paulmillr / chokidar

Minimal and efficient cross-platform file watching library
https://paulmillr.com
MIT License
11.04k stars 586 forks

There is no CVE-2021-35065, Chokidar is not vulnerable #1191

Closed paulmillr closed 5 months ago

paulmillr commented 2 years ago

CVE-2021-35065 only applies to glob-parent 5.1.1 and 6.0.0, it does not apply to 5.1.2 which we are using. glob-parent 5.1.2 is not vulnerable. We will not update to 6.0 because chokidar 3 needs to support nodejs v8.

If your tool tells you chokidar is vulnerable, report issues to your build tool. White Source Software is a particular piece of shit since it does not do proper checks.

https://github.com/github/advisory-database/pull/531 https://github.com/github/advisory-database/pull/533

dzzk commented 2 years ago

We will not update to 6.0 because chokidar 3 needs to support nodejs v8.

Do you mean NodeJS Carbon v8.x.x, last updated on 2019-12-17, or are you talking about the V8 engine itself?

And thank you for the quick response.

paulmillr commented 2 years ago

Yes, we will still support node from 2019, because chokidar is used by tens of millions of users and some of them cannot easily upgrade their child deps.

dzzk commented 2 years ago

Wouldn't it be a nice idea if I made a PR for chokidar 4 with all possible changes for newer nodejs versions within your repo? I do not want to waste the GitHub environment for nothing and increase the entropy of the Universe, but I need to have a 6.0.2 version somewhere.

What do you think?

paulmillr commented 2 years ago

Chokidar 4 will need a typescript rewrite probably. I don't think it matters without big changes.

paulmillr commented 2 years ago

#1195

mtarnawa commented 1 year ago

@paulmillr https://nvd.nist.gov/vuln/detail/CVE-2021-35065#range-8736225

Just to clarify: the NVD record was modified a couple of days ago to also include 5.1.2, hence the inflow of new issues. I understand that the official stance is still that 5.1.2 is not vulnerable?

    cpe:2.3:a:gulpjs:glob-parent:-:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.1.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.2.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:1.3.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:2.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:3.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:3.0.1:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:3.1.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:4.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.1.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.1.1:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:5.1.2:*:*:*:*:node.js:*:*
    cpe:2.3:a:gulpjs:glob-parent:6.0.0:*:*:*:*:node.js:*:*

paulmillr commented 1 year ago

@mtarnawa read the first post one more time. It doesn't matter who posts this stuff.

mtarnawa commented 1 year ago

@mtarnawa read the first post one more time. It doesn't matter who posts this stuff.

I did read it, as well as the relevant issue in the glob-parent project from a year back. I was surprised to see the CPEs were updated suddenly in the last couple of days, which is why I wanted to reconfirm: it's no longer about the vendor of security tool xyz being overzealous, it's now being flagged in NVD, which is bad (a whole other level of bad compared to the npm audit that was mentioned or GH advisories), but from what you are saying, still incorrect. Thanks.

llpaul commented 1 year ago

It appears that 5.1.2 and 6.0.1 took very different paths to resolve the vulnerability, and there is much discussion in the 6.0.1 pull request which seems to imply the approach in 5.1.2 may really be a partial fix and have issues of its own. It's not clear to me if that is why the NVD was updated to include 5.1.2; I've looked, but haven't found any comment accompanying the update. I do see that Snyk still lists 5.1.2 as not vulnerable, however, so my inclination is to trust them. In fact, according to Snyk, CVE-2021-35065 only applies to 6.0.0; CVE-2020-28469 is the CVE that covers all versions 5.1.1 and lower.

NodeJS v8 reached end of life on Dec 31, 2019. Doesn't it make sense to adopt the latest version of gulp/glob-parent and let those who need to use Node 8 just use an old version of chokidar? Either way they're choosing to use unsupported libraries. And it's pretty clear that glob-parent is not going to support two codelines, so I would think you wouldn't want to get too far out of date with it.

llpaul commented 1 year ago

I have sent the following note on the NIST page requesting they fix the issue:

I believe https://nvd.nist.gov/vuln/detail/CVE-2021-35065 was incorrectly updated recently. It now indicates that all versions < 6.0.1 are vulnerable.

I believe that CVE-2021-35065 only applies to version 6.0.0. Versions before 6.0.0 are covered by CVE-2020-28469 (5.1.2 fixes the issue, so it applies to versions <= 5.1.1).

Snyk makes this clear on their website: https://security.snyk.io/package/npm/glob-parent

And according to the NIST site, snyk appears to be the authoritative source for these vulnerabilities.
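The ranges stated in the two comments above (CVE-2020-28469 for glob-parent <= 5.1.1, fixed in 5.1.2; CVE-2021-35065 for 6.0.0 only, fixed in 6.0.1) can be checked against what a project actually has installed, rather than relying on a scanner that matches a parent package by name. The script below is an added example and is not code from the chokidar project, from glob-parent, or from anyone in this thread. It walks a package-lock.json in either the lockfile v1 layout (nested "dependencies") or the v2/v3 layout ("packages" keyed by node_modules path), lists every installed copy of glob-parent with its nesting path, and reports which of the two ranges each copy falls in. The lockfile contents and version numbers embedded in it are constructed for the example; the ranges encode the position taken in this thread, which the NVD record discussed above disagrees with for 5.1.2.

```python
import json
import sys
from typing import Callable, Dict, Iterator, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in this thread (llpaul, citing Snyk). They encode
# the thread's position, not an authoritative database: the NVD record the
# thread disputes lists a wider range for CVE-2021-35065.
ADVISORIES: List[Tuple[str, Callable[[Version], bool]]] = [
    ("CVE-2020-28469", lambda v: v <= (5, 1, 1)),  # fixed in 5.1.2
    ("CVE-2021-35065", lambda v: v == (6, 0, 0)),  # fixed in 6.0.1
]


def parse_version(text: str) -> Version:
    """Reduce a semver string to a comparable (major, minor, patch) tuple.

    Pre-release and build suffixes are dropped; missing components become 0.
    """
    core = text.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    nums = [int(part) for part in core.split(".") if part]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def iter_installed(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (install_path, package_name, version) for each installed package.

    Supports lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    lockfileVersion 1 ("dependencies" nested by package name).
    """
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Aliased packages carry an explicit "name"; otherwise derive it
            # from the last node_modules segment (keeps @scope/name intact).
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version", "")
        return

    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_glob_parent(lock: Dict) -> List[Tuple[str, str, List[str]]]:
    """Return (path, version, matching CVE ids) for every installed glob-parent."""
    findings = []
    for path, name, version in iter_installed(lock):
        if name != "glob-parent" or not version:
            continue
        parsed = parse_version(version)
        cves = [cve for cve, affected in ADVISORIES if affected(parsed)]
        findings.append((path, version, cves))
    return findings


# Constructed sample lockfiles (not real project data). The copy nested under
# chokidar is the 5.1.2 release this thread says is not affected; the other
# two copies are placed in the ranges on purpose so the report shows them.
SAMPLE_LOCK_V2 = {
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/chokidar": {"version": "3.5.3"},
        "node_modules/chokidar/node_modules/glob-parent": {"version": "5.1.2"},
        "node_modules/old-tool": {"version": "0.1.0"},
        "node_modules/old-tool/node_modules/glob-parent": {"version": "5.1.1"},
        "node_modules/glob-parent": {"version": "6.0.0"},
    },
}

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "chokidar": {
            "version": "3.5.3",
            "dependencies": {"glob-parent": {"version": "5.1.2"}},
        },
    },
}


def load_lock(path: str) -> Dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv: List[str]) -> int:
    lock = load_lock(argv[1]) if len(argv) > 1 else SAMPLE_LOCK_V2
    for path, version, cves in audit_glob_parent(lock):
        status = ", ".join(cves) if cves else "not in the ranges above"
        print(f"{path}@{version}: {status}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a real lockfile path as the first argument, or with no arguments to see the constructed sample. A copy of glob-parent that sits under `node_modules/chokidar/node_modules/` at 5.1.2 is the case the thread is about; any finding that lists a CVE is a copy some other dependency in the tree pulled in, which is what a scanner report keyed only on the chokidar name cannot tell you.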

paulmillr commented 1 year ago

Snyk is not more authoritative than others. They had these errors as well, last year. Most of these "vulnerability scanners" are useless.