open-amdocs / webrix-docs

The documentation site of Webrix
https://webrix.amdocs.com

The project has critical & high vulnerabilities in the dependencies #34

Closed FOSSAware closed 3 years ago

FOSSAware commented 3 years ago

I found known published vulnerabilities in the following dependencies: Merge, cryptiles, handlebars, elliptic, lodash, content, fresh, hapi, hoek, is-svg, merge-deep, moment, node-forge, ssri, node-uuid, websocket-extensions, yargs-parser

Please choose clean versions; there are too many...

ykadosh commented 3 years ago

Hi, thanks for notifying. None of the above are in our dependency list. These are sub-dependencies. Can you share where these vulnerabilities are documented? Any suggestions on how we can fix this?
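To make the direct vs. sub-dependency distinction concrete, here is an added example (not code from webrix-docs or its authors). It walks a constructed package-lock.json v2 "packages" map and reports, for each scanner-flagged name, whether it is direct, transitive or absent, together with the chain from the direct dependency that pulls it in. Every package name and version in the lockfile object is made up for the illustration.

```javascript
// Added example, not webrix-docs project code. Walks a package-lock.json v2
// "packages" map (constructed here) to show which direct dependency pulls in a flagged name.
const lockfile = {
  packages: {
    "": { dependencies: { "webpack-cli": "^4.0.0" }, devDependencies: { "react-scripts": "^4.0.0" } },
    "node_modules/webpack-cli": { version: "4.0.0" },
    "node_modules/react-scripts": { version: "4.0.0", dependencies: { handlebars: "^4.0.0" } },
    "node_modules/handlebars": { version: "4.1.2", dependencies: { optimist: "^0.6.1" } },
    "node_modules/optimist": { version: "0.6.1", dependencies: { minimist: "~0.0.1" } },
    "node_modules/optimist/node_modules/minimist": { version: "0.0.10" },
  },
};
// Node-style resolution over lockfile paths: try <base>/node_modules/<dep>, then walk up.
function resolvePath(packages, base, dep) {
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Outgoing edges of a package; devDependencies count only at the root ("").
function dependencyEdges(packages, from) {
  const pkg = packages[from] || {};
  return Object.keys({ ...(pkg.dependencies || {}), ...(from === "" ? pkg.devDependencies || {} : {}) });
}
// Breadth-first search from the root: shortest chain of names ending in `name`, or null.
function chainTo({ packages }, name) {
  const queue = [["", []]], seen = new Set([""]);
  while (queue.length) {
    const [from, chain] = queue.shift();
    for (const dep of dependencyEdges(packages, from)) {
      const path = resolvePath(packages, from, dep);
      if (!path || seen.has(path)) continue;
      seen.add(path);
      if (dep === name) return [...chain, dep];
      queue.push([path, [...chain, dep]]);
    }
  }
  return null;
}
// "direct" = one hop from the root, "transitive" = deeper, "absent" = not installed.
function classify(lock, names) {
  return Object.fromEntries(names.map((n) => {
    const chain = chainTo(lock, n);
    return [n, { chain, kind: chain === null ? "absent" : chain.length === 1 ? "direct" : "transitive" }];
  }));
}
console.log(classify(lockfile, ["handlebars", "minimist", "webpack-cli", "hoek"]));
```

On a real checkout, npm ls <name> prints the same chain from the installed tree, which is the quickest way to see which direct dependency needs bumping or overriding.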

FOSSAware commented 3 years ago

Hi Yoav, although these are transitive dependencies of direct dependencies that you are using, you should have a complete risk review of the product after the build. I ran it with a software composition analysis tool and got these open source components reported as vulnerable. Do you have such a tool as well?

Zvika


ykadosh commented 3 years ago

Yes, we do, it's called npm audit, but it reported far fewer results than what you reported. This is why I asked where these vulnerabilities have been reported.

FOSSAware commented 3 years ago

The vulnerabilities were reported by the Snyk tool. I suggest checking with a formal tool and not only with npm audit.


ykadosh commented 3 years ago

Thanks for reporting Zvika, we will look into it 👍