From 4770db20afb086998bb700d0ae8d0c3730d5ec5c Mon Sep 17 00:00:00 2001 From: renejal Date: Thu, 16 Nov 2023 15:44:24 -0500 Subject: [PATCH 01/31] new parser Jfrog Xray on Demand Binary Scan --- .../file/jfrog_xray_on_demand_binary_scan.md | 9 + dojo/fixtures/defect_dojo_sample_data.json | 10 + dojo/settings/settings.dist.py | 2 + .../__init__.py | 0 .../parser.py | 224 ++++++++++++++++++ .../many_vulns.json | 111 +++++++++ .../one_vuln.json | 43 ++++ ...jfrog_xray_on_demand_binary_scan_parser.py | 33 +++ 8 files changed, 432 insertions(+) create mode 100644 docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md create mode 100644 dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py create mode 100644 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json create mode 100644 unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md new file mode 100644 index 00000000000..e1e2c6097dd --- /dev/null +++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md @@ -0,0 +1,9 @@ +--- +title: "Jfrog xray on demand binary Scan" +toc_hide: true +--- +Import the JSON format for the \"Jfrog xray on demand binary Scan\" file. Use this importer for Xray version 2.X +-- + jfron file documentation + +https://jfrog.com/help/r/jfrog-cli/on-demand-binary-scan \ No newline at end of file diff --git a/dojo/fixtures/defect_dojo_sample_data.json b/dojo/fixtures/defect_dojo_sample_data.json index 3db55c5d9d2..14ce0dca4fe 100644 --- a/dojo/fixtures/defect_dojo_sample_data.json +++ b/dojo/fixtures/defect_dojo_sample_data.json 
@@ -8620,6 +8620,16 @@ } }, { + "model": "dojo.test_type", + "pk": 149, + "fields": { + "name": "Jfrog Xray On Demand Binary Scan", + "static_tool": false, + "dynamic_tool": false, + "active": true + } + }, + { "model": "dojo.tagulous_product_tags", "pk": 1, "fields": { diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 4f0716a5549..d9b108fbfdf 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1223,6 +1223,7 @@ def saml2_attrib_map_format(dict): 'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'], 'SpotBugs Scan': ['cwe', 'severity', 'file_path', 'line'], 'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version'], + 'Jfrog Xray On Demand Binary Scan': ["title", "description", "component_name", "component_version"], 'Scout Suite Scan': ['file_path', 'vuln_id_from_tool'], # for now we use file_path as there is no attribute for "service" 'AWS Security Hub Scan': ['unique_id_from_tool'], 'Meterian Scan': ['cwe', 'component_name', 'component_version', 'description', 'severity'], @@ -1415,6 +1416,7 @@ def saml2_attrib_map_format(dict): 'Checkov Scan': DEDUPE_ALGO_HASH_CODE, 'SpotBugs Scan': DEDUPE_ALGO_HASH_CODE, 'JFrog Xray Unified Scan': DEDUPE_ALGO_HASH_CODE, + 'Jfrog Xray On Demand Binary Scan': DEDUPE_ALGO_HASH_CODE, 'Scout Suite Scan': DEDUPE_ALGO_HASH_CODE, 'AWS Security Hub Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, 'Meterian Scan': DEDUPE_ALGO_HASH_CODE, diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py new file mode 100644 index 00000000000..8157851d151 --- /dev/null +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py 
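Review bot: The hash-code field list added for 'Jfrog Xray On Demand Binary Scan' keys deduplication on `title` and `description`, and in this parser the description is `vulnerability["summary"]` plus provider text, so any rewording of the vendor summary between two imports yields a new finding instead of matching the existing one. The neighbouring 'JFrog Xray Unified Scan' entry keys on `['vulnerability_ids', 'file_path', 'component_name', 'component_version']`, which is stable across report versions; consider the same shape here, e.g. `'Jfrog Xray On Demand Binary Scan': ['vulnerability_ids', 'component_name', 'component_version'],`. Note also that `component_version` is filled from an `EXT` key that none of the sample reports contain, so it is presumably always empty and adds nothing to the hash. The casing 'Jfrog' differs from the existing 'JFrog' entries; the name must match the fixture and `get_scan_types`, so change all three together if you normalise it.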
@@ -0,0 +1,224 @@ +import json +import re + +from cvss import CVSS3 + +from dojo.models import Finding + + +class JfrogXrayOnDemandBinaryScanParser(object): + """jfrog_xray_scan JSON reports""" + + def get_scan_types(self): + return ["Jfrog Xray On Demand Binary Scan"] + + def get_label_for_scan_types(self, scan_type): + return scan_type + + def get_description_for_scan_types(self, scan_type): + return "Import Xray findings in JSON format." + + def get_findings(self, json_output, test): + tree = json.load(json_output) + return self.get_items(tree, test) + + def get_items(self, tree, test): + items = {} + for data in tree: + if "vulnerabilities" in data: + vulnerability_tree = data["vulnerabilities"] + + for node in vulnerability_tree: + item = get_item(node, test) + + title_cve = "No CVE" + if "cves" in tree: + if "cve" in tree["cves"][0]: + title_cve = tree["cve"] + + unique_key = node.get("issue_id", "") + node.get("summary", "") + title_cve + items[unique_key] = item + + return list(items.values()) + + +def decode_cwe_number(value): + match = re.match(r"CWE-\d+", value, re.IGNORECASE) + if match is None: + return 0 + return int(match[0].rsplit("-")[1]) + + +def get_servery(vulnerability): + if "severity" in vulnerability: + if vulnerability["severity"] == "Unknown": + severity = "Info" + else: + severity = vulnerability["severity"].title() + else: + severity = "Info" + return severity + + +def get_references(vulnerability): + ref = "" + if "references" in vulnerability: + references = vulnerability["references"] + for reference in references: + ref += reference + "\n" + return ref + + +def get_remediation(extended_information): + remediation = "" + if "remediation" in extended_information: + remediation = "\n**Remediation**\n" + remediation += extended_information["remediation"] + "\n" + return remediation + + +def get_severity_justification(vulnerability): + severity_desc = "" + remediation = "" + extended_information = vulnerability.get("extended_information") 
+ if extended_information: + remediation += get_remediation(extended_information) + if "short_description" in extended_information: + severity_desc = "**short description**\n" + severity_desc += extended_information["short_description"] + "\n" + if "full_description" in extended_information: + severity_desc = "**full description**\n" + severity_desc += extended_information["full_description"] + "\n" + if "jfrog_research_severity" in extended_information: + severity_desc = "**jfrog research severity**\n" + severity_desc += extended_information["jfrog_research_severity"] + "\n" + if "jfrog_research_severity_reasons" in extended_information: + severity_desc = "**jfrog research severity reasons**\n" + for item in extended_information["jfrog_research_severity_reasons"]: + severity_desc += item["name"] + "\n" if item.get("name") else "" + severity_desc += item["description"] + "\n" if item.get("description") else "" + return severity_desc, remediation + + +def get_component(vulnerability): + mitigation = "" + gav = "" + impact = "**Impact paths**\n" + if "components" in vulnerability: + components = vulnerability["components"] + gav = next(iter(components)) + component = components[gav] + fixed_versions = component.get("fixed_versions") + if fixed_versions: + mitigation = "**Versions containing a fix:**\n" + mitigation = mitigation + "\n".join(fixed_versions) + if "impact_paths" in component: + impact_paths = component["impact_paths"][0] + for item in impact_paths: + if "component_id" in item: + component_id = item["component_id"] + impact = impact + "\n" + component_id + if "full_path" in item: + full_path = item["full_path"] + impact = impact + "\n" + full_path + return gav, mitigation, impact + + +def get_version_vulnerability(vulnerability): + if "vulnerable_versions" in vulnerability["component_versions"]: + extra_desc = "\n**Versions that are vulnerable:**\n" + extra_desc += "\n".join(vulnerability["component_versions"]["vulnerable_versions"]) + return extra_desc + 
return "None" + + +def get_provider(vulnerabiity): + if "component_versions" in vulnerabiity: + provider = vulnerabiity.get("component_versions").get("more_details").get("provider") + if provider: + provider += f"\n**Provider:** {provider}" + return provider + return "" + + +def get_etx(vulnerability): + if "EXT" in vulnerability: + return vulnerability["EXT"] + return "" + + +def get_cve(vulnerability): + if "cves" in vulnerability: + cves = vulnerability["cves"] + return cves + return [] + + +def get_item(vulnerability, test): + severity_justification, remediation = get_severity_justification(vulnerability) + severity = get_servery(vulnerability) + references = get_references(vulnerability) + vulnerability_ids = list() + cwe = None + cvssv3 = None + cvss_v3 = "No CVSS v3 score." + extra_desc = "" + # Some entries have no CVE entries, despite they exist. Example CVE-2017-1000502. + cves = get_cve(vulnerability) + if len(cves) > 0: + for item in cves: + if item.get("cve"): + vulnerability_ids.append(item.get("cve")) + # take only the first one for now, limitation of DD model. + if len(cves[0].get("cwe", [])) > 0: + cwe = decode_cwe_number(cves[0].get("cwe", [])[0]) + if "cvss_v3" in cves[0]: + cvss_v3 = cves[0]["cvss_v3"] + # this dedicated package will clean the vector + cvssv3 = CVSS3.from_rh_vector(cvss_v3).clean_vector() + + extra_desc += get_provider(vulnerability) + component_name, mitigation, impact = get_component(vulnerability) + component_version = get_etx(vulnerability) + + # The 'id' field is empty? 
(at least in my sample file) + if vulnerability_ids: + if vulnerability.get("id"): + title = ( + vulnerability["id"] + + " - " + + str(vulnerability_ids[0]) + + " - " + + component_name + + ":" + + component_version + ) + else: + title = str(vulnerability_ids[0]) + " - " + component_name + ":" + component_version + else: + if vulnerability.get("id"): + title = vulnerability["id"] + " - " + component_name + ":" + component_version + else: + title = "No CVE - " + component_name + ":" + component_version + + # create the finding object + finding = Finding( + title=title, + cwe=cwe, + test=test, + severity_justification=severity_justification, + severity=severity, + description=(vulnerability["summary"] + extra_desc).strip(), + mitigation=mitigation + remediation, + component_name=component_name, + component_version=component_version, + impact=impact, + references=references, + file_path=vulnerability.get("source_comp_id"), + static_finding=True, + dynamic_finding=False, + cvssv3=cvssv3, + ) + if vulnerability_ids: + finding.unsaved_vulnerability_ids = vulnerability_ids + return finding \ No newline at end of file diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json new file mode 100644 index 00000000000..be534784f7f --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json 
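Review bot: In `get_items` the CVE used for the dedup key is looked up on `tree`, the top-level list, not on `node`: `"cves" in tree` is always False for a list of dicts, so `title_cve` stays "No CVE", and had it ever been true `tree["cves"][0]` would raise TypeError on a list. Replace those three lines with `cves = node.get("cves") or []` and `if cves and cves[0].get("cve"): title_cve = cves[0]["cve"]`. In `get_severity_justification` every section header is assigned with `=` (`severity_desc = "**full description**\n"`), so each later block discards the one before it; those should be `+=`. `get_provider` chains `.get("component_versions").get("more_details").get("provider")`, which raises AttributeError when `more_details` is absent, and then appends the provider to itself (`provider += f"\n**Provider:** {provider}"`), emitting the name twice; build the label in a separate variable and use `.get("more_details", {})`.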
@@ -0,0 +1,111 @@ +[ + { + "scan_id": "dd8f-4927-5db6-fb188ae8d984", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2017-8923", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Summary of test", + "severity": "High", + "components": { + "gav://org.yaml:snakeyaml:1.16": { + "fixed_versions": [ + "[1.26]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.com" + }, + { + "component_id": "gav://co.com.test.com", + "full_path": "lib/snakeyaml-1.16.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-92904", + "references": [ + "https://test.com.co" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-0114", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "gav://test": { + "fixed_versions": [ + "[1.9.4]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test", + "full_path": "lib/commons-beanutils-1.9.2.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-55616", + "references": [ + "https://test.com.co" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "test_item": { + "fixed_versions": [ + "[1.2.8.RELEASE]", + "[1.3.1.RELEASE]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test.com.co", + "full_path": "lib/test/libtest" + } + ] + ] + } + }, + "issue_id": "XRAY-79870", + "references": [ + "https://test.com.co" + ] + } + ], + "component_id": "gav://co.com.test.test:core:1.0.0-test", + "package_type": "Maven", + "status": "completed" + } + ] 
diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json new file mode 100644 index 00000000000..09bd2903a8f --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json @@ -0,0 +1,43 @@ +[ + { + "scan_id": "dd8f-4927-5db6-fb188ae8d984", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2014-0114", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "gav://test": { + "fixed_versions": [ + "[1.9.4]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test", + "full_path": "lib/commons-beanutils-1.9.2.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-55616", + "references": [ + "https://test.com.co" + ] + } + ], + "component_id": "gav://co.com.test.test:core:1.0.0-test", + "package_type": "Maven", + "status": "completed" + } + ] \ No newline at end of file diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py new file mode 100644 index 00000000000..d39f51c2c66 --- /dev/null +++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py 
@@ -0,0 +1,33 @@ +from ..dojo_test_case import DojoTestCase +from dojo.models import Test, Finding +from dojo.tools.jfrog_xray_on_demand_binary_scan.parser import \ + JfrogXrayOnDemandBinaryScanParser, decode_cwe_number + + +class TestJfrogXrayOnDemandBinaryScanParser(DojoTestCase): + + def test_parse_file_with_one_vuln(self): + testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json") + parser = JfrogXrayOnDemandBinaryScanParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + self.assertEqual(1, len(findings)) + item: Finding = findings[0] + self.assertEqual("gav://test", item.component_name) + self.assertEqual("CVE-2014-0114", item.unsaved_vulnerability_ids[0]) + self.assertEqual("High", item.severity) + + def test_parse_file_with_many_vulns(self): + testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json") + parser = JfrogXrayOnDemandBinaryScanParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + self.assertEqual(3, len(findings)) + + def test_decode_cwe_number(self): + with self.subTest(val="CWE-1234"): + self.assertEqual(1234, decode_cwe_number("CWE-1234")) + with self.subTest(val=""): + self.assertEqual(0, decode_cwe_number("")) + with self.subTest(val="cwe-1"): + self.assertEqual(1, decode_cwe_number("cwe-1")) \ No newline at end of file From 7c645ac53a8d394bef6160781f16527553d7c3ff Mon Sep 17 00:00:00 2001 
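Review bot: `test_parse_file_with_many_vulns` only asserts the count, so none of the paths that differ between the three fixture entries are pinned: the third entry has no `cve` key and the first carries `cvss_v3_vector`. Add assertions such as `self.assertEqual("No CVE - test_item:", findings[2].title)` and `self.assertIsNone(findings[0].cvssv3)`; the latter also documents that the parser currently reads a `cvss_v3` key rather than the `cvss_v3_vector` key present in the fixture, so a future fix will have a test to update. The files are opened without a context manager; `with open(...) as testfile:` closes them even when an assertion fails.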
From: renejal Date: Thu, 16 Nov 2023 15:44:24 -0500 Subject: [PATCH 02/31] new parser Jfrog Xray on Demand Binary Scan --- .../file/jfrog_xray_on_demand_binary_scan.md | 9 + dojo/fixtures/defect_dojo_sample_data.json | 10 + dojo/settings/settings.dist.py | 2 + .../__init__.py | 0 .../parser.py | 224 ++++++++++++++++++ .../many_vulns.json | 111 +++++++++ .../one_vuln.json | 43 ++++ ...jfrog_xray_on_demand_binary_scan_parser.py | 33 +++ 8 files changed, 432 insertions(+) create mode 100644 docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md create mode 100644 dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py create mode 100644 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json create mode 100644 unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md new file mode 100644 index 00000000000..e1e2c6097dd --- /dev/null +++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md @@ -0,0 +1,9 @@ +--- +title: "Jfrog xray on demand binary Scan" +toc_hide: true +--- +Import the JSON format for the \"Jfrog xray on demand binary Scan\" file. Use this importer for Xray version 2.X +-- + jfron file documentation + +https://jfrog.com/help/r/jfrog-cli/on-demand-binary-scan \ No newline at end of file diff --git a/dojo/fixtures/defect_dojo_sample_data.json b/dojo/fixtures/defect_dojo_sample_data.json index 3db55c5d9d2..14ce0dca4fe 100644 --- a/dojo/fixtures/defect_dojo_sample_data.json +++ b/dojo/fixtures/defect_dojo_sample_data.json 
@@ -8620,6 +8620,16 @@ } }, { + "model": "dojo.test_type", + "pk": 149, + "fields": { + "name": "Jfrog Xray On Demand Binary Scan", + "static_tool": false, + "dynamic_tool": false, + "active": true + } + }, + { "model": "dojo.tagulous_product_tags", "pk": 1, "fields": { diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 4f0716a5549..d9b108fbfdf 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1223,6 +1223,7 @@ def saml2_attrib_map_format(dict): 'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'], 'SpotBugs Scan': ['cwe', 'severity', 'file_path', 'line'], 'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version'], + 'Jfrog Xray On Demand Binary Scan': ["title", "description", "component_name", "component_version"], 'Scout Suite Scan': ['file_path', 'vuln_id_from_tool'], # for now we use file_path as there is no attribute for "service" 'AWS Security Hub Scan': ['unique_id_from_tool'], 'Meterian Scan': ['cwe', 'component_name', 'component_version', 'description', 'severity'], @@ -1415,6 +1416,7 @@ def saml2_attrib_map_format(dict): 'Checkov Scan': DEDUPE_ALGO_HASH_CODE, 'SpotBugs Scan': DEDUPE_ALGO_HASH_CODE, 'JFrog Xray Unified Scan': DEDUPE_ALGO_HASH_CODE, + 'Jfrog Xray On Demand Binary Scan': DEDUPE_ALGO_HASH_CODE, 'Scout Suite Scan': DEDUPE_ALGO_HASH_CODE, 'AWS Security Hub Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, 'Meterian Scan': DEDUPE_ALGO_HASH_CODE, diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py new file mode 100644 index 00000000000..8157851d151 --- /dev/null +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py 
@@ -0,0 +1,224 @@ +import json +import re + +from cvss import CVSS3 + +from dojo.models import Finding + + +class JfrogXrayOnDemandBinaryScanParser(object): + """jfrog_xray_scan JSON reports""" + + def get_scan_types(self): + return ["Jfrog Xray On Demand Binary Scan"] + + def get_label_for_scan_types(self, scan_type): + return scan_type + + def get_description_for_scan_types(self, scan_type): + return "Import Xray findings in JSON format." + + def get_findings(self, json_output, test): + tree = json.load(json_output) + return self.get_items(tree, test) + + def get_items(self, tree, test): + items = {} + for data in tree: + if "vulnerabilities" in data: + vulnerability_tree = data["vulnerabilities"] + + for node in vulnerability_tree: + item = get_item(node, test) + + title_cve = "No CVE" + if "cves" in tree: + if "cve" in tree["cves"][0]: + title_cve = tree["cve"] + + unique_key = node.get("issue_id", "") + node.get("summary", "") + title_cve + items[unique_key] = item + + return list(items.values()) + + +def decode_cwe_number(value): + match = re.match(r"CWE-\d+", value, re.IGNORECASE) + if match is None: + return 0 + return int(match[0].rsplit("-")[1]) + + +def get_servery(vulnerability): + if "severity" in vulnerability: + if vulnerability["severity"] == "Unknown": + severity = "Info" + else: + severity = vulnerability["severity"].title() + else: + severity = "Info" + return severity + + +def get_references(vulnerability): + ref = "" + if "references" in vulnerability: + references = vulnerability["references"] + for reference in references: + ref += reference + "\n" + return ref + + +def get_remediation(extended_information): + remediation = "" + if "remediation" in extended_information: + remediation = "\n**Remediation**\n" + remediation += extended_information["remediation"] + "\n" + return remediation + + +def get_severity_justification(vulnerability): + severity_desc = "" + remediation = "" + extended_information = vulnerability.get("extended_information") 
+ if extended_information: + remediation += get_remediation(extended_information) + if "short_description" in extended_information: + severity_desc = "**short description**\n" + severity_desc += extended_information["short_description"] + "\n" + if "full_description" in extended_information: + severity_desc = "**full description**\n" + severity_desc += extended_information["full_description"] + "\n" + if "jfrog_research_severity" in extended_information: + severity_desc = "**jfrog research severity**\n" + severity_desc += extended_information["jfrog_research_severity"] + "\n" + if "jfrog_research_severity_reasons" in extended_information: + severity_desc = "**jfrog research severity reasons**\n" + for item in extended_information["jfrog_research_severity_reasons"]: + severity_desc += item["name"] + "\n" if item.get("name") else "" + severity_desc += item["description"] + "\n" if item.get("description") else "" + return severity_desc, remediation + + +def get_component(vulnerability): + mitigation = "" + gav = "" + impact = "**Impact paths**\n" + if "components" in vulnerability: + components = vulnerability["components"] + gav = next(iter(components)) + component = components[gav] + fixed_versions = component.get("fixed_versions") + if fixed_versions: + mitigation = "**Versions containing a fix:**\n" + mitigation = mitigation + "\n".join(fixed_versions) + if "impact_paths" in component: + impact_paths = component["impact_paths"][0] + for item in impact_paths: + if "component_id" in item: + component_id = item["component_id"] + impact = impact + "\n" + component_id + if "full_path" in item: + full_path = item["full_path"] + impact = impact + "\n" + full_path + return gav, mitigation, impact + + +def get_version_vulnerability(vulnerability): + if "vulnerable_versions" in vulnerability["component_versions"]: + extra_desc = "\n**Versions that are vulnerable:**\n" + extra_desc += "\n".join(vulnerability["component_versions"]["vulnerable_versions"]) + return extra_desc + 
return "None" + + +def get_provider(vulnerabiity): + if "component_versions" in vulnerabiity: + provider = vulnerabiity.get("component_versions").get("more_details").get("provider") + if provider: + provider += f"\n**Provider:** {provider}" + return provider + return "" + + +def get_etx(vulnerability): + if "EXT" in vulnerability: + return vulnerability["EXT"] + return "" + + +def get_cve(vulnerability): + if "cves" in vulnerability: + cves = vulnerability["cves"] + return cves + return [] + + +def get_item(vulnerability, test): + severity_justification, remediation = get_severity_justification(vulnerability) + severity = get_servery(vulnerability) + references = get_references(vulnerability) + vulnerability_ids = list() + cwe = None + cvssv3 = None + cvss_v3 = "No CVSS v3 score." + extra_desc = "" + # Some entries have no CVE entries, despite they exist. Example CVE-2017-1000502. + cves = get_cve(vulnerability) + if len(cves) > 0: + for item in cves: + if item.get("cve"): + vulnerability_ids.append(item.get("cve")) + # take only the first one for now, limitation of DD model. + if len(cves[0].get("cwe", [])) > 0: + cwe = decode_cwe_number(cves[0].get("cwe", [])[0]) + if "cvss_v3" in cves[0]: + cvss_v3 = cves[0]["cvss_v3"] + # this dedicated package will clean the vector + cvssv3 = CVSS3.from_rh_vector(cvss_v3).clean_vector() + + extra_desc += get_provider(vulnerability) + component_name, mitigation, impact = get_component(vulnerability) + component_version = get_etx(vulnerability) + + # The 'id' field is empty? 
(at least in my sample file) + if vulnerability_ids: + if vulnerability.get("id"): + title = ( + vulnerability["id"] + + " - " + + str(vulnerability_ids[0]) + + " - " + + component_name + + ":" + + component_version + ) + else: + title = str(vulnerability_ids[0]) + " - " + component_name + ":" + component_version + else: + if vulnerability.get("id"): + title = vulnerability["id"] + " - " + component_name + ":" + component_version + else: + title = "No CVE - " + component_name + ":" + component_version + + # create the finding object + finding = Finding( + title=title, + cwe=cwe, + test=test, + severity_justification=severity_justification, + severity=severity, + description=(vulnerability["summary"] + extra_desc).strip(), + mitigation=mitigation + remediation, + component_name=component_name, + component_version=component_version, + impact=impact, + references=references, + file_path=vulnerability.get("source_comp_id"), + static_finding=True, + dynamic_finding=False, + cvssv3=cvssv3, + ) + if vulnerability_ids: + finding.unsaved_vulnerability_ids = vulnerability_ids + return finding \ No newline at end of file diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json new file mode 100644 index 00000000000..be534784f7f --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json 
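Review bot: `get_item` reads the CVSS vector from `cves[0]["cvss_v3"]`, but both sample reports spell the key `cvss_v3_vector` (with a separate `cvss_v3_score`), so `cvssv3` is never populated from these files. `CVSS3.from_rh_vector` appears to expect the Red Hat "score/vector" form; for a bare vector `CVSS3(cves[0]["cvss_v3_vector"]).clean_vector()` is the likely call — confirm against the cvss package before switching. `get_component` keeps only the first key of `components` and the first entry of `impact_paths`, silently dropping any further components or paths the report lists; if that is intentional, say so in a comment, otherwise iterate them. `vulnerability["summary"]` in the Finding constructor raises KeyError on an entry without a summary; `vulnerability.get("summary", "")` matches how the rest of the function treats optional keys.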
@@ -0,0 +1,111 @@ +[ + { + "scan_id": "dd8f-4927-5db6-fb188ae8d984", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2017-8923", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Summary of test", + "severity": "High", + "components": { + "gav://org.yaml:snakeyaml:1.16": { + "fixed_versions": [ + "[1.26]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.com" + }, + { + "component_id": "gav://co.com.test.com", + "full_path": "lib/snakeyaml-1.16.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-92904", + "references": [ + "https://test.com.co" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-0114", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "gav://test": { + "fixed_versions": [ + "[1.9.4]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test", + "full_path": "lib/commons-beanutils-1.9.2.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-55616", + "references": [ + "https://test.com.co" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "test_item": { + "fixed_versions": [ + "[1.2.8.RELEASE]", + "[1.3.1.RELEASE]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test.com.co", + "full_path": "lib/test/libtest" + } + ] + ] + } + }, + "issue_id": "XRAY-79870", + "references": [ + "https://test.com.co" + ] + } + ], + "component_id": "gav://co.com.test.test:core:1.0.0-test", + "package_type": "Maven", + "status": "completed" + } + ] 
diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json new file mode 100644 index 00000000000..09bd2903a8f --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json @@ -0,0 +1,43 @@ +[ + { + "scan_id": "dd8f-4927-5db6-fb188ae8d984", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2014-0114", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "gav://test": { + "fixed_versions": [ + "[1.9.4]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test", + "full_path": "lib/commons-beanutils-1.9.2.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-55616", + "references": [ + "https://test.com.co" + ] + } + ], + "component_id": "gav://co.com.test.test:core:1.0.0-test", + "package_type": "Maven", + "status": "completed" + } + ] \ No newline at end of file diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py new file mode 100644 index 00000000000..d39f51c2c66 --- /dev/null +++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py 
@@ -0,0 +1,33 @@ +from ..dojo_test_case import DojoTestCase +from dojo.models import Test, Finding +from dojo.tools.jfrog_xray_on_demand_binary_scan.parser import \ + JfrogXrayOnDemandBinaryScanParser, decode_cwe_number + + +class TestJfrogXrayOnDemandBinaryScanParser(DojoTestCase): + + def test_parse_file_with_one_vuln(self): + testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json") + parser = JfrogXrayOnDemandBinaryScanParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + self.assertEqual(1, len(findings)) + item: Finding = findings[0] + self.assertEqual("gav://test", item.component_name) + self.assertEqual("CVE-2014-0114", item.unsaved_vulnerability_ids[0]) + self.assertEqual("High", item.severity) + + def test_parse_file_with_many_vulns(self): + testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json") + parser = JfrogXrayOnDemandBinaryScanParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + self.assertEqual(3, len(findings)) + + def test_decode_cwe_number(self): + with self.subTest(val="CWE-1234"): + self.assertEqual(1234, decode_cwe_number("CWE-1234")) + with self.subTest(val=""): + self.assertEqual(0, decode_cwe_number("")) + with self.subTest(val="cwe-1"): + self.assertEqual(1, decode_cwe_number("cwe-1")) \ No newline at end of file From 0dff403de8b710e195179bca50b90b64bf8b9d42 Mon Sep 17 00:00:00 2001 From: renejal Date: Thu, 16 Nov 2023 19:57:13 -0500 Subject: [PATCH 03/31] delete blank line at end of file --- unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py | 1 - 1 file changed, 1 deletion(-) diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py index 0d714548c79..4959c2481c8 100644 --- a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py +++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py 
@@ -31,4 +31,3 @@ def test_decode_cwe_number(self):
 self.assertEqual(0, decode_cwe_number(""))
 with self.subTest(val="cwe-1"):
 self.assertEqual(1, decode_cwe_number("cwe-1"))
-
From 83aefa5d2c4129ff6e96faa2d9f5e68eefd5d409 Mon Sep 17 00:00:00 2001 From: renejal Date: Fri, 17 Nov 2023 09:16:14 -0500 Subject: [PATCH 04/31] rename function --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index 1d09e3ea22b..39406c665e7 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -141,7 +141,7 @@ def get_provider(vulnerabiity):
 return ""
-def get_etx(vulnerability):
+def get_ext(vulnerability):
 if "EXT" in vulnerability:
 return vulnerability["EXT"]
 return ""
@@ -179,7 +179,7 @@ def get_item(vulnerability, test):
 extra_desc += get_provider(vulnerability)
 component_name, mitigation, impact = get_component(vulnerability)
- component_version = get_etx(vulnerability)
+ component_version = get_ext(vulnerability)
 # The 'id' field is empty? (at least in my sample file)
 if vulnerability_ids:
From 7781ef86b92f6a491441b1d5894e746b77cad696 Mon Sep 17 00:00:00 2001 From: Tomas Kubla Date: Fri, 17 Nov 2023 18:41:42 +0100 Subject: [PATCH 05/31] More sample reports --- .../many_vulns_docker.json | 129 + .../many_vulns_pypi.json | 9130 +++++++++++++++++ 2 files changed, 9259 insertions(+) create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json
diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json
new file mode 100644
index 00000000000..4af60fa95db
--- /dev/null
+++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json 
@@ -0,0 +1,129 @@
+[
+ {
+ "scan_id": "2c4c3ae7-d57d-4bf0-5afa-f191b309a2e2",
+ "vulnerabilities": [
+ {
+ "cves": [
+ {
+ "cve": "CVE-2023-3446"
+ }
+ ],
+ "summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
+ "severity": "Unknown",
+ "components": {
+ "alpine://3.18:libcrypto3:3.1.1-r1": {
+ "fixed_versions": [
+ "[3.1.1-r3]"
+ ],
+ "impact_paths": [
+ [
+ {
+ "component_id": "docker://alpine:latest"
+ },
+ {
+ "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar",
+ "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar"
+ },
+ {
+ "component_id": "alpine://3.18:libcrypto3:3.1.1-r1",
+ "full_path": "3.18:libcrypto3:3.1.1-r1"
+ }
+ ]
+ ]
+ },
+ "alpine://3.18:libssl3:3.1.1-r1": {
+ "fixed_versions": [
+ "[3.1.1-r3]"
+ ],
+ "impact_paths": [
+ [
+ {
+ "component_id": "docker://alpine:latest"
+ },
+ {
+ "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar",
+ "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar"
+ },
+ {
+ "component_id": "alpine://3.18:libssl3:3.1.1-r1",
+ "full_path": "3.18:libssl3:3.1.1-r1"
+ }
+ ]
+ ]
+ }
+ },
+ "issue_id": "XRAY-526273",
+ "references": [
+ "http://www.openwall.com/lists/oss-security/2023/07/19/4",
+ "http://www.openwall.com/lists/oss-security/2023/07/19/5",
+ "http://www.openwall.com/lists/oss-security/2023/07/19/6",
+ "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb",
+ "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528",
+ "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c",
+ "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23",
+ "https://www.openssl.org/news/secadv/20230719.txt"
+ ]
+ },
+ {
+ "cves": [
+ {
+ "cve": "CVE-2023-2975"
+ }
+ ],
+ "summary": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
+ "severity": "Unknown",
+ "components": {
+ "alpine://3.18:libcrypto3:3.1.1-r1": {
+ "fixed_versions": [
+ "[3.1.1-r2]"
+ ],
+ "impact_paths": [
+ [
+ {
+ "component_id": "docker://alpine:latest"
+ },
+ {
+ "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar",
+ "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar"
+ },
+ {
+ "component_id": "alpine://3.18:libcrypto3:3.1.1-r1",
+ "full_path": "3.18:libcrypto3:3.1.1-r1"
+ }
+ ]
+ ]
+ },
+ "alpine://3.18:libssl3:3.1.1-r1": {
+ "fixed_versions": [
+ "[3.1.1-r2]"
+ ],
+ "impact_paths": [
+ [
+ {
+ "component_id": "docker://alpine:latest"
+ },
+ {
+ "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar",
+ "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar"
+ },
+ {
+ "component_id": "alpine://3.18:libssl3:3.1.1-r1",
+ "full_path": "3.18:libssl3:3.1.1-r1"
+ }
+ ]
+ ]
+ }
+ },
+ "issue_id": "XRAY-523321",
+ "references": [
+ "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598",
+ "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc",
+ "https://www.openssl.org/news/secadv/20230714.txt"
+ ]
+ }
+ ],
+ "component_id": "docker://alpine:latest",
+ "package_type": "Docker",
+ "status": "completed"
+ }
+]
diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json
new file mode 100644
index 00000000000..12a51deb52a
--- /dev/null
+++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json
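Review bot: No test in this series reads many_vulns_docker.json — the only test module visible opens one_vuln.json and many_vulns.json — so the cases this sample was added for stay unexercised unless a later patch wires it in. Both entries carry `"severity": "Unknown"` and a `cves` element with only a `cve` key (no `cvss_v2_*`/`cvss_v3_*`), and each CVE is reported against two components (libcrypto3 and libssl3), which is exactly where a parser's severity mapping, CVSS extraction and per-component finding split are most likely to break; if the raw `Unknown` were passed through, DefectDojo's severity field would not accept it. Add a `test_parse_file_with_many_vulns_docker` that asserts the finding count and that each finding's `severity` is a DefectDojo level (presumably `Info`) rather than `Unknown`. Note also that the component version in these reports lives in the component key (`alpine://3.18:libcrypto3:3.1.1-r1`), not in an `EXT` field, while the parser's `get_ext` (patch 04 hunk) reads `vulnerability["EXT"]`; with `component_version` in the configured hash-code fields, a version that is always empty would collapse findings for different versions of the same component into one deduplicated record — worth asserting `component_version` in the new test.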
@@ -0,0 +1,9130 @@ +[ + { + "scan_id": "b89a2883-51d6-4276-6aeb-e16307acddd6", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2023-30608", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.\n", + "severity": "High", + "components": { + "pypi://sqlparse:0.4.3": { + "fixed_versions": [ + "[0.4.4]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + }, + { + "component_id": "pypi://sqlparse:0.4.3" + } + ] + ] + } + }, + "issue_id": "XRAY-515353", + "references": [ + "https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb", + "https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a", + "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2", + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-24580", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. 
Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.", + "severity": "High", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-418183", + "references": [ + "http://www.openwall.com/lists/oss-security/2023/02/14/1", + "https://docs.djangoproject.com/en/4.1/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce", + "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html" + ], + "extended_information": { + "short_description": "A design problem in Django may lead to denial of service when processing multipart forms.", + "full_description": "[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development.\r\n\r\nA vulnerability has been discovered in the Multipart Request Parser in Django. By passing certain inputs (such as an excessive number of parts) to multipart forms, an attacker can trigger too many open files or memory exhaustion, which may lead to a denial-of-service attack. \r\n\r\nThe issue is only exploitable when the `MultiPartParser` class is used by the Django app/", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find a multipart form that receives files in order to trigger this issue, although this does not require intimate per-target research and can be automated.", + "is_positive": true + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "Exploitation only requires sending a large amount of files to a multipart form" + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "The impact of the vulnerability is a remote denial of service that requires no user interaction or per-target specific research" + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "The vulnerability is exploitable via remote multipart form requests that contain a maliciously excessive amount of files." + } + ], + "remediation": "##### Development mitigations\n\nUse AJAX to submit the form data asynchronously and use the FormData API to create a multipart/form-data request. This method allows to handle file uploads without using `MultiPartParser` explicitly. 
The FormData API also provides a convenient way to append form data to the request, including file uploads.\r\n```\r\n// HTML form\r\n\u003cform id=\"myForm\"\u003e\r\n \u003cinput type=\"text\" name=\"title\"\u003e\r\n \u003cinput type=\"file\" name=\"file\"\u003e\r\n \u003cbutton type=\"submit\"\u003eSubmit\u003c/button\u003e\r\n\u003c/form\u003e\r\n\r\n// JavaScript\r\n\u003cscript\u003e\r\n const form = document.getElementById('myForm');\r\n form.addEventListener('submit', async (event) =\u003e {\r\n event.preventDefault();\r\n\r\n const formData = new FormData(form);\r\n\r\n try {\r\n const response = await fetch('/upload/', {\r\n method: 'POST',\r\n body: formData\r\n });\r\n const result = await response.json();\r\n console.log(result);\r\n } catch (error) {\r\n console.error(error);\r\n }\r\n });\r\n\u003c/script\u003e\r\n\r\n// Django view\r\nfrom django.http import JsonResponse\r\n\r\ndef upload_view(request):\r\n if request.method == 'POST':\r\n title = request.POST.get('title')\r\n file = request.FILES.get('file')\r\n # process the title and file data\r\n return JsonResponse({'success': True})\r\n else:\r\n # return a response for other HTTP methods\r\n```" + } + }, + { + "cves": [ + { + "cve": "CVE-2023-23969", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. 
This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.", + "severity": "High", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-416423", + "references": [ + "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/", + "https://docs.djangoproject.com/en/4.1/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html" + ], + "extended_information": { + "short_description": "An inefficient regular expression in Django may allow remote attackers to cause denial of service when using the LocaleMiddleware middleware.", + "full_description": "[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development. \r\n\r\nIn Django, it is possible to localize and translate web pages via the `LocaleMiddleware` middleware. When using said middleware, the content of the `Accept-Language` header is parsed via a regex. In order to improve performance, a caching mechanism was implemented which would cache the 1000 most recent parse results of `Accept-Language` headers.\r\n\r\nIn the vulnerable versions of Django, it was discovered that while the regex used for parsing the `Accept-Language` header is not prone to ReDoS on its own (as the regex is mostly straight forward, with little to no nesting), when combined with the caching mechanism, very long input for regex, Django is prone to excessive memory usage. This excessive memory usage results in memory exhaustion which could lead to denial of service.\r\n\r\nThe vulnerability is not exploitable under Django's default configuration since -\r\n\r\n1. 
The `LocaleMiddleware` is not used by default\r\n\r\n2. The vulnerability is only exploitable if the Django server is deployed via an Apache HTTP Server configured with `LimitRequestFieldSize` set to 64KB. By default, Apache's request field size limit is 8KB. The vulnerability is not exploitable when deploying Django using Nginx with either Gunicorn or uWSGI in any configuration.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "The impact of the vulnerability is a remote denial of service that requires no user interaction or per-target specific research" + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "The vulnerability is exploitable via remote requests that contain a maliciously crafted `Accept-Language` header." + }, + { + "name": "The issue has an exploit published", + "description": "Test code contains a PoC for invalid `Accept-Language` header." + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is very unlikely for attackers to be able to access Django servers that are not deployed using Apache or Nginx. And when Django is deployed using Apache, it is unlikely for the request field size limit to be higher than the default amount.", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2023-31047", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). 
However, Django's \"Uploading multiple files\" documentation suggested otherwise.", + "severity": "Critical", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-519232", + "references": [ + "https://www.djangoproject.com/weblog/2023/may/03/security-releases/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/", + "https://docs.djangoproject.com/en/4.2/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce" + ] + } + ], + "component_id": "root", + "package_type": "Generic", + "status": "completed" + }, + { + "scan_id": "5971d1ef-b6ba-4d7d-6ba0-65d595208ee3", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2022-21803", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. 
By providing a crafted property, it is possible to modify the properties on the Object.prototype.", + "severity": "High", + "components": { + "npm://nconf:0.6.9": { + "fixed_versions": [ + "[0.11.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-208869", + "references": [ + "https://github.com/indexzero/nconf/pull/397", + "https://github.com/indexzero/nconf/releases/tag/v0.11.4", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450", + "https://snyk.io/vuln/SNYK-JS-NCONF-2395478" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16776", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N", + "cvss_v3_score": "8.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "High", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92764", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16777", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92763", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://security.gentoo.org/glsa/202003-48", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-7408", + "cvss_v2_score": "4.6", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "7.8", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as \"next: 5.7.0\" and therefore automatically installed by an \"npm upgrade -g npm\" command, and also announced in the vendor's blog without mention of pre-release status). 
It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a \"correctMkdir\" issue.", + "severity": "High", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-73410", + "references": [ + "http://blog.npmjs.org/post/171169301000/v571", + "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0", + "https://github.com/npm/npm/issues/19883" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16775", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92765", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-15095", + "cvss_v2_score": "1.9", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "4.4", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". 
The password value is not redacted and is printed to stdout and also to any generated log files.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-105289", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", + "https://security.gentoo.org/glsa/202101-07", + "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", + "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "2.6", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "5.9", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "JavaScript Big Number (jsbn) index.js Multiple Functions Timing Side-channel Information Disclosure", + "severity": "Medium", + "components": { + "npm://jsbn:0.1.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://jsprim:1.4.2" + }, + { + "component_id": "npm://extsprintf:1.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://jsprim:1.4.2" + }, + { + "component_id": "npm://extsprintf:1.3.0" + }, + { + "component_id": "npm://extsprintf:1.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://sshpk:1.17.0" + }, + { + "component_id": "npm://ecc-jsbn:0.1.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://sshpk:1.17.0" + }, + { + "component_id": "npm://ecc-jsbn:0.1.2" + }, + { + "component_id": "npm://jsbn:0.1.1" + } + ] + ] + } + }, + "issue_id": "XRAY-228919", + "references": [ + "https://github.com/andyperlitch/jsbn/issues/43", + "https://twitter.com/SoatokDhole/status/1536765180645974016", + "https://soatok.blog/2022/06/14/when-soatok-used-bugcrowd/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-28469" + } + ], + "summary": "Regular expression denial of service", + "severity": "Medium", + "components": { + "npm://glob-parent:2.0.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + 
"component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://parse-glob:3.0.4" + }, + { + "component_id": "npm://glob-base:0.3.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ] + ] + }, + "npm://glob-parent:3.1.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://glob-parent:3.1.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N14", + "references": [ + "https://npmjs.com/advisories/1751", + "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-28469)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww39-953v-wcq6)\n" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-28469", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "This affects the package glob-parent before 5.1.2. 
The enclosure regex used to check for strings ending in enclosure containing path separator.", + "severity": "High", + "components": { + "npm://glob-parent:2.0.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://parse-glob:3.0.4" + }, + { + "component_id": "npm://glob-base:0.3.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ] + ] + }, + "npm://glob-parent:3.1.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://glob-parent:3.1.0" + } + ] + ] + } + }, + "issue_id": "XRAY-177872", + "references": [ + "https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9", + "https://github.com/gulpjs/glob-parent/pull/36", + "https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092", + "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905", + "https://www.oracle.com/security-alerts/cpujan2022.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "0.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:N", + "cvss_v3_score": "0.0", + 
"cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N" + } + ], + "summary": "Commander.js Package for Node.js index.js parse() Function Argument Parsing Arbitrary Code Execution Weakness", + "severity": "Unknown", + "components": { + "npm://commander:0.6.1": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + }, + { + "component_id": "npm://commander:0.6.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + }, + { + "component_id": "npm://mkdirp:0.3.0" + } + ] + ] + }, + "npm://commander:2.3.0": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://commander:2.3.0" + } + ] + ] + }, + "npm://commander:2.5.1": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ] + ] + } + }, + "issue_id": "XRAY-199126", + "references": [ + "https://advisory.checkmarx.net/advisory/CX-2019-4298", + "https://github.com/tj/commander.js/pull/1056", + "https://github.com/tj/commander.js/commit/2544df81b478a4afe15560f27b3575aa3a1581c4" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-7610", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + 
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.", + "severity": "Critical", + "components": { + "npm://bson:1.0.9": { + "fixed_versions": [ + "[1.1.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + }, + { + "component_id": "npm://mongodb-core:2.1.20" + }, + { + "component_id": "npm://bson:1.0.9" + } + ] + ] + } + }, + "issue_id": "XRAY-95944", + "references": [ + "https://snyk.io/vuln/SNYK-JS-BSON-561052" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-2391", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N", + "cvss_v3_score": "5.4", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } + ], + "summary": "Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. 
js-bson library version 1.1.3 and prior to.", + "severity": "Medium", + "components": { + "npm://bson:1.0.9": { + "fixed_versions": [ + "[1.1.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + }, + { + "component_id": "npm://mongodb-core:2.1.20" + }, + { + "component_id": "npm://bson:1.0.9" + } + ] + ] + } + }, + "issue_id": "XRAY-95979", + "references": [ + "https://github.com/mongodb/js-bson/releases/tag/v1.1.4" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Mocha Package for Node.js lib/utils.js clean() Function Improper Regular Expression DoS", + "severity": "High", + "components": { + "npm://mocha:2.5.3": { + "fixed_versions": [ + "[10.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + } + ] + ] + } + }, + "issue_id": "XRAY-228815", + "references": [ + "https://github.com/mochajs/mocha/pull/4770", + "https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155", + "cvss_v3_score": "6.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "summary": "** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-428016", + "references": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16026", + "cvss_v2_score": "7.1", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:N/A:N", + "cvss_v3_score": "5.9", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "Request is an http client. If a request is made using ```multipart```, and the body type is a ```number```, then the specified number of non-zero memory is passed in the body. 
This affects Request \u003e=2.2.6 \u003c2.47.0 || \u003e2.51.0 \u003c=2.67.0.", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72544", + "references": [ + "https://github.com/request/request/issues/1904", + "https://github.com/request/request/pull/2018", + "https://nodesecurity.io/advisories/309" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N133", + "references": [ + 
"https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N134", + "references": [ + "https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" 
+ } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N135", + "references": [ + "https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2015-8858", + "cvss_v2_score": "7.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a \"regular expression denial of service (ReDoS).\"", + "severity": "High", + "components": { + "npm://uglify-js:2.4.24": { + "fixed_versions": [ + "[2.6.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://uglify-js:2.4.24" + } + ] + ] + } + }, + "issue_id": "XRAY-72508", + "references": [ + "http://www.securityfocus.com/bid/96409", + "https://nodesecurity.io/advisories/48", + "http://www.openwall.com/lists/oss-security/2016/04/20/11" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-23358", + "cvss_v2_score": "6.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "7.2", + 
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", + "severity": "High", + "components": { + "npm://underscore:1.8.3": { + "fixed_versions": [ + "[1.12.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ] + ] + } + }, + "issue_id": "XRAY-159876", + "references": [ + "https://www.tenable.com/security/tns-2021-14", + "https://www.debian.org/security/2021/dsa-4883", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/", + "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", + "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", + "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E", + 
"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P" + } + ], + "summary": "utile Package for Node.js lib/base64.js base64.encode() Function Buffer Allocation Handling Memory Consumption DoS", + "severity": "Medium", + "components": { + "npm://utile:0.2.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://prompt:0.2.14" + }, + { + "component_id": "npm://utile:0.2.1" + } + ] + ] + }, + "npm://utile:0.3.0": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + } + ] + ] + } + }, + "issue_id": "XRAY-78627", + "references": [ + "https://hackerone.com/reports/321701", + "https://www.npmjs.com/package/utile" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-3728", + "cvss_v2_score": "6.5", + "cvss_v2_vector": 
"CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "8.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "severity": "High", + "components": { + "npm://hoek:0.9.1": { + "fixed_versions": [ + "[4.2.1]", + "[5.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://boom:0.4.2" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://sntp:0.2.4" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + }, + { + "component_id": "npm://boom:0.4.2" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ] + ] + }, + "npm://hoek:2.16.3": { + "fixed_versions": [ + "[4.2.1]", + "[5.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + 
"component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": 
"npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://sntp:1.0.9" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://sntp:1.0.9" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + 
{ + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ] + ] + } + }, + "issue_id": "XRAY-73062", + "references": [ + "http://www.securityfocus.com/bid/103108", + "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee", + "https://nodesecurity.io/advisories/566", + "https://hackerone.com/reports/310439", + "https://snyk.io/vuln/npm:hoek:20180212", + "https://access.redhat.com/errata/RHSA-2018:1263", + "https://access.redhat.com/errata/RHSA-2018:1264" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-10540", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. 
The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72610", + "references": [ + "https://nodesecurity.io/advisories/118" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-3517" + } + ], + "summary": "minimatch ReDoS vulnerability", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N91", + "references": [ + "https://github.com/advisories/GHSA-f8q6-p94x-37v3", + "- https://nvd.nist.gov/vuln/detail/CVE-2022-3517\n- https://github.com/grafana/grafana-image-renderer/issues/329\n- https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6\n- https://github.com/nodejs/node/issues/42510\n- https://github.com/advisories/GHSA-f8q6-p94x-37v3" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-3517", 
+ "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-257996", + "references": [ + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20162", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. 
The associated identifier of this vulnerability is VDB-217451.", + "severity": "Medium", + "components": { + "npm://ms:0.7.1": { + "fixed_versions": [ + "[2.0.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ] + ] + } + }, + "issue_id": "XRAY-413139", + "references": [ + "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", + 
"https://github.com/vercel/ms/pull/89", + "https://github.com/vercel/ms/releases/tag/2.0.0", + "https://vuldb.com/?ctiid.217451", + "https://vuldb.com/?id.217451" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "summary": "Platform.js HTTP User-Agent Header Parsing Regular Expression Handling Remote DoS", + "severity": "Medium", + "components": { + "npm://platform:1.3.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://helmet-csp:1.2.2" + }, + { + "component_id": "npm://lodash.reduce:4.5.0" + } + ] + ] + } + }, + "issue_id": "XRAY-78635", + "references": [ + "https://github.com/bestiejs/platform.js", + "https://github.com/bestiejs/platform.js/issues/139" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-10064", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. 
An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72519", + "references": [ + "https://nodesecurity.io/advisories/28" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-7191", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "summary": "The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.", + "severity": "Medium", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73097", + "references": [ + "http://www-01.ibm.com/support/docview.wss?uid=swg21685987", + "http://www-01.ibm.com/support/docview.wss?uid=swg21687263", + "http://www-01.ibm.com/support/docview.wss?uid=swg21687928", + "https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8", + "https://github.com/visionmedia/node-querystring/issues/104", + 
"https://nodesecurity.io/advisories/qs_dos_memory_exhaustion", + "https://access.redhat.com/errata/RHSA-2016:1380", + "http://secunia.com/advisories/60026", + "http://secunia.com/advisories/62170", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/96729" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-1000048", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://qs:5.2.1": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://qs:5.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-94949", + "references": [ + "https://github.com/ljharb/qs/issues/200", + "https://access.redhat.com/errata/RHSA-2017:2672" + ] + }, + { + "cves": [ + { + "cve": 
"CVE-2022-24999", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://qs:5.2.1": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://qs:5.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-262099", + "references": [ + "https://github.com/expressjs/express/releases/tag/4.17.3", + 
"https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999" + ], + "extended_information": { + "short_description": "Insufficient input validation in qs leads to prototype pollution when parsing attacker-controlled query strings.", + "full_description": "[qs](https://npmjs.org/package/qs) is an npm library that provides query string parsing to objects and stringifying.\r\n\r\n[Express.js](https://www.npmjs.com/package/express) is a trending web framework for Node.js and uses `qs` as one of its dependencies.\r\n\r\nIt was discovered that the `parseObject` function in `qs` did not guard against prototype pollution when parsing query strings, by allowing the use of `__proto__` keys instead of ignoring them. Therefore, any calls with untrusted user input would cause the injection of arbitrary values into the Object prototype and could lead to denial-of-service.\r\n\r\nBy default, the `qs` library doesn't allow prototypes when parsing, so only non-default parsing configurations are affected. An example: `qs.parse(payload, { allowPrototypes: true });`\r\n\r\nThe issue also affects `Express.js` web framework, which uses the `qs` package to parse user-supplied query strings (from `HTTP GET` requests). That is due to `Express.js` parsing the queries with the `qs` `allowPrototypes=true` option enabled by default.\r\nThe vulnerable function is called when processing a request and does not have to be invoked by the developer directly.\r\n\r\nWhen treating the resulting query object that is inside `req.query` as a string or as an array, it causes Node.js to hang. 
An example would be code that processes a string addition: `const newVar = req.query.testString + \"0\";`\r\nAnother example would be code that searches an element in an array: `req.query.testArray.indexOf(\"123\")`\r\n\r\nThe vulnerability doesn't affect the use of `qs` with default configuration (without the enabling of `allowPrototypes`).\r\n\r\nExample malicious query string payload -\r\n```\r\na[__proto__]\u0026a[__proto__]\u0026a[length]=100000000\r\n```", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "`express` is a Node.js web framework and is very likely to parse user-supplied query strings." + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "Prototype pollution is well documented and the vulnerability is very trivial to exploit." + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "In `qs`, only applicable to `qs.parse` calls that have the `allowPrototypes=true` option, which is not enabled by default.\r\nIn `express`, the vulnerability is exploitable by default, but mostly for denial-of-service impact", + "is_positive": true + }, + { + "name": "The issue has a detailed technical explanation published, that can aid in exploit development", + "description": "Multiple public Proof-of-Concepts demonstrating exploitation of this issue are available, including a detailed writeup." + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n##### Development mitigations\n\nIn `qs`, don't use the `{ allowPrototypes: true}` parsing option.\r\nIn `express`, add the following line to switch from using the vulnerable `qs` to `query-string` npm library:\r\n```\r\napp.set('query parser', 'simple');\r\n```" + } + }, + { + "cves": [ + { + "cvss_v2_score": "7.1", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "mongodb Package for Node.js (node-mongodb-native) lib/operations/db_ops.js createCollection() Function Collection Name Validation Improper Exception Handling DoS", + "severity": "High", + "components": { + "npm://mongodb:2.2.36": { + "fixed_versions": [ + "[3.1.13]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + } + ] + ] + } + }, + "issue_id": "XRAY-90643", + "references": [ + "https://www.npmjs.com/advisories/1203", + "https://jira.mongodb.org/browse/NODE-1839", + 
"https://github.com/mongodb/node-mongodb-native/commit/210c71dccd8d8fdeadd9b4d1571e5fdb93e0f02f" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-0842", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "summary": "xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.", + "severity": "Medium", + "components": { + "npm://xml2js:0.4.4": { + "fixed_versions": [ + "[0.5.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://selenium-webdriver:2.53.3" + }, + { + "component_id": "npm://xml2js:0.4.4" + } + ] + ] + } + }, + "issue_id": "XRAY-513455", + "references": [ + "https://fluidattacks.com/advisories/myers/", + "https://github.com/Leonidas-from-XIV/node-xml2js/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-29167", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. 
If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.", + "severity": "High", + "components": { + "npm://hawk:1.0.0": { + "fixed_versions": [ + "[3.1.3]", + "[4.1.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://hawk:3.1.3": { + "fixed_versions": [ + "[9.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-209780", + "references": [ + "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", + "https://github.com/mozilla/hawk/pull/286" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-1000232", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. 
This vulnerability appears to have been fixed in 2.3.0.", + "severity": "Medium", + "components": { + "npm://tough-cookie:2.2.2": { + "fixed_versions": [ + "[2.3.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tough-cookie:2.2.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-73084", + "references": [ + "https://access.redhat.com/security/cve/cve-2016-1000232", + "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", + "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", + "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", + "https://www.npmjs.com/advisories/130", + "https://access.redhat.com/errata/RHSA-2016:2101", + "https://access.redhat.com/errata/RHSA-2017:2912" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-15010", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. 
An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.", + "severity": "High", + "components": { + "npm://tough-cookie:2.2.2": { + "fixed_versions": [ + "[2.3.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tough-cookie:2.2.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72482", + "references": [ + "http://www.securityfocus.com/bid/101185", + "https://github.com/salesforce/tough-cookie/issues/92", + "https://nodesecurity.io/advisories/525", + "https://snyk.io/vuln/npm:tough-cookie:20170905", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", + "https://access.redhat.com/errata/RHSA-2017:2912", + "https://access.redhat.com/errata/RHSA-2017:2913", + "https://access.redhat.com/errata/RHSA-2018:1263", + "https://access.redhat.com/errata/RHSA-2018:1264" + ] + }, + { + "summary": "Memory Exposure in tunnel-agent", + "severity": "Medium", + "components": { + "npm://tunnel-agent:0.4.3": { + "fixed_versions": [ + "[0.6.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tunnel-agent:0.4.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N78", + "references": [ + "https://github.com/advisories/GHSA-xc7v-wxcw-j472", + "- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\n- https://www.npmjs.com/advisories/598\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472" + ] + }, + { + "summary": "Withdrawn: ESLint dependencies are vulnerable (ReDoS and Prototype Pollution)", + "severity": "Medium", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + 
"component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + 
"[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-N39", + "references": [ + "https://github.com/advisories/GHSA-7fhm-mqm4-2wp7", + "- https://github.com/advisories/GHSA-6chw-6frg-f759\n- https://github.com/advisories/GHSA-7fhm-mqm4-2wp7" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "10.0", + "cvss_v2_vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "minimist Package for Node.js --__proto__.y=Polluted Argument Handling Prototype Pollution Remote Property Manipulation", + "severity": "Critical", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + 
}, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, 
+ { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-95632", + "references": [ + "https://bdu.fstec.ru/vul/2020-01147", + "https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", + "https://www.npmjs.com/advisories/1179", + "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-44906", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "severity": "Critical", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": 
"npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-200203", + "references": [ + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" + ], + "extended_information": { + "short_description": "Insufficient input validation in Minimist npm package leads to prototype pollution of constructor functions which allows remote attacker with unspecified impact.", + "full_description": "[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. 
This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.\r\n\r\n\r\nAn incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:\r\n```\r\nvar argv = parse(['--_.concat.constructor.prototype.y', '123']);\r\nt.equal((function(){}).foo, undefined);\r\nt.equal(argv.y, undefined);\r\n```\r\nIn this example, `prototype.y` is assigned with `123` which will be derived to every newly created object. \r\n\r\nThis vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must be able to control a command-line parameter that is passed to a Node.js program that uses Minimist to parse the arguments", + "is_positive": true + }, + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrated exploitation of this attack, with an unspecified impact" + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "cves": [ + { + "cve": "CVE-2020-7598", + "cvss_v2_score": "6.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "5.6", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "summary": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", + "severity": "Medium", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + 
"component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + 
"component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-95385", + "references": [ + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" + ], + "extended_information": { + "short_description": "Missing sanitization in minimist can lead to prototype pollution when parsing command line arguments.", + "full_description": "Node-js based applications (command line tools) that use the [minimist]() package to parse command line arguments can be vulnerable to prototype pollution if an attacker can fully control the arguments provided to the command line tools. The security impact depends on the specific application, since this is a prototype pollution issue, and can range from no impact at all, to authentication bypass, DoS or even RCE.\r\n\r\nAs an demonstration of an application vulnerable to authentication bypass, the following application reads a configuration file and makes a decision based on it. 
However, it also uses `minimist` and is thus vulnerable to this vulnerability -\r\n\r\n```js\r\nconst minimist = require('minimist');\r\nconst fs = require('fs');\r\n\r\nconst argv = minimist(process.argv.slice(2));\r\n\r\nlet confdata = fs.readFileSync('conf.json');\r\nlet conf = JSON.parse(confdata);\r\n\r\nif (conf.role == 'admin') {\r\n // grant access\r\n} else {\r\n // deny access\r\n}\r\n```\r\n\r\nThis assumes the attacker is able to execute the vulnerable application and control the command line arguments (this usually would only be possible if the attacker has local privileges and shell access that will allow the execution of the application with arbitrary command line arguments). \r\n\r\nIn the example, the attacker would want to modify the value of the `role` property to `admin`, which can be achieved by executing the vulnerable application in this way -\r\n\r\n```bash\r\n./vulnerable_node_app --__proto__.role admin\r\n```\r\n\r\nThe vulnerable application is using the `role` property to decide whether to allow or deny application-specific actions. However, exploitation would require specific tailoring to the vulnerable application, as other applications might not have a similar property. The specific exploitation method would need to be researched by the attacker, which would also require the attacker having some access to the vulnerable application code).\r\n\r\nWhile an exploit was [published](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a), it is not generic and would need to be modified to the specific application under attack. 
Moreover, from the attacker perspective the crux of being able to even use this exploit is being able to control the command line arguments in the first place.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is highly uncommon for applications to receive arguments directly from network input or unprivileged local users", + "is_positive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "Attacker vector, AV, was set to network even though this vulnerability cannot be necessarily triggered from the network, only in very specific environments that take network input and provide it as an argument to applications that use minimist", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cvss_v2_score": "9.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "unset-value Package for Node.js index.js unset() Function Prototype Pollution Arbitrary Code Execution", + "severity": "Critical", + "components": { + "npm://unset-value:1.0.0": { + "fixed_versions": [ + "[2.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": 
"npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" 
+ }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://unset-value:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, 
+ { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ] + ] + } + }, + "issue_id": "XRAY-198324", + "references": [ + "https://github.com/jonschlinkert/unset-value/issues/11", + "https://github.com/jonschlinkert/unset-value/pull/12", + "https://github.com/jonschlinkert/unset-value/commit/56fe0f2374c73f281a5b44909dcec3a4f9d6f9f4" + ], + "extended_information": { + "short_description": "Insufficient input validation in unset-value unset() leads to prototype pollution", + "full_description": "[unset-value](https://www.npmjs.com/package/unset-value) is small JavaScript utility package that provides an API to delete nested properties from an object using dot notation\n\nThe function `unset` was found to be vulnerable to prototype pollution, when accepting arbitrary properties from untrusted input\n\nExample of code vulnerable to this issue - \n```js\nconst unset = require('unset-value'); \nconst evilprop = '__proto__.toString';\nunset({}, evilprop);\n```\n\nSince this prototype pollution only allows to remove properties from the prototype (and not set them to arbitrary values), the pollution leads to denial of service only and won't lead to remote code execution in feasible scenarios.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "Context-dependent exploitation", + "description": "An attacker must find remote input that propagates into the `unset` method (2nd arg)", + "is_positive": true + }, + { + "name": "Context-dependent impact", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is 
triggered.\nIn this specific case, properties can only be deleted from the prototype. Therefore, the only feasible impact is a denial of service attack.", + "is_positive": true + }, + { + "name": "Has published exploit", + "description": "The package's test code contains a PoC that triggers the vulnerability " + } + ], + "remediation": "##### Development mitigation\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "summary": "Remote Memory Exposure", + "severity": "High", + "components": { + "npm://bl:1.0.3": { + "fixed_versions": [ + "[1.2.3]", + "[2.2.1]", + "[3.0.1]", + "[4.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://bl:1.0.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N17", + "references": [ + "https://npmjs.com/advisories/1555", + "- https://github.com/advisories/GHSA-pp7h-53gx-mx7r\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8244\n- https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e\n- https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190\n- https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466\n- https://hackerone.com/reports/966347" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-8244", + "cvss_v2_score": "6.4", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" + } + ], + "summary": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "severity": "Medium", + "components": { + "npm://bl:1.0.3": { + "fixed_versions": [ + "[1.2.3]", + "[2.2.1]", + "[3.0.1]", + "[4.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://bl:1.0.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-122434", + "references": [ + "https://hackerone.com/reports/966347", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1109", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "severity": "Medium", + "components": { + "npm://braces:1.8.5": { + "fixed_versions": [ + "[2.3.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://array-unique:0.2.1" + } + ] + ] + } + }, + "issue_id": "XRAY-160030", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1547272", + "https://snyk.io/vuln/npm:braces:20180219" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1000620" + } + ], + "summary": "Insufficient Entropy", + "severity": "High", + "components": { + "npm://cryptiles:0.2.2": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + } + ] + ] + }, + "npm://cryptiles:2.0.5": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ] + ] + } + }, + "issue_id": "XRAY-N10", + "references": [ + "https://npmjs.com/advisories/1464", + "- [GitHub PR](https://github.com/hapijs/cryptiles/issues/34)" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1000620", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. 
This vulnerability appears to have been fixed in 4.1.2.", + "severity": "Critical", + "components": { + "npm://cryptiles:0.2.2": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + } + ] + ] + }, + "npm://cryptiles:2.0.5": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ] + ] + } + }, + "issue_id": "XRAY-84448", + "references": [ + "https://github.com/hapijs/cryptiles/issues/34" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165" + } + ], + "summary": "debug Inefficient Regular Expression Complexity vulnerability", + "severity": "Low", + "components": { + "npm://debug:2.2.0": { + 
"fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + }, + "npm://debug:2.6.9": { + "fixed_versions": [ + "[3.1.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express-session:1.17.3" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express:4.18.2" + }, + { + "component_id": "npm://body-parser:1.20.1" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://body-parser:1.20.2" + }, + { + "component_id": "npm://debug:2.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N115", + "references": [ + "https://github.com/advisories/GHSA-9vvw-cc9w-f27h", + "- https://nvd.nist.gov/vuln/detail/CVE-2017-20165\n- https://github.com/debug-js/debug/pull/504\n- https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685\n- https://github.com/debug-js/debug/releases/tag/3.1.0\n- https://vuldb.com/?ctiid.217665\n- https://vuldb.com/?id.217665\n- https://github.com/advisories/GHSA-9vvw-cc9w-f27h" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165" + } + ], + "summary": "debug Inefficient Regular Expression Complexity vulnerability", + "severity": "Low", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" 
+ }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + }, + "npm://debug:2.6.9": { + "fixed_versions": [ + "[3.1.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express-session:1.17.3" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express:4.18.2" + }, + { + "component_id": "npm://body-parser:1.20.1" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://body-parser:1.20.2" + }, + { + "component_id": "npm://debug:2.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N116", + "references": [ + "https://github.com/advisories/GHSA-9vvw-cc9w-f27h", + "- https://nvd.nist.gov/vuln/detail/CVE-2017-20165\n- https://github.com/debug-js/debug/pull/504\n- https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685\n- https://github.com/debug-js/debug/releases/tag/3.1.0\n- https://vuldb.com/?ctiid.217665\n- https://vuldb.com/?id.217665\n- https://github.com/advisories/GHSA-9vvw-cc9w-f27h" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-41720" + } + ], + "summary": "Arbitrary code execution in lodash", + "severity": "Critical", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + }, + "npm://lodash:4.17.21": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-watch:1.1.0" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-watch:1.1.0" + }, + { + "component_id": "npm://gaze:1.1.3" + }, + { + "component_id": "npm://globule:1.3.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-jsbeautifier:0.2.13" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N51", + "references": [ + "https://github.com/advisories/GHSA-8p5q-j9m2-g8wr", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://nvd.nist.gov/vuln/detail/CVE-2021-41720\n- https://github.com/advisories/GHSA-8p5q-j9m2-g8wr" + ] + }, + { + "summary": "Regular Expression Denial of Service", + "severity": "High", + "components": { + "npm://diff:1.4.0": { + "fixed_versions": [ + "[3.5.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://diff:1.4.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N21", + "references": [ + "https://npmjs.com/advisories/1631", + "- [WhiteSource 
Advisory](https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590)\n- [Snyk Advisory](https://snyk.io/vuln/npm:diff:20180305)\n- [GitHub Advisory](https://github.com/advisories/GHSA-h6ch-v84p-w6p9)" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16115", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.", + "severity": "High", + "components": { + "npm://timespan:2.3.0": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://timespan:2.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73065", + "references": [ + "https://github.com/indexzero/TimeSpan.js/issues/10", + "https://nodesecurity.io/advisories/533" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "6.1", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "summary": "helmet-csp Package for Node.js lib/transform-directives-for-browser.ts transformDirectivesForBrowser() Function Default Directive Handling Content Security Policy Bypass", + "severity": "Medium", + "components": { + "npm://helmet-csp:1.2.2": { + "fixed_versions": [ + "[2.9.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://helmet-csp:1.2.2" + } + ] + ] + } + }, + "issue_id": "XRAY-89144", + "references": [ + "https://www.npmjs.com/advisories/1176", + "https://www.npmjs.com/package/helmet-csp", + "https://github.com/helmetjs/csp/commit/67a69baafa8198a154f0505a0cf0875f76f6186a", + 
"https://github.com/helmetjs/csp/blob/v2.9.2/CHANGELOG.md" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16137", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "severity": "Medium", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72687", + "references": [ + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://nodesecurity.io/advisories/534", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. 
The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.", + "severity": "High", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + } + }, + "issue_id": "XRAY-413253", + "references": [ + "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685", + "https://github.com/debug-js/debug/pull/504", + "https://github.com/debug-js/debug/releases/tag/3.1.0", + "https://vuldb.com/?ctiid.217665", + "https://vuldb.com/?id.217665" + ], + "extended_information": { + "short_description": "Unbounded resource consumption in debug-js package could lead to denial of service when an attacker-controlled object is pretty-printed.", + "full_description": "[debug-js](https://npmjs.com/package/debug) is a tiny JavaScript debugging utility modeled after Node.js core's debugging technique. 
`debug-js` targets both Node.js and web browsers, and uses printf-style formatting.\r\n\r\nCode that uses debug-js is prone to denial of service when trying to pretty-print an attacker-controlled object, for example - `debug('Object: %o', obj);`\r\n\r\nIt was discovered that the `o` formatter, used to pretty-print an `Object` in a single line, had an unbounded memory footprint, which may lead to denial-of-service.\r\n\r\nTo pretty-print an object, the `o` formatter joins all the formatted object text to a single line and sends it to the built-in Node.js function `util.inspect()`. After that, it trims any whitespace. The issue was using an inefficient regular expression for this trimming operation.\r\n\r\nThe issue only occurs when the formatted JS object has a malicious `toStringTag`.\r\n\r\nThe issue has been resolved in versions 3.0.0 and 2.6.9, but was re-introduced by regression refactor from version 3.2.0.", + "jfrog_research_severity": "Low", + "jfrog_research_severity_reasons": [ + { + "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", + "description": "Although Regular Expression Denial-of-Service is thoroughly researched, exploiting this particular issue is quite complex and no PoC was published.", + "is_positive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability properly.", + "is_positive": true + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "To exploit this issue:\r\n1. The attacker must find a way to pass input to 'debug-js' logger.\r\n2. The log message must have a specific vulnerable formatter `%o`\r\n3. 
The attacker input must propagate into a JS Object that has a `toStringTag`, as normal objects with a simple key and value aren't vulnerable.", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2020-28500", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-140562", + "references": [ + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/pull/5065", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "extended_information": { + "short_description": "ReDoS in lodash could lead to a denial of service when handling untrusted strings.", + "full_description": "JavaScript-based applications that use 
[lodash](https://github.com/lodash/lodash) and specifically the [_.toNumber](https://lodash.com/docs/4.17.15#toNumber), [_.trim](https://lodash.com/docs/4.17.15#trim) and [_.trimEnd](https://lodash.com/docs/4.17.15#trimEnd) functions, could be vulnerable to DoS (Denial of Service) through a faulty regular expression that introduces a ReDoS (Regular Expression DoS) vulnerability. This vulnerability is only triggered if untrusted user input flows into these vulnerable functions and the attacker can supply arbitrary long strings (over 50kB) that contain whitespaces. \r\n\r\nOn a modern Core i7-based system, calling the vulnerable functions with a 50kB string could take between 2 to 3 seconds to execute and 4.5 minutes for a longer 500kB string. The fix improved the regular expression performance so it took only a few milliseconds on the same Core i7-based system. This vulnerability is easily exploitable as all is required is to build a string that triggers it as can be seen in this PoC reproducing code - \r\n\r\n```js\r\nvar untrusted_user_input_50k = \"a\" + ' '.repeat(50000) + \"z\"; // assume this is provided over the network\r\nlo.trimEnd(untrusted_user_input_50k); // should take a few seconds to run\r\nvar untrusted_user_input_500k = \"a\" + ' '.repeat(500000) + \"z\"; // assume this is provided over the network\r\nlo.trimEnd(untrusted_user_input_500k); // should take a few minutes to run\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue has an exploit published", + "description": "Public exploit demonstrated ReDoS" + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "Exploitation depends on parsing user input by the `.toNumber`, `.trim` or `.trimEnd` `lodash` functions, and requires the input to contain whitespaces and be very long (over 50KB)", + "is_positive": true + } + ], + "remediation": "##### Deployment mitigations\n\nTrim untrusted strings based on size before providing it to the vulnerable functions by using the `substring` function to with a fixed maximum size like so - ```js untrusted_user_input.substring(0, max_string_size_less_than_50kB); ```" + } + }, + { + "cves": [ + { + "cve": "CVE-2018-3721", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72918", + "references": [ + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://hackerone.com/reports/310443" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-1010266", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "lodash 
prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-85049", + "references": [ + "https://github.com/lodash/lodash/wiki/Changelog", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://github.com/lodash/lodash/issues/3359", + "https://snyk.io/vuln/SNYK-JS-LODASH-73639" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-10744", + "cvss_v2_score": "6.4", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:P", + "cvss_v3_score": "9.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "summary": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "severity": "Critical", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-85679", + "references": [ + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://access.redhat.com/errata/RHSA-2019:3024" + ], + "extended_information": { + "short_description": "Insufficient input validation in lodash defaultsDeep() leads to prototype pollution.", + "full_description": "[lodash](https://www.npmjs.com/package/lodash) is a modern JavaScript utility library delivering modularity, performance, \u0026 extras.\r\n\r\nThe function `defaultsDeep` was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input\r\n\r\nExample of code vulnerable to this issue - \r\n```js\r\nconst lodash = require('lodash'); \r\nconst evilsrc = {constructor: {prototype: {evilkey: \"evilvalue\"}}};\r\nlodash.defaultsDeep({}, evilsrc)\r\n```", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrates exploitation of this issue" + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find remote input that propagates into the `defaultsDeep` method (2nd arg)", + "is_positive": true + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." 
+ } + }, + { + "cves": [ + { + "cve": "CVE-2018-16487", + "cvss_v2_score": "6.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "5.6", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "summary": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-75300", + "references": [ + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://hackerone.com/reports/380873" + ], + "extended_information": { + "short_description": "Insufficient input validation in the Lodash library leads to prototype pollution.", + "full_description": "The [Lodash](https://lodash.com/) library is an open-source JavaScript project that simplifies operations on string, arrays, numbers, and other objects. It is widely used in connected devices. \r\n\r\nThe `merge`, `mergeWith`, and `defaultsDeep` methods in Lodash are vulnerable to [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/). Attackers can exploit this vulnerability by specifying a crafted `sources` parameter to any of these methods, which can modify the prototype properties of the `Object`, `Function`, `Array`, `String`, `Number`, and `Boolean` objects. 
A public [exploit](https://hackerone.com/reports/380873) exists which performs the prototype pollution with an arbitrary key and value.\r\n\r\nThe library implementation has a bug in the `safeGet()` function in the `lodash.js` module that allows for adding or modifying `prototype` properties of various objects. The official [solution](https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad) fixes the bug by explicitly forbidding the addition or modification of `prototype` properties.\r\n\r\nA related CVE (CVE-2018-3721) covers the same issue prior to Lodash version 4.17.5, but the fix for that was incomplete.", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find remote input that propagates into one of the following methods - \r\n* `merge` - 2nd argument\r\n* `mergeWith` - 2nd argument\r\n* `defaultsDeep` - 2nd argument", + "is_positive": true + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. 
In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrated exploitation by injecting an attacker controlled key and value into the prototype" + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "cves": [ + { + "cve": "CVE-2020-8203", + "cvss_v2_score": "5.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:P", + "cvss_v3_score": "7.4", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "summary": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "severity": "High", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-114089", + "references": [ + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://github.com/lodash/lodash/issues/4874", + "https://hackerone.com/reports/712065", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html" + ], + "extended_information": { + "short_description": "Prototype pollution in lodash object merging and zipping functions leads to code injection.", + "full_description": "[lodash](https://lodash.com/) is a JavaScript library which provides utility functions for 
common programming tasks.\r\n\r\nJavaScript frontend and Node.js-based backend applications that merge or zip objects using the lodash functions `mergeWith`, `merge` and `zipObjectDeep` are vulnerable to [prototype pollution](https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c) if one or more of the objects it receives as arguments are obtained from user input. \r\nAn attacker controlling this input given to the vulnerable functions can inject properties to JavaScript special objects such as [Object.prototype](https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/Object_prototypes) from which all JavaScript objects inherit properties and methods. Any change on `Object.prototype` properties will then propagate through the prototype chain inheritance to all of the objects in a JavaScript application. This in turn would allow an attacker to add new properties or modify existing properties which will have application specific implications that could lead to DoS (denial of service), authentication bypass, privilege escalation and even RCE (remote code execution) in [some cases](https://youtu.be/LUsiFV3dsK8?t=1152). \r\nAs an example for privilege escalation, consider a JavaScript application that has a `user` object which has a Boolean property of `user.isAdmin` which is used to decide which actions the user may take. If an attacker can modify or add the `isAdmin` property through prototype pollution, it can escalate the privileges of its own user to those of an admin. \r\nAs exploitation is usually application specific, successful exploitation is much more likely if an attacker have access to the JavaScript application code. As such, frontend applications are more vulnerable to this vulnerability than Node.js backend applications.", + "jfrog_research_severity": "Critical", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", + "is_positive": true + }, + { + "name": "The issue can be exploited by attackers over the network" + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC" + } + ], + "remediation": "##### Deployment mitigations\n\nAs general guidelines against prototype pollution, first consider not merging objects originating from user input or using a Map structure instead of an object. If merging objects is needed, look into creating objects without a prototype with `Object.create(null)` or into freezing `Object.prototype` with `Object.freeze()`. Finally, it is always best to perform input validation with a a [JSON schema validator](https://github.com/ajv-validator/ajv), which could mitigate this issue entirely in many cases." + } + }, + { + "cves": [ + { + "cve": "CVE-2021-23337", + "cvss_v2_score": "6.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "7.2", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "severity": "High", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-140575", + "references": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "extended_information": { + "short_description": "Improper sanitization in the lodash template function leads to JavaScript code injection through the options argument.", + "full_description": "JavaScript-based applications (both frontend and backend) that use the [template function](https://lodash.com/docs/4.17.15#template) -`_.template([string=''], [options={}])` from the [lodash](https://lodash.com/) utility library and provide the `options` argument (specifically the `variable` option) from untrusted user input, are vulnerable to JavaScript code injection. This issue can be easily exploited, and an exploitation example is [publicly available](https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c#diff-a561630bb56b82342bc66697aee2ad96efddcbc9d150665abd6fb7ecb7c0ab2fR22303) in the fix tests that was introduced in version 4.17.21 - \r\n```js\r\nlodash.template('', { variable: '){console.log(process.env)}; with(obj' })()\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is highly unlikely that a JS program will accept arbitrary remote input into the template's `options` argument", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The attacker must find remote input that propagates into the `options` argument of a `template` call", + "is_positive": true + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "Leads to remote code execution through JS code injection" + }, + { + "name": "The issue has an exploit published", + "description": "Published exploit demonstrates arbitrary JS code execution" + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2022-33987", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "summary": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "severity": "Medium", + "components": { + "npm://got:6.7.1": { + "fixed_versions": [ + "[11.8.5]", + "[12.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://latest-version:3.1.0" + }, + { + "component_id": "npm://package-json:4.0.1" + }, + { + "component_id": "npm://got:6.7.1" + } + ] + ] + } + }, + "issue_id": "XRAY-229041", + "references": [ + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16042", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Growl adds growl notification support to nodejs. 
Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", + "severity": "Critical", + "components": { + "npm://growl:1.9.2": { + "fixed_versions": [ + "[1.10.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://growl:1.9.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72713", + "references": [ + "https://github.com/tj/node-growl/issues/60", + "https://github.com/tj/node-growl/pull/61", + "https://nodesecurity.io/advisories/146" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-33623", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", + "severity": "High", + "components": { + "npm://trim-newlines:1.0.0": { + "fixed_versions": [ + "[3.0.1]", + "[4.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-concurrent:2.3.1" + }, + { + "component_id": "npm://pad-stream:1.2.0" + }, + { + "component_id": "npm://meow:3.7.0" + }, + { + "component_id": "npm://trim-newlines:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-176887", + "references": [ + "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", + "https://security.netapp.com/advisory/ntap-20210702-0007/", + "https://www.npmjs.com/package/trim-newlines", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00033.html" + ] + }, + { + "cves": [ + { + "cve": 
"CVE-2023-25345", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags.", + "severity": "High", + "components": { + "npm://swig:1.4.2": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-427909", + "references": [ + "https://github.com/node-swig/swig-templates/issues/88" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21681" + } + ], + "summary": "Inefficient Regular Expression Complexity in marked", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N57", + "references": [ + "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", + "- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "marked Package for Node.js lib/marked.js heading Regular Expression Handling CPU Consumption DoS", + "severity": "Medium", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-84782", + "references": [ + 
"https://github.com/markedjs/marked/commit/09afabf69c6d0c919c03443f47bdfe476566105d", + "https://github.com/markedjs/marked/pull/1224" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21680", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-194626", + "references": [ + "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0", + "https://github.com/markedjs/marked/releases/tag/v4.0.10" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21680" + } + ], + "summary": "Inefficient Regular Expression Complexity in marked", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": 
"XRAY-N58", + "references": [ + "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", + "- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21681", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. 
As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-194711", + "references": [ + "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "7.1", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C" + } + ], + "summary": "marked lib/marked.js inline() Function Regular Expresssion Handling DoS", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-78213", + "references": [ + "https://github.com/markedjs/marked/issues/1058", + "https://github.com/markedjs/marked/files/1735164/example.txt", + "https://github.com/Feder1co5oave/marktex/commit/d30c6cef0ae7645390bccb00a01a428693073b60", + "https://github.com/markedjs/marked/pull/1083", + "https://github.com/markedjs/marked/issues/1070", + "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485", + "https://github.com/markedjs/marked/releases/tag/v0.3.17", + "https://snyk.io/vuln/npm:marked:20180225" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-23440" + } + ], + "summary": "Prototype Pollution in set-value", + "severity": "High", + "components": { + "npm://set-value:2.0.1": { + "fixed_versions": [ + "[4.0.1,)" + ], + 
"impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + 
"component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { 
+ "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": 
"npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": 
"npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + 
"component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + 
"component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + 
"component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + 
"component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://union-value:1.0.1" + }, + { + "component_id": "npm://get-value:2.0.6" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://set-value:2.0.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" 
+ }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + 
"component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": 
"npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + 
}, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N36", + "references": [ + "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-23440\n- https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-2515", + "cvss_v2_score": "7.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.", + "severity": "High", + "components": { + "npm://hawk:1.0.0": { + "fixed_versions": [ + "[3.1.3]", + "[4.1.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" 
+ }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73076", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1309721", + "https://github.com/hueniverse/hawk/commit/0833f99ba64558525995a7e21d4093da1f3e15fa", + "https://github.com/hueniverse/hawk/issues/168", + "https://nodesecurity.io/advisories/77", + "http://www.openwall.com/lists/oss-security/2016/02/20/1", + "http://www.openwall.com/lists/oss-security/2016/02/20/2" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16138", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The mime module \u003c 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.", + "severity": "High", + "components": { + "npm://mime:1.2.11": { + "fixed_versions": [ + "[1.4.1]", + "[2.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://form-data:0.1.4" + }, + { + "component_id": "npm://mime:1.2.11" + } + ] + ] + } + }, + "issue_id": "XRAY-72686", + "references": [ + "https://github.com/broofa/node-mime/issues/167", + "https://nodesecurity.io/advisories/535" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-3807" + } + ], + "summary": " Inefficient Regular Expression Complexity in chalk/ansi-regex", + "severity": "Medium", + "components": { + "npm://ansi-regex:3.0.1": { + "fixed_versions": [ + "[5.0.1,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://ansi-align:2.0.0" + }, + { + "component_id": "npm://string-width:2.1.1" + }, + { + "component_id": "npm://strip-ansi:4.0.0" + }, + { + "component_id": "npm://ansi-regex:3.0.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://cli-boxes:1.0.0" + }, + { + "component_id": "npm://execa:0.7.0" + }, + { + "component_id": "npm://get-stream:3.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://widest-line:2.0.1" + }, + { + "component_id": "npm://string-width:2.1.1" + }, + { + "component_id": "npm://strip-ansi:4.0.0" + }, + { + "component_id": "npm://ansi-regex:3.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N33", + "references": [ + "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1002204", + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "5.5", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "summary": "adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. 
This vulnerability is also known as 'Zip-Slip'.", + "severity": "Medium", + "components": { + "npm://adm-zip:0.4.4": { + "fixed_versions": [ + "[0.4.11]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://selenium-webdriver:2.53.3" + }, + { + "component_id": "npm://adm-zip:0.4.4" + } + ] + ] + } + }, + "issue_id": "XRAY-73112", + "references": [ + "http://www.securityfocus.com/bid/107001", + "https://github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25", + "https://github.com/cthackers/adm-zip/pull/212", + "https://github.com/snyk/zip-slip-vulnerability", + "https://snyk.io/research/zip-slip-vulnerability", + "https://snyk.io/vuln/npm:adm-zip:20180415" + ] + }, + { + "summary": "Improper Privilege Management in shelljs", + "severity": "Medium", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N59", + "references": [ + "https://github.com/advisories/GHSA-64g7-mvw6-v9qj", + "- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj" + ] + }, + { + "summary": "Improper Privilege Management in shelljs", + "severity": "Medium", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N60", + "references": [ + "https://github.com/advisories/GHSA-64g7-mvw6-v9qj", + "- 
https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-0144", + "cvss_v2_score": "3.6", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:P", + "cvss_v3_score": "7.1", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" + } + ], + "summary": "shelljs is vulnerable to Improper Privilege Management", + "severity": "High", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-194227", + "references": [ + "https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c", + "https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c" + ], + "extended_information": { + "short_description": "Permissive file permissions in shelljs may lead to sensitive data leakage by local attackers.", + "full_description": "[ShellJS](https://www.npmjs.com/package/shelljs) is a portable (Windows/Linux/OS X) implementation of Unix shell commands on top of the Node.js API.\r\n\r\nArbitrary shell commands can be run with ShellJS's `shell.exec` API.\r\nShellJS creates temporary files for the executed command's outputs (stdout and stderr).\r\nSince the permissions for the generated stdout and stderr files is **world-readable**, local attackers may be able to read the outputs of commands run by other users, and leak sensitive data.\r\n\r\nFor example, if a user uses `shell.exec` to generate a secret key -\r\n```js\r\nvar shell = require('shelljs');\r\nvar secret = shell.exec(\"openssl rand -base64 32\").stdout;\r\n```\r\nA local attacker could read the temporary stdout file 
to get the user's secret key -\r\n```js\r\nwhile true; do cat /tmp/*; done\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "The vulnerability simply requires attackers to read the `/tmp` directory" + }, + { + "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", + "description": "The attacker must be running code on the system, to read the `/tmp` directory", + "is_positive": true + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "The security impact of this issue depends on what kind of data gets leaked by the local attacker. In the worst case, the leaked data would allow privilege escalation or remote code execution on other machines.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "One of the system's user must run a command with a sensitive data output, for example - `var secret = shell.exec(\"openssl rand -base64 32\");`", + "is_positive": true + }, + { + "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", + "description": "`shell.exec` is highly likely to be called when the `ShellJS` package is in use" + } + ] + } + } + ], + "component_id": "root", + "package_type": "Generic", + "status": "completed" + } +] From 959189046cdf9b37fb645c501bc6fddcf6b7bfc3 Mon Sep 17 00:00:00 2001 
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Sat, 18 Nov 2023 16:20:33 -0500
Subject: [PATCH 06/31] Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 .../parsers/file/jfrog_xray_on_demand_binary_scan.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
index d34f88fdf2a..f49bf7132d5 100644
--- a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
+++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
@@ -1,5 +1,5 @@
 ---
-title: "Jfrog xray on demand binary Scan"
+title: "JFrog Xray On Demand Binary Scan"
 toc_hide: true
 ---
 Import the JSON format for the \"Jfrog xray on demand binary Scan\" file. Use this importer for Xray version 2.X

From 5c1036648ce43f37b6a7c02930df8876724f5588 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Sat, 18 Nov 2023 16:20:48 -0500
Subject: [PATCH 07/31] Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 .../parsers/file/jfrog_xray_on_demand_binary_scan.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
index f49bf7132d5..f3a2a92bf2a 100644
--- a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
+++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
@@ -2,7 +2,7 @@
 title: "JFrog Xray On Demand Binary Scan"
 toc_hide: true
 ---
-Import the JSON format for the \"Jfrog xray on demand binary Scan\" file. Use this importer for Xray version 2.X
+Import the JSON format for the \"JFrog Xray On Demand Binary Scan\" file. Use this importer for Xray version 2.X
 --
 jfron file documentation
 
From 7a139f345ebceb83d4e5a0438a37cf87f620a0ba Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Sat, 18 Nov 2023 16:20:59 -0500
Subject: [PATCH 08/31] Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 .../parsers/file/jfrog_xray_on_demand_binary_scan.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
index f3a2a92bf2a..c95e57793d2 100644
--- a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
+++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
@@ -4,6 +4,6 @@ toc_hide: true
 ---
 Import the JSON format for the \"JFrog Xray On Demand Binary Scan\" file. Use this importer for Xray version 2.X
 --
- jfron file documentation
+ JFrog file documentation:
 
 https://jfrog.com/help/r/jfrog-cli/on-demand-binary-scan

From 2f01430140cb07de1804271c571614fcf2d05562 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Sat, 18 Nov 2023 16:21:10 -0500
Subject: [PATCH 09/31] Update dojo/settings/settings.dist.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 dojo/settings/settings.dist.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index d9b108fbfdf..d94f2dade65 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1223,7 +1223,7 @@ def saml2_attrib_map_format(dict):
 'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'],
 'SpotBugs Scan': ['cwe', 'severity', 'file_path', 'line'],
 'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version'],
- 'Jfrog Xray On Demand Binary Scan': ["title", "description", "component_name", "component_version"],
+ 'JFrog Xray On Demand Binary Scan': ["title", "description", "component_name", "component_version"],
 'Scout Suite Scan': ['file_path', 'vuln_id_from_tool'], # for now we use file_path as there is no attribute for "service"
 'AWS Security Hub Scan': ['unique_id_from_tool'],
 'Meterian Scan': ['cwe', 'component_name', 'component_version', 'description', 'severity'],

From 3ba1a156b82969c4fd8ed73985b678b913fda9b7 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Sat, 18 Nov 2023 16:21:24 -0500
Subject: [PATCH 10/31] Update dojo/settings/settings.dist.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 dojo/settings/settings.dist.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index d94f2dade65..fafd7c1c506 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1416,7 +1416,7 @@ def saml2_attrib_map_format(dict):
 'Checkov Scan': DEDUPE_ALGO_HASH_CODE,
 'SpotBugs Scan': DEDUPE_ALGO_HASH_CODE,
 'JFrog Xray Unified Scan': DEDUPE_ALGO_HASH_CODE,
- 'Jfrog Xray On Demand Binary Scan': DEDUPE_ALGO_HASH_CODE,
+ 'JFrog Xray On Demand Binary Scan': DEDUPE_ALGO_HASH_CODE,
 'Scout Suite Scan': DEDUPE_ALGO_HASH_CODE,
 'AWS Security Hub Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
 'Meterian Scan': DEDUPE_ALGO_HASH_CODE,

From 8b7c29c942ebcc1cc5a0aa9012b8d149769f5aa0 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Sat, 18 Nov 2023 16:21:35 -0500
Subject: [PATCH 11/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index 39406c665e7..796b2ec9838 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -10,7 +10,7 @@ class JfrogXrayOnDemandBinaryScanParser(object):
 """jfrog_xray_scan JSON reports"""
 
 def get_scan_types(self):
- return ["Jfrog Xray On Demand Binary Scan"]
+ return ["JFrog Xray On Demand Binary Scan"]
 
 def get_label_for_scan_types(self, scan_type):
 return scan_type

From 8bd9320090e157b6ba3a1f9e372d61ff080f1c75 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Sat, 18 Nov 2023 16:21:48 -0500
Subject: [PATCH 12/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py

Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
---
 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index 796b2ec9838..f91f3962e44 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -90,7 +90,7 @@ def get_severity_justification(vulnerability): severity_desc = "**full description**\n" severity_desc += extended_information["full_description"] + "\n" if "jfrog_research_severity" in extended_information: - severity_desc = "**jfrog research severity**\n" + severity_desc = "**JFrog research severity**\n" severity_desc += extended_information["jfrog_research_severity"] + "\n" if "jfrog_research_severity_reasons" in extended_information: severity_desc = "**jfrog research severity reasons**\n" From 165084abeb58dca2e6cc0d37e597ff687b8cb03d Mon Sep 17 00:00:00 2001 From: renejal <40049733+renejal@users.noreply.github.com> Date: Sat, 18 Nov 2023 16:22:03 -0500 Subject: [PATCH 13/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index f91f3962e44..8e0dc4fa862 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -93,7 +93,7 @@ def get_severity_justification(vulnerability): severity_desc = "**JFrog research severity**\n" severity_desc += extended_information["jfrog_research_severity"] + "\n" if "jfrog_research_severity_reasons" in extended_information: - severity_desc = "**jfrog research severity reasons**\n" + severity_desc = "**JFrog research severity reasons**\n" for item in extended_information["jfrog_research_severity_reasons"]: severity_desc += item["name"] + "\n" if item.get("name") else "" severity_desc += item["description"] + "\n" if item.get("description") else "" From f9419a97bd14307095dd23adb2bb32e79f5c4ce7 Mon Sep 17 00:00:00 2001 
From: renejal <40049733+renejal@users.noreply.github.com> Date: Sat, 18 Nov 2023 16:22:11 -0500 Subject: [PATCH 14/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index 8e0dc4fa862..ada0a02f39c 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -87,7 +87,7 @@ def get_severity_justification(vulnerability): severity_desc = "**short description**\n" severity_desc += extended_information["short_description"] + "\n" if "full_description" in extended_information: - severity_desc = "**full description**\n" + severity_desc = "**Full description**\n" severity_desc += extended_information["full_description"] + "\n" if "jfrog_research_severity" in extended_information: severity_desc = "**JFrog research severity**\n" From adde8282127497852990df183d7c7474c567b99b Mon Sep 17 00:00:00 2001 From: renejal <40049733+renejal@users.noreply.github.com> Date: Sat, 18 Nov 2023 16:22:19 -0500 Subject: [PATCH 15/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index ada0a02f39c..daefe1c278a 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py 
@@ -84,7 +84,7 @@ def get_severity_justification(vulnerability): if extended_information: remediation += get_remediation(extended_information) if "short_description" in extended_information: - severity_desc = "**short description**\n" + severity_desc = "**Short description**\n" severity_desc += extended_information["short_description"] + "\n" if "full_description" in extended_information: severity_desc = "**Full description**\n" From c186480d60aeb259fb1fa0c8a440ce6d6bef0650 Mon Sep 17 00:00:00 2001 From: renejal <40049733+renejal@users.noreply.github.com> Date: Sat, 18 Nov 2023 16:26:14 -0500 Subject: [PATCH 16/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index daefe1c278a..48086c63fe1 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -132,9 +132,9 @@ def get_version_vulnerability(vulnerability): return "None" -def get_provider(vulnerabiity): - if "component_versions" in vulnerabiity: - provider = vulnerabiity.get("component_versions").get("more_details").get("provider") +def get_provider(vulnerability): + if "component_versions" in vulnerability: + provider = vulnerability.get("component_versions").get("more_details").get("provider") if provider: provider += f"\n**Provider:** {provider}" return provider From 56f1ec94cdf74b434117402e0dfe1f67fae62296 Mon Sep 17 00:00:00 2001 From: renejal <40049733+renejal@users.noreply.github.com> Date: Sat, 18 Nov 2023 16:26:51 -0500 Subject: [PATCH 17/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 1 - 1 file changed, 1 deletion(-) 
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index 48086c63fe1..e681df81d9f 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -205,7 +205,6 @@ def get_item(vulnerability, test): finding = Finding( title=title, cwe=cwe, - test=test, severity_justification=severity_justification, severity=severity, description=(vulnerability["summary"] + extra_desc).strip(), From 24711066893ab965dd5a7703e53caf2c108ca4a5 Mon Sep 17 00:00:00 2001 From: Tomas Kubla Date: Mon, 20 Nov 2023 18:46:27 +0100 Subject: [PATCH 18/31] First round of Improvements --- .../parser.py | 63 +++++++++++-------- ...jfrog_xray_on_demand_binary_scan_parser.py | 14 +++++ 2 files changed, 52 insertions(+), 25 deletions(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index e681df81d9f..ce9080498b5 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -32,9 +32,9 @@ def get_items(self, tree, test): item = get_item(node, test) title_cve = "No CVE" - if "cves" in tree: - if "cve" in tree["cves"][0]: - title_cve = tree["cve"] + if "cves" in node: + if "cve" in node["cves"][0]: + title_cve = node["cves"][0]["cve"] unique_key = node.get("issue_id", "") + node.get("summary", "") + title_cve items[unique_key] = item @@ -49,7 +49,7 @@ def decode_cwe_number(value): return int(match[0].rsplit("-")[1]) -def get_servery(vulnerability): +def get_severity(vulnerability): if "severity" in vulnerability: if vulnerability["severity"] == "Unknown": severity = "Info" @@ -66,7 +66,11 @@ def get_references(vulnerability): references = vulnerability["references"] for reference in references: ref += reference + "\n" - return ref + if ref: + return ref + else: + return None + def get_remediation(extended_information): 
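Review bot: `node["cves"][0]` in the new title_cve lookup raises IndexError when a report entry carries an empty `cves` list, so one such vulnerability aborts the whole import; the `"cves" in node` check proves the key exists, not that the list has an element. A guard such as `if node.get("cves") and "cve" in node["cves"][0]:` keeps the "No CVE" fallback for that case. The same lookup is carried into the get_items hunk of PATCH 20 below. The def line of get_items is outside this hunk.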
@@ -97,37 +101,39 @@ def get_severity_justification(vulnerability): for item in extended_information["jfrog_research_severity_reasons"]: severity_desc += item["name"] + "\n" if item.get("name") else "" severity_desc += item["description"] + "\n" if item.get("description") else "" + severity_desc += "Is positive: " + str(item["is_positive"]) + "\n" if item.get("is_positive") else "" return severity_desc, remediation def get_component(vulnerability): mitigation = "" - gav = "" + package = "" impact = "**Impact paths**\n" if "components" in vulnerability: components = vulnerability["components"] - gav = next(iter(components)) - component = components[gav] + package = next(iter(components)) + component = components[package] fixed_versions = component.get("fixed_versions") if fixed_versions: - mitigation = "**Versions containing a fix:**\n" - mitigation = mitigation + "\n".join(fixed_versions) + mitigation = "**Versions containing a fix:**\n- " + mitigation = mitigation + "\n- ".join(fixed_versions) if "impact_paths" in component: - impact_paths = component["impact_paths"][0] - for item in impact_paths: - if "component_id" in item: - component_id = item["component_id"] - impact = impact + "\n" + component_id - if "full_path" in item: - full_path = item["full_path"] - impact = impact + "\n" + full_path - return gav, mitigation, impact + impact_paths_l1 = component["impact_paths"] + for impact_paths_l2 in impact_paths_l1: + for item in impact_paths_l2: + if "component_id" in item: + component_id = item["component_id"] + impact = impact + "\n" + component_id + if "full_path" in item: + full_path = item["full_path"] + impact = impact + "\n" + full_path + return package, mitigation, impact def get_version_vulnerability(vulnerability): if "vulnerable_versions" in vulnerability["component_versions"]: - extra_desc = "\n**Versions that are vulnerable:**\n" - extra_desc += "\n".join(vulnerability["component_versions"]["vulnerable_versions"]) + extra_desc = "\n**Versions that are 
vulnerable:**\n- " + extra_desc += "\n- ".join(vulnerability["component_versions"]["vulnerable_versions"]) return extra_desc return "None" @@ -153,11 +159,17 @@ def get_cve(vulnerability): return cves return [] +def get_vuln_id_from_tool(vulnerability): + if "issue_id" in vulnerability: + return vulnerability["issue_id"] + return None + def get_item(vulnerability, test): severity_justification, remediation = get_severity_justification(vulnerability) - severity = get_servery(vulnerability) + severity = get_severity(vulnerability) references = get_references(vulnerability) + vuln_id_from_tool = get_vuln_id_from_tool(vulnerability) vulnerability_ids = list() cwe = None cvssv3 = None @@ -172,10 +184,10 @@ def get_item(vulnerability, test): # take only the first one for now, limitation of DD model. if len(cves[0].get("cwe", [])) > 0: cwe = decode_cwe_number(cves[0].get("cwe", [])[0]) - if "cvss_v3" in cves[0]: - cvss_v3 = cves[0]["cvss_v3"] + if "cvss_v3_vector" in cves[0]: + cvss_v3 = cves[0]["cvss_v3_vector"] # this dedicated package will clean the vector - cvssv3 = CVSS3.from_rh_vector(cvss_v3).clean_vector() + cvssv3 = CVSS3(cvss_v3).clean_vector() extra_desc += get_provider(vulnerability) component_name, mitigation, impact = get_component(vulnerability) @@ -217,6 +229,7 @@ def get_item(vulnerability, test): static_finding=True, dynamic_finding=False, cvssv3=cvssv3, + vuln_id_from_tool=vuln_id_from_tool, ) if vulnerability_ids: finding.unsaved_vulnerability_ids = vulnerability_ids diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py index 4959c2481c8..25e7543cd4d 100644 --- a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py +++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py 
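Review bot: The new `Is positive:` line in get_severity_justification is silently dropped for every negative reason, because `item.get("is_positive")` is falsy for a boolean false and the conditional expression then appends "". A presence test reports both values: `severity_desc += "Is positive: " + str(item["is_positive"]) + "\n" if "is_positive" in item else ""`. PATCH 21 restyles this line but keeps the same `item.get("is_positive")` test. get_severity_justification starts outside the hunk.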
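Review bot: `cvssv3 = CVSS3(cvss_v3).clean_vector()` is unguarded, so a single malformed `cvss_v3_vector` string in the report raises out of get_item and fails the whole upload; if CVSS3 here is the cvss package's class, that error is a CVSS3MalformedError (a CVSSError subclass). Wrap the parse, `try: cvssv3 = CVSS3(cvss_v3).clean_vector()` / `except CVSSError: cvssv3 = None`, and log the offending vector so the data problem stays visible without blocking the import. The `cves[0]` on the preceding line is likewise only safe if a check outside the hunk ensures `cves` is non-empty. get_item's body continues outside the hunk.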
@@ -31,3 +31,17 @@ def test_decode_cwe_number(self): self.assertEqual(0, decode_cwe_number("")) with self.subTest(val="cwe-1"): self.assertEqual(1, decode_cwe_number("cwe-1")) + + def test_parse_file_with_many_vulns_docker(self): + testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json") + parser = JfrogXrayOnDemandBinaryScanParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + self.assertEqual(2, len(findings)) + + def test_parse_file_with_many_vulns_pypi(self): + testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json") + parser = JfrogXrayOnDemandBinaryScanParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + self.assertEqual(84, len(findings)) From b257771df8ff6fe2154983962dcb63a00076edb2 Mon Sep 17 00:00:00 2001 From: Tomas Kubla Date: Mon, 20 Nov 2023 19:17:52 +0100 Subject: [PATCH 19/31] Drop duplicates in component_id and full_path --- .../jfrog_xray_on_demand_binary_scan/parser.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index ce9080498b5..20f199c2127 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py 
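Review bot: Both new tests open the fixture with a bare `open()` and close it by hand, so an assertion failure between the two leaves the handle open and the run ends with a ResourceWarning; a context manager is the idiom here, `with open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json") as testfile:` with the parser call and assertion indented under it. The same shape is repeated in the test hunk of PATCH 22 further down. The test class header is outside the hunk.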
@@ -108,31 +108,32 @@ def get_severity_justification(vulnerability): def get_component(vulnerability): mitigation = "" package = "" - impact = "**Impact paths**\n" + impact = "**Impact paths**\n\n- " if "components" in vulnerability: components = vulnerability["components"] package = next(iter(components)) component = components[package] fixed_versions = component.get("fixed_versions") if fixed_versions: - mitigation = "**Versions containing a fix:**\n- " + mitigation = "**Versions containing a fix:**\n\n- " mitigation = mitigation + "\n- ".join(fixed_versions) if "impact_paths" in component: + refs = [] impact_paths_l1 = component["impact_paths"] for impact_paths_l2 in impact_paths_l1: for item in impact_paths_l2: if "component_id" in item: - component_id = item["component_id"] - impact = impact + "\n" + component_id + refs.append(item["component_id"]) if "full_path" in item: - full_path = item["full_path"] - impact = impact + "\n" + full_path + refs.append(item["full_path"]) + if refs: + impact += "\n- ".join(sorted(set(refs))) return package, mitigation, impact def get_version_vulnerability(vulnerability): if "vulnerable_versions" in vulnerability["component_versions"]: - extra_desc = "\n**Versions that are vulnerable:**\n- " + extra_desc = "\n**Versions that are vulnerable:**\n\n- " extra_desc += "\n- ".join(vulnerability["component_versions"]["vulnerable_versions"]) return extra_desc return "None" From 0dc2ea7e9f74e28748c348d884cfaa03b057b267 Mon Sep 17 00:00:00 2001 From: Tomas Kubla Date: Mon, 20 Nov 2023 20:12:01 +0100 Subject: [PATCH 20/31] Process per component --- .../parser.py | 150 +++++++++--------- 1 file changed, 75 insertions(+), 75 deletions(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index 20f199c2127..5d99486ff27 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py 
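Review bot: `impact = "**Impact paths**\n\n- "` is now built before it is known whether any path exists, so a component without `impact_paths`, or with none carrying `component_id`/`full_path`, gets an impact field that ends in a heading followed by an empty bullet. Start with `impact = ""` and add the heading together with the list inside the `if refs:` branch, `impact = "**Impact paths**\n\n- " + "\n- ".join(sorted(set(refs)))`. PATCH 20 moves this code into process_component unchanged.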
@@ -20,24 +20,25 @@ def get_description_for_scan_types(self, scan_type): def get_findings(self, json_output, test): tree = json.load(json_output) - return self.get_items(tree, test) + return self.get_items(tree) - def get_items(self, tree, test): + def get_items(self, tree): items = {} for data in tree: if "vulnerabilities" in data: vulnerability_tree = data["vulnerabilities"] for node in vulnerability_tree: - item = get_item(node, test) + item_set = get_item_set(node) - title_cve = "No CVE" - if "cves" in node: - if "cve" in node["cves"][0]: - title_cve = node["cves"][0]["cve"] + for item in item_set: + title_cve = "No CVE" + if "cves" in node: + if "cve" in node["cves"][0]: + title_cve = node["cves"][0]["cve"] - unique_key = node.get("issue_id", "") + node.get("summary", "") + title_cve - items[unique_key] = item + unique_key = item.title + node.get("issue_id", "") + node.get("summary", "") + title_cve + items[unique_key] = item return list(items.values()) 
@@ -105,30 +106,25 @@ def get_severity_justification(vulnerability): return severity_desc, remediation -def get_component(vulnerability): +def process_component(component): mitigation = "" - package = "" impact = "**Impact paths**\n\n- " - if "components" in vulnerability: - components = vulnerability["components"] - package = next(iter(components)) - component = components[package] - fixed_versions = component.get("fixed_versions") - if fixed_versions: - mitigation = "**Versions containing a fix:**\n\n- " - mitigation = mitigation + "\n- ".join(fixed_versions) - if "impact_paths" in component: - refs = [] - impact_paths_l1 = component["impact_paths"] - for impact_paths_l2 in impact_paths_l1: - for item in impact_paths_l2: - if "component_id" in item: - refs.append(item["component_id"]) - if "full_path" in item: - refs.append(item["full_path"]) - if refs: - impact += "\n- ".join(sorted(set(refs))) - return package, mitigation, impact + fixed_versions = component.get("fixed_versions") + if fixed_versions: + mitigation = "**Versions containing a fix:**\n\n- " + mitigation = mitigation + "\n- ".join(fixed_versions) + if "impact_paths" in component: + refs = [] + impact_paths_l1 = component["impact_paths"] + for impact_paths_l2 in impact_paths_l1: + for item in impact_paths_l2: + if "component_id" in item: + refs.append(item["component_id"]) + if "full_path" in item: + refs.append(item["full_path"]) + if refs: + impact += "\n- ".join(sorted(set(refs))) + return mitigation, impact def get_version_vulnerability(vulnerability): @@ -166,7 +162,9 @@ def get_vuln_id_from_tool(vulnerability): return None -def get_item(vulnerability, test): +def get_item_set(vulnerability): + item_set = [] + severity_justification, remediation = get_severity_justification(vulnerability) severity = get_severity(vulnerability) references = get_references(vulnerability) 
@@ -191,47 +189,49 @@ def get_item(vulnerability, test): cvssv3 = CVSS3(cvss_v3).clean_vector() extra_desc += get_provider(vulnerability) - component_name, mitigation, impact = get_component(vulnerability) - component_version = get_ext(vulnerability) - - # The 'id' field is empty? (at least in my sample file) - if vulnerability_ids: - if vulnerability.get("id"): - title = ( - vulnerability["id"] - + " - " - + str(vulnerability_ids[0]) - + " - " - + component_name - + ":" - + component_version - ) - else: - title = str(vulnerability_ids[0]) + " - " + component_name + ":" + component_version - else: - if vulnerability.get("id"): - title = vulnerability["id"] + " - " + component_name + ":" + component_version + for component_name, component in vulnerability.get("components", {}).items(): + mitigation, impact = process_component(component) + component_version = get_ext(vulnerability) + + # The 'id' field is empty? (at least in my sample file) + if vulnerability_ids: + if vulnerability.get("id"): + title = ( + vulnerability["id"] + + " - " + + str(vulnerability_ids[0]) + + " - " + + component_name + + ":" + + component_version + ) + else: + title = str(vulnerability_ids[0]) + " - " + component_name + ":" + component_version else: - title = "No CVE - " + component_name + ":" + component_version - - # create the finding object - finding = Finding( - title=title, - cwe=cwe, - severity_justification=severity_justification, - severity=severity, - description=(vulnerability["summary"] + extra_desc).strip(), - mitigation=mitigation + remediation, - component_name=component_name, - component_version=component_version, - impact=impact, - references=references, - file_path=vulnerability.get("source_comp_id"), - static_finding=True, - dynamic_finding=False, - cvssv3=cvssv3, - vuln_id_from_tool=vuln_id_from_tool, - ) - if vulnerability_ids: - finding.unsaved_vulnerability_ids = vulnerability_ids - return finding + if vulnerability.get("id"): + title = vulnerability["id"] + " - " + 
component_name + ":" + component_version + else: + title = "No CVE - " + component_name + ":" + component_version + + # create the finding object + finding = Finding( + title=title, + cwe=cwe, + severity_justification=severity_justification, + severity=severity, + description=(vulnerability["summary"] + extra_desc).strip(), + mitigation=mitigation + remediation, + component_name=component_name, + component_version=component_version, + impact=impact, + references=references, + file_path=vulnerability.get("source_comp_id"), + static_finding=True, + dynamic_finding=False, + cvssv3=cvssv3, + vuln_id_from_tool=vuln_id_from_tool, + ) + if vulnerability_ids: + finding.unsaved_vulnerability_ids = vulnerability_ids + item_set.append(finding) + return item_set From 241e29d5439024eea4ae522bcfbbc95358ac6683 Mon Sep 17 00:00:00 2001 From: Tomas Kubla Date: Mon, 20 Nov 2023 20:12:49 +0100 Subject: [PATCH 21/31] Visual improvements --- .../parser.py | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index 5d99486ff27..c7f04c00b43 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -62,12 +62,14 @@ def get_severity(vulnerability): def get_references(vulnerability): - ref = "" if "references" in vulnerability: + ref = "" references = vulnerability["references"] for reference in references: - ref += reference + "\n" - if ref: + if reference[:2] == "- ": + ref += reference + "\n" + else: + ref += "- " + reference + "\n" return ref else: return None @@ -77,7 +79,7 @@ def get_references(vulnerability): def get_remediation(extended_information): remediation = "" if "remediation" in extended_information: - remediation = "\n**Remediation**\n" + remediation = "\n\n**Remediation**\n" remediation += extended_information["remediation"] + "\n" return remediation 
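Review bot: Moving the Finding construction inside `for component_name, component in vulnerability.get("components", {}).items()` means a vulnerability whose `components` mapping is missing or empty now produces no finding at all, and nothing records that it was skipped, whereas the previous version still emitted one finding per vulnerability. If that is intended, a guard before the loop that logs the skipped `issue_id` makes the loss visible; otherwise fall back to a single finding with empty component fields. `component_version = get_ext(vulnerability)` does not depend on the loop variable and can be hoisted above the loop. PATCH 22 keeps the same loop shape. get_item_set starts outside the hunk.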
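Review bot: get_references now returns `""` when the `references` key is present but the list is empty, while the absent-key path still returns None, so the Finding gets two different "no references" values depending on the report; `return ref or None` at the end of the branch restores a single value. `reference[:2] == "- "` reads better as `reference.startswith("- ")`, and since every entry ends up prefixed the loop can become a single join over the list.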
@@ -89,20 +91,20 @@ def get_severity_justification(vulnerability): if extended_information: remediation += get_remediation(extended_information) if "short_description" in extended_information: - severity_desc = "**Short description**\n" + severity_desc += "**Short description**\n" severity_desc += extended_information["short_description"] + "\n" if "full_description" in extended_information: - severity_desc = "**Full description**\n" + severity_desc += "**Full description**\n" severity_desc += extended_information["full_description"] + "\n" if "jfrog_research_severity" in extended_information: - severity_desc = "**JFrog research severity**\n" + severity_desc += "**JFrog research severity**\n" severity_desc += extended_information["jfrog_research_severity"] + "\n" if "jfrog_research_severity_reasons" in extended_information: - severity_desc = "**JFrog research severity reasons**\n" + severity_desc += "**JFrog research severity reasons**\n" for item in extended_information["jfrog_research_severity_reasons"]: severity_desc += item["name"] + "\n" if item.get("name") else "" severity_desc += item["description"] + "\n" if item.get("description") else "" - severity_desc += "Is positive: " + str(item["is_positive"]) + "\n" if item.get("is_positive") else "" + severity_desc += "_Is positive:_ " + str(item["is_positive"]).lower() + "\n" if item.get("is_positive") else "" return severity_desc, remediation From ce105330d9fd55d99688ad580efb07381e59ceda Mon Sep 17 00:00:00 2001 From: Tomas Kubla Date: Mon, 20 Nov 2023 21:44:14 +0100 Subject: [PATCH 22/31] Use+clean summary in Title, fix dedup, parse version, drop useless functions --- dojo/settings/settings.dist.py | 2 +- .../parser.py | 79 ++++--------------- ...jfrog_xray_on_demand_binary_scan_parser.py | 34 +++++--- 3 files changed, 42 insertions(+), 73 deletions(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index fafd7c1c506..c4cb4f63d94 100644 --- a/dojo/settings/settings.dist.py 
+++ b/dojo/settings/settings.dist.py @@ -1223,7 +1223,7 @@ def saml2_attrib_map_format(dict): 'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'], 'SpotBugs Scan': ['cwe', 'severity', 'file_path', 'line'], 'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version'], - 'JFrog Xray On Demand Binary Scan': ["title", "description", "component_name", "component_version"], + 'JFrog Xray On Demand Binary Scan': ["title", "component_name", "component_version"], 'Scout Suite Scan': ['file_path', 'vuln_id_from_tool'], # for now we use file_path as there is no attribute for "service" 'AWS Security Hub Scan': ['unique_id_from_tool'], 'Meterian Scan': ['cwe', 'component_name', 'component_version', 'description', 'severity'], diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index c7f04c00b43..97b41e656bf 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -32,22 +32,17 @@ def get_items(self, tree): item_set = get_item_set(node) for item in item_set: - title_cve = "No CVE" - if "cves" in node: - if "cve" in node["cves"][0]: - title_cve = node["cves"][0]["cve"] - - unique_key = item.title + node.get("issue_id", "") + node.get("summary", "") + title_cve + unique_key = item.title + item.component_name + item.component_version items[unique_key] = item return list(items.values()) -def decode_cwe_number(value): - match = re.match(r"CWE-\d+", value, re.IGNORECASE) +def get_component_name_version(name): + match = re.match(r"([a-z]+://[a-z\d\.:]+):([a-z\d\.\-]+)", name, re.IGNORECASE) if match is None: - return 0 - return int(match[0].rsplit("-")[1]) + return name, "" + return match[1], match[2] def get_severity(vulnerability): 
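Review bot: With `description` removed, the hash code for this scan type is built from title, component_name and component_version only, and since this same patch makes the title the cleaned `summary` text, two distinct issues in the same component version whose summaries share a first line will hash identically and be deduplicated into one finding. The sibling entry `'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version']` keys on the CVE instead; adding `"vulnerability_ids"` here (the parser already sets `unsaved_vulnerability_ids`) keeps separate CVEs apart. The `unique_key` built in get_items in the parser hunk that follows has the same collision.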
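Review bot: The regex in get_component_name_version only allows `[a-z\d\.:]` in the name part, so any package id containing `-`, `_`, `/` or `@` (common in pypi, npm and distro identifiers; a constructed example is `pypi://python-dateutil:2.8.2`) fails to match and comes back as `(name, "")` with the version still glued to the name, which then feeds the title and the dedup key. The unit tests added later in this series cover none of those shapes. Splitting on the last `:` after the scheme separator handles every case in those tests without a character whitelist. get_items' body above this hunk is cut off.
```python
def get_component_name_version(name):
    _, scheme_sep, rest = name.partition("://")
    if not scheme_sep or ":" not in rest:
        return name, ""
    component, version = name.rsplit(":", 1)
    return component, version
```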
@@ -75,7 +70,6 @@ def get_references(vulnerability): return None - def get_remediation(extended_information): remediation = "" if "remediation" in extended_information: @@ -125,45 +119,31 @@ def process_component(component): if "full_path" in item: refs.append(item["full_path"]) if refs: - impact += "\n- ".join(sorted(set(refs))) + impact += "\n- ".join(sorted(set(refs))) # deduplication return mitigation, impact -def get_version_vulnerability(vulnerability): - if "vulnerable_versions" in vulnerability["component_versions"]: - extra_desc = "\n**Versions that are vulnerable:**\n\n- " - extra_desc += "\n- ".join(vulnerability["component_versions"]["vulnerable_versions"]) - return extra_desc - return "None" - - -def get_provider(vulnerability): - if "component_versions" in vulnerability: - provider = vulnerability.get("component_versions").get("more_details").get("provider") - if provider: - provider += f"\n**Provider:** {provider}" - return provider - return "" - - -def get_ext(vulnerability): - if "EXT" in vulnerability: - return vulnerability["EXT"] - return "" - - def get_cve(vulnerability): if "cves" in vulnerability: cves = vulnerability["cves"] return cves return [] + def get_vuln_id_from_tool(vulnerability): if "issue_id" in vulnerability: return vulnerability["issue_id"] return None +def clean_title(title): + if title.startswith("Issue summary: "): + title = title[len("Issue summary: "):] + if '\n' in title: + title = title[:title.index('\n')] + return title + + def get_item_set(vulnerability): item_set = [] @@ -172,7 +152,6 @@ def get_item_set(vulnerability): references = get_references(vulnerability) vuln_id_from_tool = get_vuln_id_from_tool(vulnerability) vulnerability_ids = list() - cwe = None cvssv3 = None cvss_v3 = "No CVSS v3 score." extra_desc = "" 
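Review bot: In clean_title the `if '\n' in title: title = title[:title.index('\n')]` pair is a hand-rolled `title = title.partition("\n")[0]`, which also covers the no-newline case in one call. The `startswith` check followed by a slice with a repeated literal can be written once, `prefix = "Issue summary: "` then `title = title[len(prefix):]`, so the two strings cannot drift apart. The deleted helpers in this hunk are history; the point concerns only the new function.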
@@ -182,43 +161,19 @@ def get_item_set(vulnerability): for item in cves: if item.get("cve"): vulnerability_ids.append(item.get("cve")) - # take only the first one for now, limitation of DD model. - if len(cves[0].get("cwe", [])) > 0: - cwe = decode_cwe_number(cves[0].get("cwe", [])[0]) if "cvss_v3_vector" in cves[0]: cvss_v3 = cves[0]["cvss_v3_vector"] # this dedicated package will clean the vector cvssv3 = CVSS3(cvss_v3).clean_vector() - extra_desc += get_provider(vulnerability) for component_name, component in vulnerability.get("components", {}).items(): + component_name, component_version = get_component_name_version(component_name) mitigation, impact = process_component(component) - component_version = get_ext(vulnerability) - - # The 'id' field is empty? (at least in my sample file) - if vulnerability_ids: - if vulnerability.get("id"): - title = ( - vulnerability["id"] - + " - " - + str(vulnerability_ids[0]) - + " - " - + component_name - + ":" - + component_version - ) - else: - title = str(vulnerability_ids[0]) + " - " + component_name + ":" + component_version - else: - if vulnerability.get("id"): - title = vulnerability["id"] + " - " + component_name + ":" + component_version - else: - title = "No CVE - " + component_name + ":" + component_version + title = clean_title(vulnerability["summary"]) # create the finding object finding = Finding( title=title, - cwe=cwe, severity_justification=severity_justification, severity=severity, description=(vulnerability["summary"] + extra_desc).strip(), diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py index 25e7543cd4d..dcafcccb0b0 100644 --- a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py +++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py 
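Review bot: Removing the `cwe` computation drops a value the report actually carries (`cves[0].get("cwe")` was read on the deleted lines), so findings lose their CWE classification and nothing else in the series replaces it; if decode_cwe_number went because of its first-CVE-only limitation, keeping that first CWE is still more useful than None. Separately, `clean_title(vulnerability["summary"])` and the description line both index `summary` directly, so one entry without that key aborts the import; `vulnerability.get("summary", "")` on both keeps the entry. The inner `component_name, component_version = get_component_name_version(component_name)` rebinding the loop variable is confusing to read; a distinct name such as `raw_component` for the loop target makes the split explicit. get_item_set continues outside the hunk.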
@@ -1,7 +1,7 @@ from ..dojo_test_case import DojoTestCase from dojo.models import Test, Finding from dojo.tools.jfrog_xray_on_demand_binary_scan.parser import \ - JfrogXrayOnDemandBinaryScanParser, decode_cwe_number + JfrogXrayOnDemandBinaryScanParser, get_component_name_version, clean_title class TestJfrogXrayOnDemandBinaryScanParser(DojoTestCase): 
@@ -24,24 +24,38 @@ def test_parse_file_with_many_vulns(self): testfile.close() self.assertEqual(3, len(findings)) - def test_decode_cwe_number(self): - with self.subTest(val="CWE-1234"): - self.assertEqual(1234, decode_cwe_number("CWE-1234")) - with self.subTest(val=""): - self.assertEqual(0, decode_cwe_number("")) - with self.subTest(val="cwe-1"): - self.assertEqual(1, decode_cwe_number("cwe-1")) + def test_component_name_version(self): + with self.subTest(""): + self.assertEqual(("", ""), get_component_name_version("")) + with self.subTest("gav://org.yaml:snakeyaml:1.16"): + self.assertEqual(("gav://org.yaml:snakeyaml", "1.16"), get_component_name_version("gav://org.yaml:snakeyaml:1.16")) + with self.subTest("npm://desopmo:1.33.7"): + self.assertEqual(("npm://desopmo", "1.33.7"), get_component_name_version("npm://desopmo:1.33.7")) + with self.subTest("pypi://django:4.1.4"): + self.assertEqual(("pypi://django", "4.1.4"), get_component_name_version("pypi://django:4.1.4")) + with self.subTest("alpine://3.18:libcrypto3:3.1.1-r1"): + self.assertEqual(("alpine://3.18:libcrypto3", "3.1.1-r1"), get_component_name_version("alpine://3.18:libcrypto3:3.1.1-r1")) + with self.subTest("npm://desopmo"): + self.assertEqual(("npm://desopmo", ""), get_component_name_version("npm://desopmo")) + + def test_clean_title(self): + with self.subTest(""): + self.assertEqual("", clean_title("")) + with self.subTest("ABC"): + self.assertEqual("ABC", clean_title("ABC")) + with self.subTest("Garbage"): + self.assertEqual("Processing some specially crafted ASN.1 object identifiers or", clean_title("Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.")) def test_parse_file_with_many_vulns_docker(self): testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json") parser = JfrogXrayOnDemandBinaryScanParser() findings = parser.get_findings(testfile, Test()) testfile.close() - self.assertEqual(2, 
len(findings)) + self.assertEqual(4, len(findings)) def test_parse_file_with_many_vulns_pypi(self): testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json") parser = JfrogXrayOnDemandBinaryScanParser() findings = parser.get_findings(testfile, Test()) testfile.close() - self.assertEqual(84, len(findings)) + self.assertEqual(99, len(findings)) From bcb0eccdf8f3b2cb02582a16527fe639da6227fc Mon Sep 17 00:00:00 2001 From: renejal <40049733+renejal@users.noreply.github.com> Date: Tue, 21 Nov 2023 08:09:38 -0500 Subject: [PATCH 23/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index e681df81d9f..429d755af54 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py @@ -6,7 +6,7 @@ from dojo.models import Finding -class JfrogXrayOnDemandBinaryScanParser(object): +class JFrogXrayOnDemandBinaryScanParser(object): """jfrog_xray_scan JSON reports""" def get_scan_types(self): From 7e03894c5e6520a8256bb54021dfb6089c927fbc Mon Sep 17 00:00:00 2001 From: renejal <40049733+renejal@users.noreply.github.com> Date: Tue, 21 Nov 2023 08:10:00 -0500 Subject: [PATCH 24/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik --- dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py index 429d755af54..1a2614b8d45 100644 --- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py 
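Review bot: test_component_name_version only uses names made of letters, digits and dots, which is exactly the character class the parser's regex accepts, so the whitelist is never exercised; add a case with a hyphen or underscore in the package part (a constructed `pypi://python-dateutil:2.8.2` should give `("pypi://python-dateutil", "2.8.2")`) and one with a scoped npm name so the split is pinned for real-world identifiers. test_clean_title could also pin the prefix-only case, `clean_title("Issue summary: ABC")` giving `"ABC"`, which the current three subtests do not cover. The test class header is outside the hunk.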
@@ -49,7 +49,7 @@ def decode_cwe_number(value):
 return int(match[0].rsplit("-")[1])
-def get_servery(vulnerability):
+def get_severity(vulnerability):
 if "severity" in vulnerability:
 if vulnerability["severity"] == "Unknown":
 severity = "Info"
From 57c2a839daf3a0b2353df590e7d8addb5c88deb5 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Tue, 21 Nov 2023 08:10:10 -0500
Subject: [PATCH 25/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
Co-authored-by: kiblik
---
 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index 1a2614b8d45..e1bf614c4d8 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -110,8 +110,8 @@ def get_component(vulnerability):
 component = components[gav]
 fixed_versions = component.get("fixed_versions")
 if fixed_versions:
- mitigation = "**Versions containing a fix:**\n"
- mitigation = mitigation + "\n".join(fixed_versions)
+ mitigation = "**Versions containing a fix:**\n- "
+ mitigation = mitigation + "\n- ".join(fixed_versions)
 if "impact_paths" in component:
 impact_paths = component["impact_paths"][0]
 for item in impact_paths:
From 65ab4856e9a9146d6d081be2979a8386bf6cede8 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Tue, 21 Nov 2023 08:10:27 -0500
Subject: [PATCH 26/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
Co-authored-by: kiblik
---
 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index e1bf614c4d8..f5fd9bb1bab 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
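Review bot: The context line `impact_paths = component["impact_paths"][0]` just below the changed mitigation lines raises IndexError when a component carries `"impact_paths": []`, which the preceding `in` test does not rule out, so one such entry aborts the import of the whole report. Guard it with `impact_paths = component["impact_paths"][0] if component["impact_paths"] else []`, or iterate over every path rather than only the first, since the later paths are currently discarded. The new bullet join also assumes `fixed_versions` is a list of strings; `"\n- ".join(str(v) for v in fixed_versions)` costs nothing and survives a numeric or nested entry should Xray ever emit one. `get_component` starts and ends outside this hunk.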
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -126,8 +126,8 @@ def get_component(vulnerability):
 def get_version_vulnerability(vulnerability):
 if "vulnerable_versions" in vulnerability["component_versions"]:
- extra_desc = "\n**Versions that are vulnerable:**\n"
- extra_desc += "\n".join(vulnerability["component_versions"]["vulnerable_versions"])
+ extra_desc = "\n**Versions that are vulnerable:**\n- "
+ extra_desc += "\n- ".join(vulnerability["component_versions"]["vulnerable_versions"])
 return extra_desc
 return "None"
From f49f0d178a7487ae72bc97f82098e45cb96eca51 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Tue, 21 Nov 2023 08:11:34 -0500
Subject: [PATCH 27/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
Co-authored-by: kiblik
---
 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index f5fd9bb1bab..f793d3d5ce7 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -156,7 +156,7 @@ def get_cve(vulnerability):
 def get_item(vulnerability, test):
 severity_justification, remediation = get_severity_justification(vulnerability)
- severity = get_servery(vulnerability)
+ severity = get_severity(vulnerability)
 references = get_references(vulnerability)
 vulnerability_ids = list()
 cwe = None
From 73a4ba3c4d380b21e0a1e4512f31c60de5f5b531 Mon Sep 17 00:00:00 2001
From: renejal <40049733+renejal@users.noreply.github.com>
Date: Tue, 21 Nov 2023 08:11:43 -0500
Subject: [PATCH 28/31] Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
Co-authored-by: kiblik
---
 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
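Review bot: On its fall-through path `get_version_vulnerability` still returns the literal string `"None"`, so a caller that appends the result to a description embeds the word None in the finding text instead of adding nothing; return `""` (or `None` and test for it at the call site) instead. The changed lines also index `vulnerability["component_versions"]` unguarded, so a report entry without that key raises KeyError and aborts the import of every other finding; `vulnerability.get("component_versions", {})` keeps the output identical for well-formed entries. The whole function is visible in the hunk; whether its result is still consumed anywhere I cannot tell from here.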
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index f793d3d5ce7..a91c028c3d9 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -172,8 +172,8 @@ def get_item(vulnerability, test):
 # take only the first one for now, limitation of DD model.
 if len(cves[0].get("cwe", [])) > 0:
 cwe = decode_cwe_number(cves[0].get("cwe", [])[0])
- if "cvss_v3" in cves[0]:
- cvss_v3 = cves[0]["cvss_v3"]
+ if "cvss_v3_vector" in cves[0]:
+ cvss_v3 = cves[0]["cvss_v3_vector"]
 # this dedicated package will clean the vector
 cvssv3 = CVSS3.from_rh_vector(cvss_v3).clean_vector()
From c3347afb6d0f27fa7bb7fd41876061a58197dae9 Mon Sep 17 00:00:00 2001
From: renejal
Date: Tue, 21 Nov 2023 16:57:04 -0500
Subject: [PATCH 29/31] fix test rename class
---
 .../test_jfrog_xray_on_demand_binary_scan_parser.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
index dcafcccb0b0..d43aac04f87 100644
--- a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
+++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
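Review bot: `cvssv3 = CVSS3.from_rh_vector(cvss_v3).clean_vector()` on the context line below the renamed key raises the cvss library's malformed-vector exception on any `cvss_v3_vector` it cannot parse, and nothing in the hunk catches it, so a single bad or differently formatted vector in a user-uploaded report aborts the import of every other finding. Wrap that call in `try:` / `except Exception: cvssv3 = None` (narrow it to the library's `CVSS3Error` base if the file imports it) so the finding is still created without a vector. `from_rh_vector` also expects the Red Hat `score/vector` form; if Xray ever emits a bare `CVSS:3.1/...` string the same exception fires, which is one more reason the fallback matters. `get_item` continues outside this hunk.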
@@ -1,14 +1,14 @@
 from ..dojo_test_case import DojoTestCase
 from dojo.models import Test, Finding
 from dojo.tools.jfrog_xray_on_demand_binary_scan.parser import \
- JfrogXrayOnDemandBinaryScanParser, get_component_name_version, clean_title
+ JFrogXrayOnDemandBinaryScanParser, get_component_name_version, clean_title
 class TestJfrogXrayOnDemandBinaryScanParser(DojoTestCase):
 def test_parse_file_with_one_vuln(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(1, len(findings))
@@ -19,7 +19,7 @@ def test_parse_file_with_one_vuln(self):
 def test_parse_file_with_many_vulns(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(3, len(findings))
@@ -48,14 +48,14 @@ def test_clean_title(self):
 def test_parse_file_with_many_vulns_docker(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(4, len(findings))
 def test_parse_file_with_many_vulns_pypi(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(99, len(findings))
From 23b3087aa1f246899489eb85d9571128dc9f26f4 Mon Sep 17 00:00:00 2001
From: Tomas Kubla
Date: Wed, 22 Nov 2023 23:59:35 +0100
Subject: [PATCH 30/31] Last Improvements and tests
---
 .../parser.py | 12 +++----
 ...jfrog_xray_on_demand_binary_scan_parser.py | 36 +++++++++++++++----
 2 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
index 8475857baff..b6901c289c1 100644
--- a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
+++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py
@@ -153,7 +153,6 @@ def get_item_set(vulnerability):
 vulnerability_ids = list()
 cvssv3 = None
 cvss_v3 = "No CVSS v3 score."
- extra_desc = ""
 # Some entries have no CVE entries, despite they exist. Example CVE-2017-1000502.
 cves = get_cve(vulnerability)
 if len(cves) > 0:
@@ -172,15 +171,14 @@ def get_item_set(vulnerability):
 # create the finding object
 finding = Finding(
 title=title,
- severity_justification=severity_justification,
+ severity_justification=severity_justification or None,
 severity=severity,
- description=(vulnerability["summary"] + extra_desc).strip(),
- mitigation=mitigation + remediation,
+ description=(vulnerability["summary"]).strip(),
+ mitigation=(mitigation + remediation) or None,
 component_name=component_name,
 component_version=component_version,
- impact=impact,
- references=references,
- file_path=vulnerability.get("source_comp_id"),
+ impact=impact or None,
+ references=references or None,
 static_finding=True,
 dynamic_finding=False,
 cvssv3=cvssv3,
diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
index dcafcccb0b0..0fd6712f07d 100644
--- a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
+++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
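Review bot: `description=(vulnerability["summary"]).strip()` now dereferences `summary` directly, so a report entry without it raises KeyError and the whole upload fails rather than just that finding; `description=vulnerability.get("summary", "").strip()` keeps the output for well-formed entries. Removing `extra_desc` also means the vulnerable-versions text built by `get_version_vulnerability` no longer reaches the description (whether that helper is still called I cannot see from this hunk), and dropping `file_path=vulnerability.get("source_comp_id")` removes the only location field the finding carried. If both are deliberate, a one-line comment above `finding = Finding(` saying why would save the next reader a search. `get_item_set` starts and ends outside the hunk.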
@@ -1,14 +1,14 @@
 from ..dojo_test_case import DojoTestCase
 from dojo.models import Test, Finding
 from dojo.tools.jfrog_xray_on_demand_binary_scan.parser import \
- JfrogXrayOnDemandBinaryScanParser, get_component_name_version, clean_title
+ JFrogXrayOnDemandBinaryScanParser, get_component_name_version, clean_title
-class TestJfrogXrayOnDemandBinaryScanParser(DojoTestCase):
+class TestJFrogXrayOnDemandBinaryScanParser(DojoTestCase):
 def test_parse_file_with_one_vuln(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(1, len(findings))
@@ -19,7 +19,7 @@ def test_parse_file_with_one_vuln(self):
 def test_parse_file_with_many_vulns(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(3, len(findings))
@@ -48,14 +48,38 @@ def test_clean_title(self):
 def test_parse_file_with_many_vulns_docker(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(4, len(findings))
 def test_parse_file_with_many_vulns_pypi(self):
 testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json")
- parser = JfrogXrayOnDemandBinaryScanParser()
+ parser = JFrogXrayOnDemandBinaryScanParser()
 findings = parser.get_findings(testfile, Test())
 testfile.close()
 self.assertEqual(99, len(findings))
+
+ with self.subTest(finding=0):
+ self.assertIn("sqlparse is a non-validating SQL parser module for Python", findings[0].title)
+ self.assertIsNone(findings[0].severity_justification)
+ self.assertEqual("High", findings[0].severity)
+ self.assertIn("sqlparse is a non-validating SQL parser module for Python", findings[0].description)
+ self.assertIn("- [0.4.4]", findings[0].mitigation)
+ self.assertEqual("pypi://sqlparse", findings[0].component_name)
+ self.assertEqual("0.4.3", findings[0].component_version)
+ self.assertIn("pypi://django:4.1.4", findings[0].impact)
+ self.assertIn("https://github.com/andialbrecht/sqlparse/commit/", findings[0].references)
+ self.assertTrue(findings[0].static_finding)
+ self.assertFalse(findings[0].dynamic_finding)
+ self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", findings[0].cvssv3)
+ self.assertEqual("XRAY-515353", findings[0].vuln_id_from_tool)
+ self.assertEqual(['CVE-2023-30608'], findings[0].unsaved_vulnerability_ids)
+
+ with self.subTest(finding=1):
+ self.assertIn("**Short description**\nA design problem in Django may lead to denial of service when processing multipart forms.\n", findings[1].severity_justification)
+ self.assertIn("**Full description**\n[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development.\r\n\r\nA vulnerability has been discovered in the Multipart Request Parser in Django. By passing certain inputs (such as an excessive number of parts) to multipart forms, an attacker can trigger too many open files or memory exhaustion, which may lead to a denial-of-service attack. \r\n\r\nThe issue is only exploitable when the `MultiPartParser` class is used by the Django app/\n", findings[1].severity_justification)
+ self.assertIn("**JFrog research severity**\nHigh\n", findings[1].severity_justification)
+ self.assertIn("**JFrog research severity reasons**\nExploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector\n", findings[1].severity_justification)
+ self.assertIn("An attacker must find a multipart form that receives files in order to trigger this issue, although this does not require intimate per-target research and can be automated.\n", findings[1].severity_justification)
+ self.assertIn("_Is positive:_ true\n", findings[1].severity_justification)
From ccae048071600b045fa5aa1c9c8a5bcd7c086be6 Mon Sep 17 00:00:00 2001
From: renejal
Date: Fri, 24 Nov 2023 08:51:21 -0500
Subject: [PATCH 31/31] capitalization skills
---
 .../parsers/file/jfrog_xray_on_demand_binary_scan.md | 2 +-
 dojo/fixtures/defect_dojo_sample_data.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
index c95e57793d2..2b877b1b04c 100644
--- a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
+++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md
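Review bot: The title pinned for finding 0, `sqlparse is a non-validating SQL parser module for Python`, is the package's self-description rather than the weakness, which suggests the title is taken from the opening sentence of `summary`; two Xray entries for the same package whose summaries open with the same blurb would then get identical titles and be told apart only by description. Consider asserting, and producing, a title that carries the identifier, e.g. `self.assertIn("CVE-2023-30608", findings[0].title)`. The subTest for finding 1 checks only `severity_justification`; one assertion on `findings[1].severity` would pin that the Finding severity comes from Xray's own `severity` field, as `get_severity` appears to read, and not from the JFrog research severity quoted in the justification. The test methods themselves start and end inside the hunk.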
@@ -2,7 +2,7 @@
 title: "JFrog Xray On Demand Binary Scan"
 toc_hide: true
 ---
-Import the JSON format for the \"JFrog Xray On Demand Binary Scan\" file. Use this importer for Xray version 2.X
+Import the JSON format for the \"JFrog Xray On Demand Binary Scan\" file. Use this importer for Xray version 3.X
 --
 JFrog file documentation:
diff --git a/dojo/fixtures/defect_dojo_sample_data.json b/dojo/fixtures/defect_dojo_sample_data.json
index 14ce0dca4fe..27e0e202136 100644
--- a/dojo/fixtures/defect_dojo_sample_data.json
+++ b/dojo/fixtures/defect_dojo_sample_data.json
@@ -8623,7 +8623,7 @@
 "model": "dojo.test_type",
 "pk": 149,
 "fields": {
- "name": "Jfrog Xray On Demand Binary Scan",
+ "name": "JFrog Xray On Demand Binary Scan",
 "static_tool": false,
 "dynamic_tool": false,
 "active": true