Snyk failing in Pipeline due to jsonpath-plus issue - Githubissues

orval-labs / orval

orval is able to generate client with appropriate type-signatures (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification, either in yaml or json formats. 🍺

https://orval.dev

MIT License

3.18k stars 336 forks source link

Snyk failing in Pipeline due to jsonpath-plus issue #1661

Closed GRenwickBrambles closed 6 days ago

GRenwickBrambles commented 1 month ago

What are the steps to reproduce this issue?

Run snyk test --severity-threshold=high on package after installing

What happens?

Issues with no direct upgrade or patch: ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884] in jsonpath-plus@6.0.1 introduced by orval@7.1.1 > @orval/angular@7.1.1 > @orval/core@7.1.1 > @ibm-cloud/openapi-ruleset@1.23.1 > @stoplight/spectral-formats@1.7.0 > @stoplight/spectral-core@1.19.1 > jsonpath-plus@7.1.0 and 1 other path(s) This issue was fixed in versions: 10.0.0

What were you expecting to happen?

Snyk to be fine with all Orval dependencies

Any logs, error output, etc?

https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

Any other comments?

What versions are you using?

npmPackages: axios: ^1.7.7 => 1.7.7 msw: ^2.4.9 => 2.4.9 orval: ^7.1.1 => 7.1.1

melloware commented 1 month ago

Updating depedencies of dependencies can be tricky but PR is welcome!

melloware commented 1 month ago

Mariscal6 commented 1 month ago

it looks like the fix is there but not tagged yet

https://github.com/stoplightio/spectral/commit/5205058d1c9b48e6785b7744e2e2716cc7f1e0f4

melloware commented 1 month ago

@Mariscal6 thanks for keeping your eye on it and let us know when its released so we can bump!

RasmusStaal1227 commented 1 month ago

Hello @melloware, it looks like the PR has been merged :)

melloware commented 1 month ago

Nice now Spectral needs to do a release.

jacquesg commented 1 month ago

There is another PR that needs to land in spectral: https://github.com/stoplightio/spectral/pull/2712

melloware commented 1 month ago

OK somebody let me know when Spectral releases.

mackerson123 commented 3 weeks ago

@melloware looks like the PR has landed :)

melloware commented 3 weeks ago

Yep but spectral has not done a release yet...

micael-mbagira-parloa commented 1 week ago

@melloware spectral has released the new version

melloware commented 1 week ago

I will look at this today!

melloware commented 1 week ago

PR is here but looking at it it looks like IBM OPenApiTools is what needs to update to the latest Spectral? https://github.com/orval-labs/orval/pull/1701/files

micael-mbagira-parloa commented 1 week ago

@melloware correct, I will try to open a PR there tomorrow.

jacquesg commented 1 week ago

I think they have: https://github.com/IBM/openapi-validator/releases/tag/ibm-openapi-validator%401.27.0

melloware commented 1 week ago

its actually not validator its @ibm-cloud/openapi-ruleset which I updated to 1.25.0 but still not sure that fixes it.

jacquesg commented 1 week ago

Indeed, I've created a PR to update the deps there:

https://github.com/IBM/openapi-validator/pull/697

jacquesg commented 6 days ago

@melloware version 1.25.1 should now be out.

melloware commented 6 days ago

PR updated! https://github.com/orval-labs/orval/pull/1702

melloware commented 3 days ago

OK 7.3.0 is out if everyone wants to try it.