search

nasa / mmt

NASA's Metadata Management Tool.
Apache License 2.0
87 stars 36 forks source link

MMT-3831: MMT React Vulnerabilities July 2024 #1278

Closed tle1989 closed 3 months ago

tle1989 commented 3 months ago

Overview

What is the feature?

MMT React Vulnerabilities Reported by Snyk (high & fixable) on July 18, 2024 CWE-1333: fast-xml-parser CWE-1333: micromatch

https://app.snyk.io/org/esdis-cumulus-core-gibs-cmr-etc./project/74c1d039-9245-4c53-8786-e8cd1c1713d0

Screenshot 2024-08-09 at 1 49 11 PM

What is the Solution?

Update fast-xml-parser to 4.2.5 Update micromatch to 4.0.6

By adding to package.json

"overrides": { "fast-xml-parser": "4.4.1", "micromatch": "^4.0.4" }

Then run $npm install

Will fix these 2 vulnerabilities on this branch MMT-3831

What areas of the application does this impact?

Affect versions of fast-xml-parser, and micromatch packages are vulnerable to Regular Expression Denial of Service (ReDoS)

Testing

Reproduction steps

BEFORE THE FIX On branch MMT-3390 Run npm audit

Screenshot 2024-08-09 at 1 49 38 PM

Note that dicer, request, tough-cookie vulnerabilities currently have no fix available

Screenshot 2024-07-25 at 9 49 29 AM

No fix available for this one GHSA-977x-g7h5-7qgw

Screenshot 2024-08-09 at 1 52 24 PM

AFTER THE FIX Pull branch MMT-3831 Run npm audit

Screenshot 2024-07-25 at 9 53 39 AM

We currently still have No fix available for dicer, request, tough-cookie vulnerabilities, but ast-xml-parser, micromatch to 4.0.6 are being fixed according to the AC of the ticket

AFTER THE FIX Pull branch MMT-3831 Run npm audit

Screenshot 2024-07-25 at 9 53 39 AM

We currently still have No fix available for dicer, request, tough-cookie vulnerabilities, but ast-xml-parser, micromatch to 4.0.6 are being fixed according to the AC of the ticket

Screenshot 2024-08-09 at 1 50 23 PM

AFTER THE FIX Pull branch MMT-3831 Run npm audit

Screenshot 2024-08-09 at 1 51 19 PM

Checklist

codecov-commenter commented 3 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 97.72%. Comparing base (925bba2) to head (e13ea78). Report is 2 commits behind head on MMT-3390.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## MMT-3390 #1278 +/- ## ========================================= Coverage 97.72% 97.72% ========================================= Files 359 359 Lines 5404 5416 +12 Branches 1114 1133 +19 ========================================= + Hits 5281 5293 +12 Misses 122 122 Partials 1 1 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.