Open saghaulor opened 2 years ago
@saghaulor unfortunately this isn't supported in the Snyk product and was written here by mistake. Will update the FAQ, sorry for your inconvenience :pray:
Dear @saghaulor,
As @supriza wrote, the documentation was false. This is not (yet) supported by the Snyk product.
Using nopp is still recommended as a remediation. Looking at the library docs and your changes, it looks to me like you have added the library correctly, so the vulnerabilities should be eliminated. However, we cannot yet verify this automatically when scanning your project, so we still show them. What you can do to prevent Snyk from reporting these issues is to ignore the vulnerabilities. You could do that, for example, by adding a .snyk policy file to your project and listing the reported Prototype Pollution vulnerabilities. You can read more about it here: https://docs.snyk.io/features/fixing-and-prioritizing-issues/issue-management/ignore-issues#ignoring-issues-with-the-.snyk-file. In the reported project, the vulnerabilities to ignore are: SNYK-JS-XMLDOMXMLDOM-3042243, SNYK-JS-SIMPLEPLIST-2413671 and SNYK-JS-UNSETVALUE-2400660.
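As an added illustration (not part of the thread, and not a file from the nopp or Snyk projects), this is what a `.snyk` policy file placed at the project root would look like when it ignores the three issue IDs named in the comment above. The `version` value, the `reason` text, the `expires` and `created` timestamps are assumptions; the three issue IDs are the ones listed in the thread.

```yaml
# .snyk policy file at the project root (added example; values below are assumptions)
version: v1.25.0
# Each key under `ignore` is a Snyk issue ID. The '*' path applies the ignore to
# every dependency path that reaches the vulnerable package. `expires` makes the
# ignore lapse, so the issue resurfaces for re-review instead of being silenced forever.
ignore:
  SNYK-JS-XMLDOMXMLDOM-3042243:
    - '*':
        reason: Prototype pollution mitigated at runtime by nopp; Snyk cannot yet detect this
        expires: 2024-06-30T00:00:00.000Z
        created: 2023-06-30T00:00:00.000Z
  SNYK-JS-SIMPLEPLIST-2413671:
    - '*':
        reason: Prototype pollution mitigated at runtime by nopp; Snyk cannot yet detect this
        expires: 2024-06-30T00:00:00.000Z
        created: 2023-06-30T00:00:00.000Z
  SNYK-JS-UNSETVALUE-2400660:
    - '*':
        reason: Prototype pollution mitigated at runtime by nopp; Snyk cannot yet detect this
        expires: 2024-06-30T00:00:00.000Z
        created: 2023-06-30T00:00:00.000Z
patch: {}
```

Two caveats a practitioner would want: the ignore suppresses reporting, it does not change whether the dependency is vulnerable, so the `reason` should name the mitigation (nopp) so reviewers can check later that it is still loaded before anything else in the app; and because an ignore is scoped to an issue ID, a newly published prototype pollution advisory for the same package gets a new ID and will be reported again, which is the desired behaviour.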
Is there an existing issue for this?
Description of the bug
Per https://github.com/snyk-labs/nopp#faq,
However, Snyk still reports prototype pollution issues after adding nopp package.
Steps To Reproduce
Followed the directions per the readme, reran Snyk scan, Snyk is still reporting prototype pollution vulnerabilities.
Additional Information
https://github.com/segmentio/analytics-react-native-ecommerce-samples/blob/main/final-app-ecommerce/package.json#L26
https://github.com/segmentio/analytics-react-native-ecommerce-samples/blob/main/final-app-ecommerce/yarn.lock#L5584
https://github.com/segmentio/analytics-react-native-ecommerce-samples/blob/main/final-app-ecommerce/App.tsx#L21