paulmillr / es6-shim

ECMAScript 6 compatibility shims for legacy JS engines
http://paulmillr.com
MIT License

WhiteSource warning - jQuery Vulnerability CVE-2020-11022 #464

Closed scott-m-sarsfield closed 4 years ago

scott-m-sarsfield commented 4 years ago

(Doing due diligence.) It looks like this library was pinged for including a version of jQuery that is insecure. ( < 3.5.0 )

Within es6-shim/test-sham/index.html

https://nvd.nist.gov/vuln/detail/CVE-2020-11022

I realize that this is a test folder, so it doesn't actually impact the security of projects using this, but it would be nice to upgrade the version to get rid of this warning (or find a way to ignore test files when installing as a dependency).

ljharb commented 4 years ago

I'm not sure why the warning would appear at all for anyone but the developers of es6-shim (mainly me), given that jquery is a dev dependency, so consumers would never have it installed?

Additionally, like many CVEs in the JS world, this CVE is not actually a vulnerability unless it's used improperly (in which case it's a vulnerability in the thing using jQuery, not jQuery itself). In other words, this CVE should never have been filed on jQuery directly in the first place. Our use of jQuery doesn't involve unsanitized user input, so it's a false positive.

scott-m-sarsfield commented 4 years ago

Well, I'm not really sure what whitesource has going on under the hood.

To be fair, when I did a fresh install (yarn), the file was still there.

(screenshot: Screen Shot 2020-06-15 at 4 51 08 PM)

It picked up jquery from this: https://github.com/paulmillr/es6-shim/blob/0d47be15894bb0f95068545aed69d388be8ce7d0/test-sham/index.html#L6

And for further context, there's a number of in-between dependencies (although I don't believe they'd impact what's in your node_modules folder):

└─┬ @storybook/react@5.3.18
  └─┬ @storybook/core@5.3.18
    └─┬ airbnb-js-shims@2.2.1
      └── es6-shim@0.35.5

That being said, I very much agree with you that it's not a real vulnerability.

ljharb commented 4 years ago

The file is certainly there, but the library isn't npm-installed, and parsing HTML for script tags seems like a very strange choice for things inside node_modules.

If a later version of jQuery works in IE 6-9, then I'm happy to update it ¯\_(ツ)_/¯