snyk-labs / nopp

Tiny helper to protect against Prototype Pollution vulnerabilities in your application, regardless of whether they are introduced in your own code or in 3rd-party code
MIT License

[BUG]: Snyk still reports prototype pollution issues after adding nopp #4

Open saghaulor opened 2 years ago

saghaulor commented 2 years ago

Is there an existing issue for this?

Description of the bug

Per https://github.com/snyk-labs/nopp#faq,

If you are a Snyk user, we are able to detect the usage of the nopp package as part of your application and ignore prototype pollution vulnerabilities in your application code automatically, and help reduce the noise level of your overall security alerts.

However, Snyk still reports prototype pollution issues after adding nopp package.

Steps To Reproduce

Followed the directions per the readme, reran Snyk scan, Snyk is still reporting prototype pollution vulnerabilities.

Additional Information

- https://github.com/segmentio/analytics-react-native-ecommerce-samples/blob/main/final-app-ecommerce/package.json#L26
- https://github.com/segmentio/analytics-react-native-ecommerce-samples/blob/main/final-app-ecommerce/yarn.lock#L5584
- https://github.com/segmentio/analytics-react-native-ecommerce-samples/blob/main/final-app-ecommerce/App.tsx#L21

supriza commented 1 year ago

@saghaulor unfortunately this isn't supported in the Snyk product and was written here by mistake. Will update the FAQ, sorry for your inconvenience :pray:

klesniewski commented 1 year ago

Dear @saghaulor,

As @supriza wrote, the documentation was false. This is not (yet) supported by the Snyk product.

Using nopp is still recommended as a remediation. Looking at the library docs and your changes, it looks to me that you have added the library correctly, so the vulnerabilities should be eliminated. However, we cannot yet verify this automatically when scanning your project, so we still show them. What you can do to prevent Snyk from reporting these issues is to ignore the vulnerabilities. You could do that, for example, by adding a .snyk policy file to your project and listing the reported Prototype Pollution vulnerabilities. You can read more about it here: https://docs.snyk.io/features/fixing-and-prioritizing-issues/issue-management/ignore-issues#ignoring-issues-with-the-.snyk-file. In the reported project, the vulnerabilities to ignore are: SNYK-JS-XMLDOMXMLDOM-3042243, SNYK-JS-SIMPLEPLIST-2413671 and SNYK-JS-UNSETVALUE-2400660.
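The thread's point is that a dependency scanner sees the vulnerable package versions in the lockfile but cannot see that a runtime guard has neutralised the bug class. The example below, added here and not code from nopp or from any package named in the issue, shows why that is: a naive recursive merge (constructed for illustration) lets a `__proto__` key in parsed JSON write onto `Object.prototype`, and freezing the built-in prototypes, which is assumed to be the approach a nopp-like helper takes, makes that write a no-op (or a `TypeError` in strict mode). `prototypesAreFrozen()` is the kind of runtime self-check you can run in your own test suite to confirm the guard is actually in effect, since the scanner will not confirm it for you.

```javascript
// Added example, not nopp's code. Demonstrates the prototype-pollution
// pattern behind advisories like the ones in the thread, and the
// freeze-the-prototypes remediation, with a runtime check.

// Constructed, deliberately naive deep merge: it copies every own key of
// `source`, including a key literally named "__proto__", into `target`.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && typeof target[key] === 'object') {
      // For key === "__proto__" on a plain object, target[key] is Object.prototype.
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging attacker-shaped JSON into a fresh object leaves a
// new property visible on every plain object (i.e. the prototype was polluted).
function pollutionSucceeds() {
  // Constructed input: JSON.parse creates an own property named "__proto__".
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  try {
    unsafeMerge({}, payload);
  } catch (e) {
    // In strict mode, writing to a frozen Object.prototype throws a TypeError.
  }
  const result = ({}).polluted === true;
  delete Object.prototype.polluted; // clean up; a no-op once the prototype is frozen
  return result;
}

// Assumed remediation strategy (what a nopp-like helper does): make the
// shared built-in prototypes immutable so no later code can add or change
// properties on them.
const GUARDED = [Object.prototype, Array.prototype, Function.prototype];

function hardenPrototypes() {
  for (const proto of GUARDED) {
    Object.freeze(proto);
  }
}

// Runtime self-check: is the guard actually in effect in this process?
function prototypesAreFrozen() {
  return GUARDED.every((proto) => Object.isFrozen(proto));
}

const beforeHardening = pollutionSucceeds(); // true: the naive merge pollutes
hardenPrototypes();
const afterHardening = pollutionSucceeds();  // false: the write no longer lands

console.log({ beforeHardening, afterHardening, frozen: prototypesAreFrozen() });
```

Load the freeze as early as possible in the process: any library that legitimately extends built-in prototypes (polyfills, for instance) must have done so before the freeze, or it will fail. The `pollutionSucceeds()` probe is the same shape as a regression test you could keep next to the `.snyk` ignore entries, so that the ignores stay justified by a check that runs, rather than by a note that the helper was once installed.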