Closed. FOSSAware closed this issue 3 years ago.
Hi, thanks for notifying. None of the above are in our dependency list. These are sub-dependencies. Can you share where these vulnerabilities are documented? Any suggestion how we can fix this?
Hi Yoav, although these are transitive dependencies of the direct dependencies that you are using, you should have a complete risk review of the product after the build. I ran it with a software composition analysis tool and got these open source components reported as vulnerable. Do you have such a tool as well?
Zvika
Yes, we do, it's called npm audit, but it reported far fewer results than what you reported. This is why I asked where these vulnerabilities have been reported.
The vulnerabilities were reported by the Snyk tool. I suggest checking with a formal tool and not only with npm audit.
Thanks for reporting Zvika, we will look into it 👍
I found known published vulnerabilities in the following dependencies: Merge, cryptiles, handlebars, elliptic, lodash, content, fresh, hapi, hoek, is-svg, merge-deep, moment, node-forge, ssri, node-uuid, websocket-extensions, yargs-parser
Please choose clean versions; there are too many...
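The thread turns on the gap between "not in our dependency list" and "pulled in transitively": to fix a flagged package you first need to know which direct dependency drags it in. The script below is an added example, not code from the webrix-docs project; it assumes a lockfileVersion 2/3 `package-lock.json` with a `packages` map, and every package name and version in it is constructed.

```javascript
// Added example, not code from the webrix-docs project: it reads the "packages" map of a
// lockfileVersion 2/3 package-lock.json and, for each package an SCA tool flagged, returns the
// chain(s) from a direct dependency down to it. All names and versions below are constructed.
// Name-level graph: package name -> Set of dependency names. Nested copies of a name
// ("node_modules/a/node_modules/b") are merged, which is enough to tell which direct
// dependency pulls a transitive one in. The root entry "" lists the direct dependencies.
function buildGraph(lock) {
  const graph = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const set = graph.get(name) || new Set();
    Object.keys(entry.dependencies || {}).forEach((d) => set.add(d));
    graph.set(name, set);
  }
  return graph;
}

// Depth-first walk from the root collecting every acyclic chain that ends at target.
function chainsTo(graph, target) {
  const chains = [];
  const walk = (node, trail) => {
    for (const dep of graph.get(node) || []) {
      if (trail.includes(dep)) continue; // skip cycles
      const next = [...trail, dep];
      if (dep === target) chains.push(next);
      else walk(dep, next);
    }
  };
  walk("", []);
  return chains;
}

// { flaggedName: [chain, ...] }; an empty list means the name is not in the lock file at all.
function attributeFindings(lock, flagged) {
  const graph = buildGraph(lock);
  return Object.fromEntries(flagged.map((name) => [name, chainsTo(graph, name)]));
}
// Constructed lock file: "site-builder" and "react" are direct; lodash and hoek are transitive only.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "site-builder": "^1.0.0", react: "^17.0.0" } },
    "node_modules/site-builder": { version: "1.0.0", dependencies: { lodash: "^4.17.4", "server-kit": "^1.0.0" } },
    "node_modules/server-kit": { version: "1.0.0", dependencies: { hoek: "^4.0.0" } },
    "node_modules/hoek": { version: "4.0.0" }, "node_modules/lodash": { version: "4.17.4" },
    "node_modules/react": { version: "17.0.2" },
  },
};
for (const [pkg, chains] of Object.entries(attributeFindings(SAMPLE_LOCK, ["lodash", "hoek", "moment"])))
  console.log(pkg, chains.length ? chains.map((c) => c.join(" > ")).join("; ") : "not in lock file");
```

Run it against a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) with the names from an SCA report to see which direct dependency to bump, or whether an `overrides` entry for the transitive package is the only option.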