usdigitalresponse / project-papua

Prototype Pandemic Unemployment Assistance (PUA) claim service
https://papua.usdigitalresponse.org/
Apache License 2.0

Vulnerable Dependency Check #114

Open dscrobonia opened 4 years ago

dscrobonia commented 4 years ago

Ran snyk test. Two prototype pollution vulns. One patchable.

➜  project-papua git:(master) snyk test

Testing /Users/david.scrobonia/dev/src/github.com/usdigitalresponse/project-papua...

Tested 1583 dependencies for known issues, found 3 issues, 4969 vulnerable paths.

Patchable issues:

  Patch available for lodash@4.17.15
  ✗ Prototype Pollution (new) [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-567746] in lodash@4.17.15
    introduced by lodash@4.17.15 and 4963 other path(s)

Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381] in yargs-parser@11.1.1
    introduced by react-scripts@3.4.1 > webpack-dev-server@3.10.3 > yargs@12.0.5 > yargs-parser@11.1.1
  This issue was fixed in versions: 13.1.2, 15.0.1, 18.1.1

License issues:

  ✗ EPL-1.0 license (new) [Medium Severity][https://snyk.io/vuln/snyk:lic:npm:paho-mqtt:EPL-1.0] in paho-mqtt@1.1.0
    introduced by aws-amplify@3.0.9 > @aws-amplify/pubsub@3.0.9 > paho-mqtt@1.1.0 and 3 other path(s)

Organization:      segment-pro
Package manager:   yarn
Target file:       yarn.lock
Project name:      project-papua-ts
Open source:       no
Project path:      /Users/david.scrobonia/dev/src/github.com/usdigitalresponse/project-papua
Licenses:          enabled

Run `snyk wizard` to address these issues.

dscrobonia commented 4 years ago

Ran dependency-check, which only reported 1 vuln, the same prototype pollution in the yargs-parser image.