From a2d389dfd6582cd52262257009f408cfcbe340fb Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Tue, 28 Nov 2023 08:30:59 -0500 Subject: [PATCH 01/33] Created _init_.py --- docs/content/en/integrations/parsers/file/noseyparker.md | 5 +++++ dojo/tools/noseyparker/__init__.py | 0 2 files changed, 5 insertions(+) create mode 100644 docs/content/en/integrations/parsers/file/noseyparker.md create mode 100644 dojo/tools/noseyparker/__init__.py diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md new file mode 100644 index 00000000000..0fde44bebae --- /dev/null +++ b/docs/content/en/integrations/parsers/file/noseyparker.md @@ -0,0 +1,5 @@ +--- +title: "Nosey Parker" +toc_hide: true +--- +JSONLines Output of Nosey Parker. Supports version 0.15.0 of https://github.com/praetorian-inc/noseyparker diff --git a/dojo/tools/noseyparker/__init__.py b/dojo/tools/noseyparker/__init__.py new file mode 100644 index 00000000000..e69de29bb2d From 6052a258376a61a09949114ab735734392acead3 Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Tue, 28 Nov 2023 08:50:21 -0500 Subject: [PATCH 02/33] Created parser.py --- dojo/fixtures/test_type.json | 7 ++ dojo/tools/noseyparker/parser.py | 197 +++++++++++++++++++++++++++++++ 2 files changed, 204 insertions(+) create mode 100644 dojo/tools/noseyparker/parser.py diff --git a/dojo/fixtures/test_type.json b/dojo/fixtures/test_type.json index d1a9fa60726..c9ed263452a 100644 --- a/dojo/fixtures/test_type.json +++ b/dojo/fixtures/test_type.json @@ -47,5 +47,12 @@ }, "model": "dojo.test_type", "pk": 7 + }, + { + "fields": { + "name": "Nosey Parker" + }, + "model": "dojo.test_type", + "pk": 8 } ] \ No newline at end of file diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py new file mode 100644 index 00000000000..626f0863617 --- /dev/null +++ b/dojo/tools/noseyparker/parser.py 
@@ -0,0 +1,197 @@ +import hashlib +import json + + +from datetime import datetime +from dojo.models import Finding + + +class NoseyParkerParser(object): + """ + Scanning secrets from repos + """ + + def get_scan_types(self): + return ["Nosey Parker Scan"] + + def get_label_for_scan_types(self, scan_type): + return "Nosey Parker Scan" + + def get_description_for_scan_types(self, scan_type): + return "Nosey Parker report file can be imported in JSON Lines format (option --jsonl)." + + def get_findings(self, file, test, reporter): + """ + Returns findings from jsonlines file + """ + dupes = {} + # Turn JSONL file into DataFrame + if file.name.lower().endswith(".jsonl") or file.name.lower().endswith(".json"): + # Process jsonlines into Dict + data = [json.loads(line) for line in file] + + # Check for empty file + if len(len(data)) == 0: + return [] + + # Parse through each secret of each Json line + for item in data: + # Set rule to the current secret type (e.g AWS S3 Bucket) + key = item['rule_name'] + # Number of identical secret matches + num_matches = item['num_matches'] + severity = "High" + + # First finding in json list + first_finding = item['matches'][0] + + # Set Finding details + title = f"Secret(s) Found in Repository with Commit ID {first_finding['blob_id']}" + description = f"Secret found of type: {key} \n" \ + f"SECRET starts with: {secret[:3]} on line number {line_num} \n" \ + f"This secret was found {num_matches} time(s) \n" \ + f"**Committer Name: ** {first_finding['provenance']['commit_provenance']['committer_name']} \n" \ + f"**Committer Email: ** {first_finding['provenance']['commit_provenance']['committer_email']} \n" + + line_num = first_finding['location']['source_span']['start']['line'] + secret = item['match_content'] + filepath = first_finding['provenance.path'] + reproduce = f"**First Occurrence of secret: ** \n" \ + f"Snippet: {first_finding['snippet']['before']}***SECRET***{first_finding['snippet']['after']} \n" \ + f"Location: {filepath} 
line #{line_num}" + description += reproduce + + # Internal de-duplication + dupe_key = hashlib.sha256(str(filepath + secret).encode('utf-8')).hexdigest() + if dupe_key in dupes: + find = dupes[dupe_key] + if finding.description: + find.description += "\n" + finding.description + finding.nb_occurences += 1 + dupes[dupe_key] = find + else: + dupes[dupe_key] = True + # Create Finding object + finding = Finding( + test=test, + cwe=798, + title=title, + description=description, + steps_to_reproduce=reproduce, + severity=severity, + mitigation="Please reset the account/token and remove ALL occurences of this secret from source code. " + "Store secrets/tokens/passwords in secret managers or secure vaults.", + reporter=reporter, + date=datetime.today().strftime("%Y-%m-%d"), + verified='false', + active='true', + is_mitigated='false', + file_path=filepath, + line=line_num, + static_finding=True, + dynamic_finding=False + + ) + dupes[dupe_key] = finding + else: + raise ValueError("Format is not recognized for NoseyParker") + + + + def get_findings(self, file, test, filter, reporter): + """ + Returns findings from jsonlines file and uses filter + to skip findings and determine severity + """ + dupes = {} + + # Filter + filter_dict = self.parse_filter(filter) + + # Turn JSONL file into DataFrame + if file.name.lower().endswith(".jsonl") or file.name.lower().endswith(".json"): + # Process jsonlines into Dict + data = [json.loads(line) for line in file] + + # Check for empty file + if len(len(data)) == 0: + return [] + + + # Parse through each secret of each Json line + for item in data: + # Set rule to the current secret type (e.g AWS S3 Bucket) + key = item['rule_name'] + # Number of identical secret matches + num_matches = item['num_matches'] + severity = "High" + + # Check if Filter dictionary indicates to Skip finding + if key in filter_dict: + if filter_dict[key]['Skip'] == "True": + return [] + else: + # Get severity from filter json + severity = 
filter_dict[key]['Priority'] + + # First finding in json list + first_finding = item['matches'][0] + + # Set Finding details + title = f"Secret(s) Found in Repository with Commit ID {first_finding['blob_id']}" + description = f"Secret found of type: {key} \n" \ + f"SECRET starts with: {secret[:3]} on line number {line_num} \n" \ + f"This secret was found {num_matches} time(s) \n" \ + f"**Committer Name: ** {first_finding['provenance']['commit_provenance']['committer_name']} \n" \ + f"**Committer Email: ** {first_finding['provenance']['commit_provenance']['committer_email']} \n" + + line_num = first_finding['location']['source_span']['start']['line'] + secret = item['match_content'] + filepath = first_finding['provenance.path'] + reproduce = f"**First Occurrence of secret: ** \n" \ + f"Snippet: {first_finding['snippet']['before']}***SECRET***{first_finding['snippet']['after']} \n" \ + f"Location: {filepath} line #{line_num}" + description += reproduce + + # Internal de-duplication + dupe_key = hashlib.sha256(str(filepath + secret).encode('utf-8')).hexdigest() + if dupe_key in dupes: + find = dupes[dupe_key] + if finding.description: + find.description += "\n" + finding.description + finding.nb_occurences += 1 + dupes[dupe_key] = find + else: + dupes[dupe_key] = True + # Create Finding object + finding = Finding( + test=test, + cwe=798, + title=title, + description=description, + steps_to_reproduce=reproduce, + severity=severity, + mitigation="Please reset the account/token and remove ALL occurences of this secret from source code. 
" + "Store secrets/tokens/passwords in secret managers or secure vaults.", + reporter=reporter, + date=datetime.today().strftime("%Y-%m-%d"), + verified='false', + active='true', + is_mitigated='false', + file_path=filepath, + line=line_num, + static_finding=True, + dynamic_finding=False + + ) + dupes[dupe_key] = finding + else: + raise ValueError("Format is not recognized for NoseyParker") + + return list(dupes.values()) + + def parse_filter(self, filter_file): + # Parse Filter JSON file into Dictionary + + filter_dict = json.load(filter_file) + return filter_dict From be31c39449da78752f58c25078d206e968fc20f9 Mon Sep 17 00:00:00 2001 From: Greg Anderson Date: Wed, 29 Nov 2023 12:17:07 -0600 Subject: [PATCH 03/33] Update README.md (#9048) --- README.md | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 3eb26774ce6..5dd6b22ccfe 100644 --- a/README.md +++ b/README.md @@ -27,13 +27,8 @@ ![Screenshot of DefectDojo](https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/dev/docs/static/images/screenshot1.png) -[DefectDojo](https://www.defectdojo.com/) is a security orchestration and -vulnerability management platform. -DefectDojo allows you to manage your application security program, maintain -product and application information, triage vulnerabilities and -push findings to systems like JIRA and Slack. DefectDojo enriches and -refines vulnerability data using a number of heuristic algorithms that -improve with the more you use the platform. +[DefectDojo](https://www.defectdojo.com/) is a DevSecOps, ASPM (application security posture management), and vulnerability management tool. +DefectDojo ​​orchestrates end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting. ## Demo 
@@ -106,8 +101,10 @@ forthcoming v3 release. See the contributing guidelines below for more details. See our [Contributing guidelines](readme-docs/CONTRIBUTING.md) -## Commercial Support and Training -[Commercial support and training is availaible.](https://www.defectdojo.com/) For information please email info@defectdojo.com. +## Pro Edition +[Upgrade to DefectDojo Pro](https://www.defectdojo.com/pricing) today to take your DevSecOps to 11. DefectDojo Pro is designed to meet you wherever you are on your security journey and help you scale, with enhanced dashboards, additional smart features, tunable deduplication, and support from DevSecOps experts. + +Alternatively, for information please email info@defectdojo.com ## About Us @@ -139,4 +136,4 @@ Please report Security issues via our [disclosure policy](readme-docs/SECURITY.m ## License -DefectDojo is licensed under the [BSD-3-Clause License](LICENSE.md) +DefectDojo is licensed under the [BSD 3-Clause License](LICENSE.md) From 0aafba044188c9aececa60d91a81486c4159b44d Mon Sep 17 00:00:00 2001 From: Charles Neill <1749665+cneill@users.noreply.github.com> Date: Wed, 29 Nov 2023 13:23:52 -0600 Subject: [PATCH 04/33] Fixing README links and formatting (#9022) * fixing up some links/etc * formatting * more formatting, links, etc * formatting table HTML * Fixing links * typo * formatting, links * typo; adding Aaron Weaver to hall of fame * reorganizing --- README.md | 143 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 84 insertions(+), 59 deletions(-) diff --git a/README.md b/README.md index 5dd6b22ccfe..296288dbe65 100644 --- a/README.md +++ b/README.md @@ -1,59 +1,70 @@ # DefectDojo - - - - + + + +
- Open Source Security Index - Fastest Growing Open Source Security Projects - -

OWASP Flagship GitHub release YouTube Subscribe Twitter Follow -

-

Unit TestsIntegration Tests CII Best Practices

-
+ + Open Source Security Index - Fastest Growing Open Source Security Projects + + +

+ OWASP Flagship + GitHub release + YouTube Subscribe + Twitter Follow +

+

+ Unit Tests + Integration Tests + CII Best Practices +

+
![Screenshot of DefectDojo](https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/dev/docs/static/images/screenshot1.png) -[DefectDojo](https://www.defectdojo.com/) is a DevSecOps, ASPM (application security posture management), and vulnerability management tool. -DefectDojo ​​orchestrates end-to-end security testing, vulnerability tracking, deduplication, remediation, and reporting. +[DefectDojo](https://www.defectdojo.com/) is a DevSecOps, ASPM (application security posture management), and +vulnerability management tool. DefectDojo orchestrates end-to-end security testing, vulnerability tracking, +deduplication, remediation, and reporting. ## Demo -Try out the demo server at [demo.defectdojo.org](https://demo.defectdojo.org) +Try out DefectDojo on our demo server at [demo.defectdojo.org](https://demo.defectdojo.org) -Log in with `admin / 1Defectdojo@demo#appsec`. Please note that the demo is publicly accessible and regularly reset. Do not put sensitive data in the demo. +Log in with username `admin` and password `1Defectdojo@demo#appsec`. Please note that the demo is publicly accessible +and regularly reset. Do not put sensitive data in the demo. ## Quick Start for Compose V2 + From July 2023 Compose V1 [stopped receiving updates](https://docs.docker.com/compose/reference/). -Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using `docker compose`, instead of `docker-compose`. +Compose V2 integrates compose functions into the Docker platform, continuing to support most of the previous +docker-compose features and flags. You can run Compose V2 by replacing the hyphen (-) with a space, using +`docker compose` instead of `docker-compose`. 
```sh +# Clone the project git clone https://github.com/DefectDojo/django-DefectDojo cd django-DefectDojo -# building + +# Building Docker images ./dc-build.sh -# running (for other profiles besides postgres-redis look at https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md) + +# Run the application (for other profiles besides postgres-redis see +# https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md) ./dc-up.sh postgres-redis -# obtain admin credentials. the initializer can take up to 3 minutes to run -# use docker-compose logs -f initializer to track progress + +# Obtain admin credentials. The initializer can take up to 3 minutes to run. +# Use docker compose logs -f initializer to track its progress. docker compose logs initializer | grep "Admin password:" ``` + ## For Docker Compose V1 -You can run Compose V1 by editing the below files to add the hyphen (-) between `docker compose`. + +You can run Compose V1 by editing the files below to add the hyphen (-) between `docker compose`. ```sh dc-build.sh dc-down.sh 
@@ -66,17 +77,18 @@ You can run Compose V1 by editing the below files to add the hyphen (-) between docker/setEnv.sh ``` - -Navigate to . - +Navigate to `http://localhost:8080` to see your new instance! ## Documentation -- [Official Docs](https://documentation.defectdojo.com/) ([latest](https://documentation.defectdojo.com/) | [dev](https://documentation.defectdojo.com/dev)) -- [REST APIs](https://documentation.defectdojo.com/integrations/api-v2-docs/) -- [Client APIs and Wrappers](https://documentation.defectdojo.com/integrations/api-v2-docs/#clients--api-wrappers) -- [Authentication Options](readme-docs/AVAILABLE-PLUGINS.md) -- [Parsers](https://documentation.defectdojo.com/integrations/parsers/) +* [Official Docs](https://documentation.defectdojo.com/) + * [Docs for our `dev` branch](https://documentation.defectdojo.com/dev/) +* [REST APIs](https://documentation.defectdojo.com/integrations/api-v2-docs/) +* [Client APIs and Wrappers](https://documentation.defectdojo.com/integrations/api-v2-docs/#clients--api-wrappers) +* Authentication options: + * [OAuth2/SAML2](https://documentation.defectdojo.com/integrations/social-authentication/) + * [LDAP](https://documentation.defectdojo.com/integrations/ldap-authentication/) +* [Supported tools](https://documentation.defectdojo.com/integrations/parsers/) ## Supported Installation Options 
@@ -86,49 +98,62 @@ Navigate to . ## Community, Getting Involved, and Updates -[Slack](https://owasp-slack.herokuapp.com/) +[Slack](https://owasp.org/slack/invite) [LinkedIn](https://www.linkedin.com/company/defectdojo) [Twitter](https://twitter.com/defectdojo) [Youtube](https://www.youtube.com/channel/UCWw9qzqptiIvTqSqhOFuCuQ) -[Join the slack community](https://owasp.org/slack/invite) and discussion! Realtime discussion is done in the OWASP Slack Channel, #defectdojo. -Follow DefectDojo on [Twitter](https://twitter.com/defectdojo), [Linkedin](https://www.linkedin.com/company/defectdojo), and [YouTube](https://www.youtube.com/channel/UCWw9qzqptiIvTqSqhOFuCuQ) for project updates! +[Join the OWASP Slack community](https://owasp.org/slack/invite) and participate in the discussion! You can find us in +our channel there, [#defectdojo](https://owasp.slack.com/channels/defectdojo). Follow DefectDojo on +[Twitter](https://twitter.com/defectdojo), [LinkedIn](https://www.linkedin.com/company/defectdojo), and +[YouTube](https://www.youtube.com/channel/UCWw9qzqptiIvTqSqhOFuCuQ) for project updates! ## Contributing -:warning: Please note that DefectDojo will soon stop accepting new features to stabilize the API and data model for a -forthcoming v3 release. See the contributing guidelines below for more details. :warning: - -See our [Contributing guidelines](readme-docs/CONTRIBUTING.md) +:warning: We have instituted a [feature freeze](https://github.com/DefectDojo/django-DefectDojo/discussions/8002) on v2 +of DefectDojo as we begin work on v3. Please see our [contributing guidelines](readme-docs/CONTRIBUTING.md) for more +information. Check out our latest update on v3 [here](https://github.com/DefectDojo/django-DefectDojo/discussions/8974). ## Pro Edition -[Upgrade to DefectDojo Pro](https://www.defectdojo.com/pricing) today to take your DevSecOps to 11. 
DefectDojo Pro is designed to meet you wherever you are on your security journey and help you scale, with enhanced dashboards, additional smart features, tunable deduplication, and support from DevSecOps experts. +[Upgrade to DefectDojo Pro](https://www.defectdojo.com/pricing) today to take your DevSecOps to 11. DefectDojo Pro is +designed to meet you wherever you are on your security journey and help you scale, with enhanced dashboards, additional +smart features, tunable deduplication, and support from DevSecOps experts. Alternatively, for information please email info@defectdojo.com ## About Us DefectDojo is maintained by: -* Greg Anderson ([@devGregA](https://github.com/devgrega) | [linkedin](https://www.linkedin.com/in/g-anderson/)) -* Matt Tesauro ([@mtesauro](https://github.com/mtesauro) | [linkedin](https://www.linkedin.com/in/matttesauro/) | [@matt_tesauro](https://twitter.com/matt_tesauro)) +* Greg Anderson ([@devGregA](https://github.com/devgrega) | [LinkedIn](https://www.linkedin.com/in/g-anderson/)) +* Matt Tesauro ([@mtesauro](https://github.com/mtesauro) | [LinkedIn](https://www.linkedin.com/in/matttesauro/) | + [@matt_tesauro](https://twitter.com/matt_tesauro)) Core Moderators can help you with pull requests or feedback on dev ideas: -* Cody Maffucci ([@Maffooch](https://github.com/maffooch) | [linkedin](https://www.linkedin.com/in/cody-maffucci)) +* Cody Maffucci ([@Maffooch](https://github.com/maffooch) | [LinkedIn](https://www.linkedin.com/in/cody-maffucci)) Moderators can help you with pull requests or feedback on dev ideas: -* Damien Carol ([@damnielcarol](https://github.com/damiencarol) | [linkedin](https://www.linkedin.com/in/damien-carol/)) +* Damien Carol ([@damiencarol](https://github.com/damiencarol) | [LinkedIn](https://www.linkedin.com/in/damien-carol/)) * Jannik Jürgens ([@alles-klar](https://github.com/alles-klar)) * Dubravko Sever ([@dsever](https://github.com/dsever)) - +* Charles Neill ([@cneill](https://github.com/cneill) | 
[@ccneill](https://twitter.com/ccneill)) +* Jay Paz ([@jjpaz](https://twitter.com/jjpaz)) +* Blake Owens ([@blakeaowens](https://github.com/blakeaowens)) ## Hall of Fame -* Valentijn Scholten ([@valentijnscholten](https://github.com/valentijnscholten) | [sponsor](https://github.com/sponsors/valentijnscholten) | [linkedin](https://www.linkedin.com/in/valentijn-scholten/)) - Valentijn served as a core moderator for 3 years. Valentijn’s contributions were numerous and extensive. He overhauled, improved, and optimized many parts of the codebase. He consistently fielded questions, provided feedback on pull requests, and provided a helping hand wherever it was needed. -* Fred Blaise ([@madchap](https://github.com/madchap) | [linkedin](https://www.linkedin.com/in/fredblaise/)) - Fred served as a core moderator during a critical time for DefectDojo. He contributed code, helped the team stay organized, and architected important policies and procedures. -* Charles Neill ([@ccneill](https://twitter.com/ccneill)) – Charles served as a - DefectDojo Maintainer for years and wrote some of Dojo's core functionality. -* Jay Paz ([@jjpaz](https://twitter.com/jjpaz)) – Jay was a DefectDojo - maintainer for years. He performed Dojo's first UI overhaul, optimized code structure/features, and added numerous enhancements. +* Valentijn Scholten ([@valentijnscholten](https://github.com/valentijnscholten) | + [Sponsor](https://github.com/sponsors/valentijnscholten) | + [LinkedIn](https://www.linkedin.com/in/valentijn-scholten/)) - Valentijn served as a core moderator for 3 years. + Valentijn’s contributions were numerous and extensive. He overhauled, improved, and optimized many parts of the + codebase. He consistently fielded questions, provided feedback on pull requests, and provided a helping hand wherever + it was needed. 
+* Fred Blaise ([@madchap](https://github.com/madchap) | [LinkedIn](https://www.linkedin.com/in/fredblaise/)) - Fred + served as a core moderator during a critical time for DefectDojo. He contributed code, helped the team stay organized, + and architected important policies and procedures. +* Aaron Weaver ([@aaronweaver](https://github.com/aaronweaver) | [LinkedIn](https://www.linkedin.com/in/aweaver/)) - + Aaron has been a long time contributor and user of DefectDojo. He did the second major UI overhaul and his + contributions include automation enhancements, CI/CD engagements, increased metadata at the product level, and many + more. ## Security From 46928f8f1096787b35223cae69e64e516da018f1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 Nov 2023 11:22:36 -0600 Subject: [PATCH 05/33] Bump python-gitlab from 3.15.0 to 4.2.0 (#9064) Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 3.15.0 to 4.2.0. - [Release notes](https://github.com/python-gitlab/python-gitlab/releases) - [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md) - [Commits](https://github.com/python-gitlab/python-gitlab/compare/v3.15.0...v4.2.0) --- updated-dependencies: - dependency-name: python-gitlab dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index b6d1da137c3..f598f76ca2f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -55,7 +55,7 @@ social-auth-core==4.5.0 Python-jose==3.3.0 gitpython==3.1.40 debugpy==1.8.0 -python-gitlab==3.15.0 +python-gitlab==4.2.0 drf_yasg==1.21.5 cpe==1.2.1 packageurl-python==0.11.2 From c0de28cd2e8090abcfe4e8474d5c491e19377b17 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 Nov 2023 11:27:26 -0600 Subject: [PATCH 06/33] Bump fontawesomefree from 6.4.2 to 6.5.0 (#9074) Bumps [fontawesomefree](https://github.com/FortAwesome/Font-Awesome) from 6.4.2 to 6.5.0. - [Release notes](https://github.com/FortAwesome/Font-Awesome/releases) - [Changelog](https://github.com/FortAwesome/Font-Awesome/blob/6.x/CHANGELOG.md) - [Commits](https://github.com/FortAwesome/Font-Awesome/compare/6.4.2...6.5.0) --- updated-dependencies: - dependency-name: fontawesomefree dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f598f76ca2f..c1d5917dce5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -81,4 +81,4 @@ pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support boto3==1.29.7 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 -fontawesomefree==6.4.2 +fontawesomefree==6.5.0 From f8426ef4bc333b38721f29fb4bd684f7b05f3813 Mon Sep 17 00:00:00 2001 
From: manuelsommer <47991713+manuel-sommer@users.noreply.github.com> Date: Thu, 30 Nov 2023 18:36:49 +0100 Subject: [PATCH 07/33] :tada: added humble #8988 (#8989) * :tada: added humble * fixed humble * added endpoints * fix according to comment * fix according to review * update * added deduplication setting * fix --- .../en/integrations/parsers/file/humble.md | 6 ++ dojo/settings/settings.dist.py | 2 + dojo/tools/humble/__init__.py | 1 + dojo/tools/humble/parser.py | 61 +++++++++++++++++++ unittests/scans/humble/many_findings.json | 54 ++++++++++++++++ unittests/scans/humble/many_findings2.json | 49 +++++++++++++++ unittests/tools/test_humble_parser.py | 36 +++++++++++ 7 files changed, 209 insertions(+) create mode 100644 docs/content/en/integrations/parsers/file/humble.md create mode 100644 dojo/tools/humble/__init__.py create mode 100644 dojo/tools/humble/parser.py create mode 100644 unittests/scans/humble/many_findings.json create mode 100644 unittests/scans/humble/many_findings2.json create mode 100644 unittests/tools/test_humble_parser.py diff --git a/docs/content/en/integrations/parsers/file/humble.md b/docs/content/en/integrations/parsers/file/humble.md new file mode 100644 index 00000000000..56c3f73b52e --- /dev/null +++ b/docs/content/en/integrations/parsers/file/humble.md @@ -0,0 +1,6 @@ +--- +title: "Humble Report" +toc_hide: true +--- +Import JSON report of the Humble scanner + \ No newline at end of file diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 5a8054a557e..5c059e370d2 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1263,6 +1263,7 @@ def saml2_attrib_map_format(dict): 'KubeHunter Scan': ['title', 'description'], 'kube-bench Scan': ['title', 'vuln_id_from_tool', 'description'], 'Threagile risks report': ['title', 'cwe', "severity"], + 'Humble Json Importer': ['title'], } # Override the hardcoded settings here via the env var 
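Review bot: `'Humble Json Importer': ['title'],` keys the hash code on the finding title alone, so `Missing header: Clear-Site-Data` reported for two different hosts inside the same deduplication scope would collapse into one finding, even though the parser attaches `Endpoint.from_uri(url)` to every finding and marks them `dynamic_finding=True`. If `endpoints` is among the allowed hash-code fields in this settings module, `'Humble Json Importer': ['title', 'endpoints'],` is likely the intended entry; the matching `DEDUPE_ALGO_HASH_CODE` line in the `@@ -1464` hunk can stay as it is. The dict this hunk extends starts and ends outside the hunk, so the allowed-field list is not visible here — confirm before changing.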
@@ -1464,6 +1465,7 @@ def saml2_attrib_map_format(dict): 'KubeHunter Scan': DEDUPE_ALGO_HASH_CODE, 'kube-bench Scan': DEDUPE_ALGO_HASH_CODE, 'Threagile risks report': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, + 'Humble Json Importer': DEDUPE_ALGO_HASH_CODE, } # Override the hardcoded settings here via the env var diff --git a/dojo/tools/humble/__init__.py b/dojo/tools/humble/__init__.py new file mode 100644 index 00000000000..99e8e118c6a --- /dev/null +++ b/dojo/tools/humble/__init__.py @@ -0,0 +1 @@ +__author__ = "manuel_sommer" diff --git a/dojo/tools/humble/parser.py b/dojo/tools/humble/parser.py new file mode 100644 index 00000000000..689ce080187 --- /dev/null +++ b/dojo/tools/humble/parser.py 
@@ -0,0 +1,61 @@ +import json +from dojo.models import Finding, Endpoint + + +class HumbleParser(object): + """Humble (https://github.com/rfc-st/humble)""" + + def get_scan_types(self): + return ["Humble Json Importer"] + + def get_label_for_scan_types(self, scan_type): + return scan_type # no custom label for now + + def get_description_for_scan_types(self, scan_type): + return "JSON output of Humble scan." + + def get_findings(self, filename, test): + items = [] + try: + data = json.load(filename) + except ValueError as err: + data = {} + if data != {}: + url = data['[0. Info]']['URL'] + for content in data['[1. Missing HTTP Security Headers]']: + if content != "Nothing to report, all seems OK!": + finding = Finding(title="Missing header: " + str(content), + description="This security Header is missing: " + content, + severity="Medium", + static_finding=False, + dynamic_finding=True) + items.append(finding) + finding.unsaved_endpoints = [Endpoint.from_uri(url)] + for content in data['[2. Fingerprint HTTP Response Headers]']: + if content != "Nothing to report, all seems OK!": + finding = Finding(title="Available fingerprint:" + str(content), + description="This fingerprint HTTP Response Header is available. Please remove it: " + content, + severity="Medium", + static_finding=False, + dynamic_finding=True) + items.append(finding) + finding.unsaved_endpoints = [Endpoint.from_uri(url)] + for content in data['[3. Deprecated HTTP Response Headers/Protocols and Insecure Values]']: + if content != "Nothing to report, all seems OK!": + finding = Finding(title="Deprecated header: " + str(content), + description="This deprecated HTTP Response Header is available. Please remove it: " + content, + severity="Medium", + static_finding=False, + dynamic_finding=True) + items.append(finding) + finding.unsaved_endpoints = [Endpoint.from_uri(url)] + for content in data['[4. 
Empty HTTP Response Headers Values]']: + if content != "Nothing to report, all seems OK!": + finding = Finding(title="Empty HTTP response header: " + str(content), + description="This empty HTTP Response Header value is available. Please remove it: " + content, + severity="Medium", + static_finding=False, + dynamic_finding=True) + items.append(finding) + finding.unsaved_endpoints = [Endpoint.from_uri(url)] + return items diff --git a/unittests/scans/humble/many_findings.json b/unittests/scans/humble/many_findings.json new file mode 100644 index 00000000000..82a81611939 --- /dev/null +++ b/unittests/scans/humble/many_findings.json 
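Review bot: `except ValueError as err: data = {}` in `get_findings` turns a malformed or truncated report into a silent empty import, and `err` is never used; an unreadable report should fail the import the way the Nosey Parker parser in this series does, e.g. `raise ValueError("Humble report is not valid JSON") from err`, after which the `if data != {}` guard is no longer needed. The four section loops repeat the same body with only the section key and the two string prefixes changed, and each builds a fresh `Endpoint.from_uri(url)`; a small table of `(section_key, title_prefix, description_prefix)` iterated once keeps the runtime strings byte-identical and makes adding further Humble sections a one-line change. A `KeyError` on a missing `'[0. Info]'` or section key would still propagate, which is acceptable for a format check but worth a short comment.
```python
    def get_findings(self, filename, test):
        items = []
        try:
            data = json.load(filename)
        except ValueError as err:
            raise ValueError("Humble report is not valid JSON") from err
        url = data['[0. Info]']['URL']
        # (section key in the report, finding title prefix, description prefix)
        sections = (
            ('[1. Missing HTTP Security Headers]',
             "Missing header: ",
             "This security Header is missing: "),
            ('[2. Fingerprint HTTP Response Headers]',
             "Available fingerprint:",
             "This fingerprint HTTP Response Header is available. Please remove it: "),
            ('[3. Deprecated HTTP Response Headers/Protocols and Insecure Values]',
             "Deprecated header: ",
             "This deprecated HTTP Response Header is available. Please remove it: "),
            ('[4. Empty HTTP Response Headers Values]',
             "Empty HTTP response header: ",
             "This empty HTTP Response Header value is available. Please remove it: "),
        )
        for section, title_prefix, description_prefix in sections:
            for content in data[section]:
                if content == "Nothing to report, all seems OK!":
                    continue
                finding = Finding(title=title_prefix + str(content),
                                  description=description_prefix + content,
                                  severity="Medium",
                                  static_finding=False,
                                  dynamic_finding=True)
                finding.unsaved_endpoints = [Endpoint.from_uri(url)]
                items.append(finding)
        return items
```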
@@ -0,0 +1,54 @@ +{ + "[0. Info]": { + "Date": "2023/11/13 - 09:20:17", + "URL": "https://asdf.asf.hs" + }, + "[HTTP Response Headers]": { + "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0", + "Connection": "Keep-Alive", + "Content-Security-Policy": "script-src 'self';", + "Content-Type": "text/html; charset=utf-8", + "Date": "Mon, 13 Nov 2023 08:20:19 GMT", + "Expires": "Wed, 17 Aug 2005 00:00:00 GMT", + "Keep-Alive": "timeout=5, max=100", + "Last-Modified": "Mon, 13 Nov 2023 08:20:19 GMT", + "Permissions-Policy": "interest-cohort=()", + "Pragma": "no-cache", + "Referrer-Policy": "strict-origin", + "Strict-Transport-Security": "max-age=31536000; includeSubDomain$", + "Transfer-Encoding": "chunked", + "Vary": "Accept-Encoding", + "X-Content-Type-Options": "nosniff", + "X-Frame-Options": "sameorigin", + "X-XSS-Protection": "1; mode=block" + }, + "[1. Missing HTTP Security Headers]": [ + "Clear-Site-Data", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "NEL", + "X-Permitted-Cross-Domain-Policies" + ], + "[2. Fingerprint HTTP Response Headers]": [ + "Nothing to report, all seems OK!" + ], + "[3. Deprecated HTTP Response Headers/Protocols and Insecure Values]": [ + "Pragma (Deprecated Header)", + "Strict-Transport-Security (Recommended Values)", + "X-XSS-Protection (Unsafe Value)" + ], + "[4. Empty HTTP Response Headers Values]": [ + "Nothing to report, all seems OK!" + ], + "[5. 
Browser Compatibility for Enabled HTTP Security Headers]": { + "Cache-Control": "https://caniuse.com/?search=Cache-Control", + "Content-Type": "https://caniuse.com/?search=Content-Type", + "Content-Security-Policy": "https://caniuse.com/?search=contentsecuritypolicy2", + "Permissions-Policy": "https://caniuse.com/?search=Permissions-Policy", + "Referrer-Policy": "https://caniuse.com/?search=Referrer-Policy", + "Strict-Transport-Security": "https://caniuse.com/?search=Strict-Transport-Security", + "X-Content-Type-Options": "https://caniuse.com/?search=X-Content-Type-Options", + "X-Frame-Options": "https://caniuse.com/?search=X-Frame-Options" + } +} \ No newline at end of file diff --git a/unittests/scans/humble/many_findings2.json b/unittests/scans/humble/many_findings2.json new file mode 100644 index 00000000000..68f60db55a9 --- /dev/null +++ b/unittests/scans/humble/many_findings2.json 
@@ -0,0 +1,49 @@ +{ + "[0. Info]": { + "Date": "2023/11/15 - 08:42:38", + "URL": "http://testestset.com" + }, + "[HTTP Response Headers]": { + "CF-Cache-Status": "DYNAMIC", + "CF-RAY": "8265dbd49d362bde-FRA", + "Cache-Control": "no-store, private", + "Connection": "keep-alive", + "Content-Encoding": "gzip", + "Content-Type": "text/html; charset=UTF-8", + "Date": "Wed, 15 Nov 2023 07:42:39 GMT", + "Transfer-Encoding": "chunked", + "Vary": "Accept-Encoding", + "X-Content-Type-Options": "nosniff", + "X-UA-Compatible": "IE=edge" + }, + "[1. Missing HTTP Security Headers]": [ + "Clear-Site-Data", + "Cross-Origin-Embedder-Policy", + "Cross-Origin-Opener-Policy", + "Cross-Origin-Resource-Policy", + "Content-Security-Policy", + "NEL", + "Permissions-Policy", + "Referrer-Policy", + "Strict-Transport-Security", + "X-Permitted-Cross-Domain-Policies", + "X-Frame-Options" + ], + "[2. Fingerprint HTTP Response Headers]": [ + "Cf-Cache-Status", + "Cf-Ray", + "Server" + ], + "[3. Deprecated HTTP Response Headers/Protocols and Insecure Values]": [ + "Cache-Control (Recommended Values)", + "X-UA-compatible (Deprecated Header)" + ], + "[4. Empty HTTP Response Headers Values]": [ + "Nothing to report, all seems OK!" + ], + "[5. Browser Compatibility for Enabled HTTP Security Headers]": { + "Cache-Control": "https://caniuse.com/?search=Cache-Control", + "Content-Type": "https://caniuse.com/?search=Content-Type", + "X-Content-Type-Options": "https://caniuse.com/?search=X-Content-Type-Options" + } +} \ No newline at end of file diff --git a/unittests/tools/test_humble_parser.py b/unittests/tools/test_humble_parser.py new file mode 100644 index 00000000000..ccd99d44373 --- /dev/null +++ b/unittests/tools/test_humble_parser.py 
@@ -0,0 +1,36 @@ +from dojo.tools.humble.parser import HumbleParser +from dojo.models import Test +from unittests.dojo_test_case import DojoTestCase + + +class TestHumbleParser(DojoTestCase): + def test_humble_parser_with_many_findings(self): + testfile = open("unittests/scans/humble/many_findings.json") + parser = HumbleParser() + findings = parser.get_findings(testfile, Test()) + for finding in findings: + for endpoint in finding.unsaved_endpoints: + endpoint.clean() + testfile.close() + self.assertEqual(9, len(findings)) + finding = findings[0] + self.assertEqual(finding.unsaved_endpoints[0].host, "asdf.asf.hs") + self.assertEqual("Missing header: Clear-Site-Data", finding.title) + finding = findings[7] + self.assertEqual("Deprecated header: Strict-Transport-Security (Recommended Values)", finding.title) + + def test_humble_parser_with_many_findings2(self): + testfile = open("unittests/scans/humble/many_findings2.json") + parser = HumbleParser() + findings = parser.get_findings(testfile, Test()) + for finding in findings: + for endpoint in finding.unsaved_endpoints: + endpoint.clean() + testfile.close() + self.assertEqual(16, len(findings)) + finding = findings[0] + self.assertEqual(finding.unsaved_endpoints[0].host, "testestset.com") + self.assertEqual("Missing header: Clear-Site-Data", finding.title) + finding = findings[7] + self.assertEqual("Missing header: Referrer-Policy", finding.title) + self.assertEqual("This security Header is missing: Referrer-Policy", finding.description) From f503320e4e00d533157e47706ef6b6a616755f66 Mon Sep 17 00:00:00 2001 
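Review bot: Both tests open the fixture with a bare `open(...)` and only reach `testfile.close()` after the endpoint loop, so any failure before that line (including a raising `endpoint.clean()`) leaks the file handle for the rest of the run. A `with open("unittests/scans/humble/many_findings.json") as testfile:` block around the `parser.get_findings(testfile, Test())` call is enough and drops the explicit close; the same applies to `test_humble_parser_with_many_findings2`. The expected counts line up with the fixtures (6 missing + 3 deprecated = 9, and 11 + 3 + 2 = 16), so only the resource handling needs attention.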
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 Nov 2023 11:58:51 -0600 Subject: [PATCH 08/33] Bump social-auth-core from 4.5.0 to 4.5.1 (#9073) Bumps [social-auth-core](https://github.com/python-social-auth/social-core) from 4.5.0 to 4.5.1. - [Release notes](https://github.com/python-social-auth/social-core/releases) - [Changelog](https://github.com/python-social-auth/social-core/blob/master/CHANGELOG.md) - [Commits](https://github.com/python-social-auth/social-core/compare/4.5.0...4.5.1) --- updated-dependencies: - dependency-name: social-auth-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index c1d5917dce5..04627113ad5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -51,7 +51,7 @@ vobject==0.9.6.1 whitenoise==5.2.0 titlecase==2.4.1 social-auth-app-django==5.4.0 -social-auth-core==4.5.0 +social-auth-core==4.5.1 Python-jose==3.3.0 gitpython==3.1.40 debugpy==1.8.0 From 12c20c41921c6d5332e44cfeb0f5b597dfe1ae8a Mon Sep 17 00:00:00 2001 From: Manuel Venega <127304555+veneber@users.noreply.github.com> Date: Thu, 30 Nov 2023 20:45:44 +0100 Subject: [PATCH 09/33] Adding subcomponent labels for celery beat and worker (#9078) --- helm/defectdojo/templates/celery-beat-deployment.yaml | 1 + helm/defectdojo/templates/celery-worker-deployment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/helm/defectdojo/templates/celery-beat-deployment.yaml b/helm/defectdojo/templates/celery-beat-deployment.yaml index 82b6632b199..605e41b5b92 100644 --- a/helm/defectdojo/templates/celery-beat-deployment.yaml +++ b/helm/defectdojo/templates/celery-beat-deployment.yaml 
@@ -5,6 +5,7 @@ metadata: name: {{ $fullName }}-celery-beat labels: defectdojo.org/component: celery + defectdojo.org/subcomponent: beat app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} diff --git a/helm/defectdojo/templates/celery-worker-deployment.yaml b/helm/defectdojo/templates/celery-worker-deployment.yaml index e67497bd302..b6ca15e687a 100644 --- a/helm/defectdojo/templates/celery-worker-deployment.yaml +++ b/helm/defectdojo/templates/celery-worker-deployment.yaml @@ -5,6 +5,7 @@ metadata: name: {{ $fullName }}-celery-worker labels: defectdojo.org/component: celery + defectdojo.org/subcomponent: worker app.kubernetes.io/name: {{ include "defectdojo.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} From e2885d58b6f3d4b22cc5b0b2a6583797b4608515 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 13:44:17 -0600 Subject: [PATCH 10/33] Update rabbitmq Docker tag from 3.12.9 to v3.12.10 (docker-compose.yml) (#9075) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 8da8ddf250c..26451ced8c2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -149,7 +149,7 @@ services: volumes: - defectdojo_postgres:/var/lib/postgresql/data rabbitmq: - image: rabbitmq:3.12.9-alpine@sha256:801dbe7ad31edd693418cfd6adf5294773b140a76ac43fa27637b702b51b98a5 + image: rabbitmq:3.12.10-alpine@sha256:d3e61b5e0abb91c088482dc969b8ce2d611f718fcc751a3f8cb8fa2df69da200 profiles: - mysql-rabbitmq - postgres-rabbitmq From 55f5573688aff50b33308a73a98fb751ff8c7755 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:51:55 -0600 Subject: [PATCH 11/33] Update postgres:16.1-alpine Docker digest from 16.1 to 16.1-alpine (docker-compose.yml) (#9082) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 26451ced8c2..f6db7653259 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -138,7 +138,7 @@ services: volumes: - defectdojo_data:/var/lib/mysql postgres: - image: postgres:16.1-alpine@sha256:bebdbe026fbb097684cc853e1a259b8c8b385e06ffc9873b4f76c5ae5d596257 + image: postgres:16.1-alpine@sha256:b5b982f51f46f10cfc81bbd9f922692a9b1b6aac3955d7dda2c7733f8ca5bf09 profiles: - postgres-rabbitmq - postgres-redis From 4b80f78d62ee8056fd9d8846e6703286b191f89d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:52:39 -0600 Subject: [PATCH 12/33] Update redis:7.2.3-alpine Docker digest from 7.2.3 to 7.2.3-alpine (docker-compose.yml) (#9083) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index f6db7653259..d083704af3a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -156,7 +156,7 @@ services: volumes: - defectdojo_rabbitmq:/var/lib/rabbitmq redis: - image: redis:7.2.3-alpine@sha256:6a7b3c6e3a6854424d96953172cac1ca97f0fc90094bcc479f3949e29bb053af + image: redis:7.2.3-alpine@sha256:3ce533b2b057f74b235d1d8697ae08b1b6ff0a5e16827ea6a377b6365693c7ed profiles: - mysql-redis - postgres-redis From e8bad94d3c53ead4edb37a4f810ac99ca297f497 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:54:15 -0600 Subject: [PATCH 13/33] Bump boto3 from 1.29.7 to 1.33.5 (#9085) Bumps [boto3](https://github.com/boto/boto3) from 1.29.7 to 1.33.5. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.29.7...1.33.5) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 04627113ad5..83896cb1d2b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -78,7 +78,7 @@ django-ratelimit==4.1.0 argon2-cffi==23.1.0 blackduck==1.1.0 pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support -boto3==1.29.7 # Required for Celery Broker AWS (SQS) support +boto3==1.33.5 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 fontawesomefree==6.5.0 From 0a589373e538c36da4583dac9f3bc7bde76eed0c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 15:55:32 -0600 Subject: [PATCH 14/33] Bump fontawesomefree from 6.5.0 to 6.5.1 (#9086) Bumps [fontawesomefree](https://github.com/FortAwesome/Font-Awesome) from 6.5.0 to 6.5.1. - [Release notes](https://github.com/FortAwesome/Font-Awesome/releases) - [Changelog](https://github.com/FortAwesome/Font-Awesome/blob/6.x/CHANGELOG.md) - [Commits](https://github.com/FortAwesome/Font-Awesome/compare/6.5.0...6.5.1) --- updated-dependencies: - dependency-name: fontawesomefree dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 83896cb1d2b..481c6f6fa59 100644 --- a/requirements.txt +++ b/requirements.txt @@ -81,4 +81,4 @@ pycurl==7.45.2 # Required for Celery Broker AWS (SQS) support boto3==1.33.5 # Required for Celery Broker AWS (SQS) support netaddr==0.8.0 vulners==2.1.1 -fontawesomefree==6.5.0 +fontawesomefree==6.5.1 From cd83b007f205788ded0063257275c4b4c04e2e70 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 1 Dec 2023 16:17:29 -0600 Subject: [PATCH 15/33] Add logging statement for failed password reset validation logic (#9087) --- docker/entrypoint-uwsgi-dev.sh | 2 +- dojo/user/views.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docker/entrypoint-uwsgi-dev.sh b/docker/entrypoint-uwsgi-dev.sh index 0cf7e9bfae6..587452cd0f6 100755 --- a/docker/entrypoint-uwsgi-dev.sh +++ b/docker/entrypoint-uwsgi-dev.sh @@ -8,7 +8,7 @@ cd /app DD_UWSGI_LOGFORMAT_DEFAULT='[pid: %(pid)|app: -|req: -/-] %(addr) (%(dd_user)) {%(vars) vars in %(pktsize) bytes} [%(ctime)] %(method) %(uri) => generated %(rsize) bytes in %(msecs) msecs (%(proto) %(status)) %(headers) headers in %(hsize) bytes (%(switches) switches on core %(core))' -if [ ${DD_DEBUG} == "True" ]; then +if [ ${DD_DEBUG} = "True" ]; then echo "Debug mode enabled, reducing # of processes and threads to 1" DD_UWSGI_NUM_OF_PROCESSES=1 DD_UWSGI_NUM_OF_THREADS=1 diff --git a/dojo/user/views.py b/dojo/user/views.py index ca53c7c6f5d..ebbd6cad258 100644 --- a/dojo/user/views.py +++ b/dojo/user/views.py 
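Review bot: `${DD_DEBUG}` is still unquoted in the rewritten test, so when the variable is unset or empty the command degrades to `[ = "True" ]` and `test` reports an operator error on stderr instead of evaluating cleanly to false; `if [ "${DD_DEBUG}" = "True" ]; then` fixes this while keeping the POSIX `=` the commit introduces. Whether the script runs under `set -e` or similar is not visible in the hunk, but the quoting is correct either way.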
@@ -643,7 +643,8 @@ def clean(self): if isinstance(connection, EmailBackend): connection.open() connection.close() - except Exception: + except Exception as e: + logger.error(f"SMTP Server Connection Failure: {str(e)}") raise ValidationError("SMTP server is not configured correctly...") From 9ee0605767e41147a7e9299885a013c93f1b0402 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 1 Dec 2023 16:48:19 -0600 Subject: [PATCH 16/33] Finding Template: Correct save ordering (#9088) --- dojo/finding/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/finding/views.py b/dojo/finding/views.py index 3610ef405b8..1930835a666 100644 --- a/dojo/finding/views.py +++ b/dojo/finding/views.py @@ -2303,10 +2303,10 @@ def add_template(request): template.numerical_severity = Finding.get_numerical_severity( template.severity ) + template.save() finding_helper.save_vulnerability_ids_template( template, form.cleaned_data["vulnerability_ids"].split() ) - template.save() form.save_m2m() count = apply_cwe_mitigation( form.cleaned_data["apply_to_findings"], template From b8c8d9db122f7edeec6532558d5861a67d5755ae Mon Sep 17 00:00:00 2001 
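Review bot: The new log call formats the exception eagerly with an f-string and drops the traceback; inside an `except` block, `logger.exception("SMTP Server Connection Failure: %s", e)` records the message and the stack and defers formatting as the logging idiom expects. Chaining the re-raise as `raise ValidationError("SMTP server is not configured correctly...") from e` keeps the cause attached for whoever debugs the form. Keeping the generic text in the user-facing `ValidationError` while the detail goes to the server log is the right split, so only the log statement needs changing; the `str(e)` wrapper is redundant in either form. `clean`'s body starts outside the hunk.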
From: renejal <40049733+renejal@users.noreply.github.com> Date: Fri, 1 Dec 2023 21:09:04 -0500 Subject: [PATCH 17/33] Feature/parser jfrog xray binary scan (#9015) * new parser Jfrog Xray on Demand Binary Scan * new parser Jfrog Xray on Demand Binary Scan * delete blank line at end of file * rename function * More sample reports * Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/settings/settings.dist.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/settings/settings.dist.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik * First round of Improvements * Drop duplicates in component_id and full_path * Process per component * Visual 
improvements * Use+clean summary in Title, fix dedup, parse version, drop useless functions * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik * Update dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py Co-authored-by: kiblik * fix test rename class * Last Improvements and tests * capitalization skills --------- Co-authored-by: Tomas Kubla Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> Co-authored-by: kiblik --- .../file/jfrog_xray_on_demand_binary_scan.md | 9 + dojo/fixtures/defect_dojo_sample_data.json | 10 + dojo/settings/settings.dist.py | 2 + .../__init__.py | 0 .../parser.py | 190 + .../many_vulns.json | 111 + .../many_vulns_docker.json | 129 + .../many_vulns_pypi.json | 9130 +++++++++++++++++ .../one_vuln.json | 44 + ...jfrog_xray_on_demand_binary_scan_parser.py | 85 + 10 files changed, 9710 insertions(+) create mode 100644 docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md create mode 100644 dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py create mode 100644 dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json create mode 100644 unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json create mode 100644 unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py 
diff --git a/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md new file mode 100644 index 00000000000..2b877b1b04c --- /dev/null +++ b/docs/content/en/integrations/parsers/file/jfrog_xray_on_demand_binary_scan.md @@ -0,0 +1,9 @@ +--- +title: "JFrog Xray On Demand Binary Scan" +toc_hide: true +--- +Import the JSON format for the \"JFrog Xray On Demand Binary Scan\" file. Use this importer for Xray version 3.X +-- + JFrog file documentation: + +https://jfrog.com/help/r/jfrog-cli/on-demand-binary-scan diff --git a/dojo/fixtures/defect_dojo_sample_data.json b/dojo/fixtures/defect_dojo_sample_data.json index 3db55c5d9d2..27e0e202136 100644 --- a/dojo/fixtures/defect_dojo_sample_data.json +++ b/dojo/fixtures/defect_dojo_sample_data.json @@ -8620,6 +8620,16 @@ } }, { + "model": "dojo.test_type", + "pk": 149, + "fields": { + "name": "JFrog Xray On Demand Binary Scan", + "static_tool": false, + "dynamic_tool": false, + "active": true + } + }, + { "model": "dojo.tagulous_product_tags", "pk": 1, "fields": { diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 5c059e370d2..8d656e96f6c 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1226,6 +1226,7 @@ def saml2_attrib_map_format(dict): 'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'], 'SpotBugs Scan': ['cwe', 'severity', 'file_path', 'line'], 'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version'], + 'JFrog Xray On Demand Binary Scan': ["title", "component_name", "component_version"], 'Scout Suite Scan': ['file_path', 'vuln_id_from_tool'], # for now we use file_path as there is no attribute for "service" 'AWS Security Hub Scan': ['unique_id_from_tool'], 'Meterian Scan': ['cwe', 'component_name', 'component_version', 'description', 'severity'], 
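Review bot: The new `'JFrog Xray On Demand Binary Scan'` entry in the hash-code field map uses double-quoted strings while every neighbouring entry uses single quotes; `['title', 'component_name', 'component_version']` keeps the dict consistent. Because the parser derives `title` from the scanner's free-text summary rather than from an identifier, two distinct issues with the same summary on the same component would presumably hash identically and be deduplicated into one finding once the following hunk assigns `DEDUPE_ALGO_HASH_CODE`; the parser hunk further down builds its in-memory `unique_key` from the same three values, so the later issue already overwrites the earlier one there. If that collapse is not intended, adding `'vuln_id_from_tool'` to this field list (and to the parser's key) separates them.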
@@ -1423,6 +1424,7 @@ def saml2_attrib_map_format(dict): 'Checkov Scan': DEDUPE_ALGO_HASH_CODE, 'SpotBugs Scan': DEDUPE_ALGO_HASH_CODE, 'JFrog Xray Unified Scan': DEDUPE_ALGO_HASH_CODE, + 'JFrog Xray On Demand Binary Scan': DEDUPE_ALGO_HASH_CODE, 'Scout Suite Scan': DEDUPE_ALGO_HASH_CODE, 'AWS Security Hub Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, 'Meterian Scan': DEDUPE_ALGO_HASH_CODE, diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/__init__.py new file mode 100644 index 00000000000..e69de29bb2d diff --git a/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py new file mode 100644 index 00000000000..b6901c289c1 --- /dev/null +++ b/dojo/tools/jfrog_xray_on_demand_binary_scan/parser.py 
@@ -0,0 +1,190 @@ +import json +import re + +from cvss import CVSS3 + +from dojo.models import Finding + + +class JFrogXrayOnDemandBinaryScanParser(object): + """jfrog_xray_scan JSON reports""" + + def get_scan_types(self): + return ["JFrog Xray On Demand Binary Scan"] + + def get_label_for_scan_types(self, scan_type): + return scan_type + + def get_description_for_scan_types(self, scan_type): + return "Import Xray findings in JSON format." + + def get_findings(self, json_output, test): + tree = json.load(json_output) + return self.get_items(tree) + + def get_items(self, tree): + items = {} + for data in tree: + if "vulnerabilities" in data: + vulnerability_tree = data["vulnerabilities"] + + for node in vulnerability_tree: + item_set = get_item_set(node) + + for item in item_set: + unique_key = item.title + item.component_name + item.component_version + items[unique_key] = item + + return list(items.values()) + + +def get_component_name_version(name): + match = re.match(r"([a-z]+://[a-z\d\.:]+):([a-z\d\.\-]+)", name, re.IGNORECASE) + if match is None: + return name, "" + return match[1], match[2] + + +def get_severity(vulnerability): + if "severity" in vulnerability: + if vulnerability["severity"] == "Unknown": + severity = "Info" + else: + severity = vulnerability["severity"].title() + else: + severity = "Info" + return severity + + +def get_references(vulnerability): + if "references" in vulnerability: + ref = "" + references = vulnerability["references"] + for reference in references: + if reference[:2] == "- ": + ref += reference + "\n" + else: + ref += "- " + reference + "\n" + return ref + else: + return None + + +def get_remediation(extended_information): + remediation = "" + if "remediation" in extended_information: + remediation = "\n\n**Remediation**\n" + remediation += extended_information["remediation"] + "\n" + return remediation + + +def get_severity_justification(vulnerability): + severity_desc = "" + remediation = "" + extended_information = 
vulnerability.get("extended_information") + if extended_information: + remediation += get_remediation(extended_information) + if "short_description" in extended_information: + severity_desc += "**Short description**\n" + severity_desc += extended_information["short_description"] + "\n" + if "full_description" in extended_information: + severity_desc += "**Full description**\n" + severity_desc += extended_information["full_description"] + "\n" + if "jfrog_research_severity" in extended_information: + severity_desc += "**JFrog research severity**\n" + severity_desc += extended_information["jfrog_research_severity"] + "\n" + if "jfrog_research_severity_reasons" in extended_information: + severity_desc += "**JFrog research severity reasons**\n" + for item in extended_information["jfrog_research_severity_reasons"]: + severity_desc += item["name"] + "\n" if item.get("name") else "" + severity_desc += item["description"] + "\n" if item.get("description") else "" + severity_desc += "_Is positive:_ " + str(item["is_positive"]).lower() + "\n" if item.get("is_positive") else "" + return severity_desc, remediation + + +def process_component(component): + mitigation = "" + impact = "**Impact paths**\n\n- " + fixed_versions = component.get("fixed_versions") + if fixed_versions: + mitigation = "**Versions containing a fix:**\n\n- " + mitigation = mitigation + "\n- ".join(fixed_versions) + if "impact_paths" in component: + refs = [] + impact_paths_l1 = component["impact_paths"] + for impact_paths_l2 in impact_paths_l1: + for item in impact_paths_l2: + if "component_id" in item: + refs.append(item["component_id"]) + if "full_path" in item: + refs.append(item["full_path"]) + if refs: + impact += "\n- ".join(sorted(set(refs))) # deduplication + return mitigation, impact + + +def get_cve(vulnerability): + if "cves" in vulnerability: + cves = vulnerability["cves"] + return cves + return [] + + +def get_vuln_id_from_tool(vulnerability): + if "issue_id" in vulnerability: + return 
vulnerability["issue_id"] + return None + + +def clean_title(title): + if title.startswith("Issue summary: "): + title = title[len("Issue summary: "):] + if '\n' in title: + title = title[:title.index('\n')] + return title + + +def get_item_set(vulnerability): + item_set = [] + severity_justification, remediation = get_severity_justification(vulnerability) + severity = get_severity(vulnerability) + references = get_references(vulnerability) + vuln_id_from_tool = get_vuln_id_from_tool(vulnerability) + vulnerability_ids = list() + cvssv3 = None + cvss_v3 = "No CVSS v3 score." + # Some entries have no CVE entries, despite they exist. Example CVE-2017-1000502. + cves = get_cve(vulnerability) + if len(cves) > 0: + for item in cves: + if item.get("cve"): + vulnerability_ids.append(item.get("cve")) + if "cvss_v3_vector" in cves[0]: + cvss_v3 = cves[0]["cvss_v3_vector"] + cvssv3 = CVSS3(cvss_v3).clean_vector() + + for component_name, component in vulnerability.get("components", {}).items(): + component_name, component_version = get_component_name_version(component_name) + mitigation, impact = process_component(component) + + title = clean_title(vulnerability["summary"]) + # create the finding object + finding = Finding( + title=title, + severity_justification=severity_justification or None, + severity=severity, + description=(vulnerability["summary"]).strip(), + mitigation=(mitigation + remediation) or None, + component_name=component_name, + component_version=component_version, + impact=impact or None, + references=references or None, + static_finding=True, + dynamic_finding=False, + cvssv3=cvssv3, + vuln_id_from_tool=vuln_id_from_tool, + ) + if vulnerability_ids: + finding.unsaved_vulnerability_ids = vulnerability_ids + item_set.append(finding) + return item_set diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json new file mode 100644 index 00000000000..be534784f7f --- /dev/null 
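Review bot: In `get_severity_justification`, the reasons loop guards the is-positive line with `if item.get("is_positive")`, so a reason whose `is_positive` is `false` is silently dropped and the `.lower()` of `str(False)` can never run; `if "is_positive" in item` looks like the intended test. In `get_component_name_version`, the classes `[a-z\d\.:]+` and `[a-z\d\.\-]+` admit no `-` or `_` in the package part, so a name such as the constructed `pypi://django-rest-framework:3.14` never matches and is stored whole with an empty `component_version`, which in turn weakens the version-based hash code; splitting on the last `:` with `name.rpartition(":")` when the name contains `://` would be more robust than the regex. In `get_item_set`, only `cves[0]` is consulted for `cvss_v3_vector`, so a vector present on a later CVE entry is ignored, and a malformed vector makes `CVSS3(...)` raise and abort the whole import rather than leaving `cvssv3` as `None`. `vulnerability["summary"]` is indexed twice without a guard, so a record lacking a summary raises `KeyError` for the entire scan; `vulnerability.get("summary", "")` keeps the import going.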
+++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json 
@@ -0,0 +1,111 @@ +[ + { + "scan_id": "dd8f-4927-5db6-fb188ae8d984", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2017-8923", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Summary of test", + "severity": "High", + "components": { + "gav://org.yaml:snakeyaml:1.16": { + "fixed_versions": [ + "[1.26]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.com" + }, + { + "component_id": "gav://co.com.test.com", + "full_path": "lib/snakeyaml-1.16.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-92904", + "references": [ + "https://test.com.co" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-0114", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "gav://test": { + "fixed_versions": [ + "[1.9.4]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test", + "full_path": "lib/commons-beanutils-1.9.2.jar" + } + ] + ] + } + }, + "issue_id": "XRAY-55616", + "references": [ + "https://test.com.co" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P" + } + ], + "summary": "Summary test", + "severity": "High", + "components": { + "test_item": { + "fixed_versions": [ + "[1.2.8.RELEASE]", + "[1.3.1.RELEASE]" + ], + "impact_paths": [ + [ + { + "component_id": "gav://co.com.test.test:core:1.0.0-test" + }, + { + "component_id": "gav://test.com.co", + "full_path": "lib/test/libtest" + } + ] + ] + } + }, + "issue_id": "XRAY-79870", + "references": [ + "https://test.com.co" + ] + } + ], + "component_id": "gav://co.com.test.test:core:1.0.0-test", + "package_type": "Maven", + "status": "completed" + } + ] 
diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json new file mode 100644 index 00000000000..4af60fa95db --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json 
@@ -0,0 +1,129 @@ +[ + { + "scan_id": "2c4c3ae7-d57d-4bf0-5afa-f191b309a2e2", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2023-3446" + } + ], + "summary": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "severity": "Unknown", + "components": { + "alpine://3.18:libcrypto3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r3]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": 
"generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libcrypto3:3.1.1-r1", + "full_path": "3.18:libcrypto3:3.1.1-r1" + } + ] + ] + }, + "alpine://3.18:libssl3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r3]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libssl3:3.1.1-r1", + "full_path": "3.18:libssl3:3.1.1-r1" + } + ] + ] + } + }, + "issue_id": "XRAY-526273", + "references": [ + "http://www.openwall.com/lists/oss-security/2023/07/19/4", + "http://www.openwall.com/lists/oss-security/2023/07/19/5", + "http://www.openwall.com/lists/oss-security/2023/07/19/6", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23", + "https://www.openssl.org/news/secadv/20230719.txt" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-2975" + } + ], + "summary": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as 
associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.", + "severity": "Unknown", + "components": { + "alpine://3.18:libcrypto3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r2]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libcrypto3:3.1.1-r1", + "full_path": "3.18:libcrypto3:3.1.1-r1" + } + ] + ] + }, + "alpine://3.18:libssl3:3.1.1-r1": { + "fixed_versions": [ + "[3.1.1-r2]" + ], + "impact_paths": [ + [ + { + "component_id": "docker://alpine:latest" + }, + { + "component_id": "generic://sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c/sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar", + "full_path": "sha256__78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c.tar" + }, + { + "component_id": "alpine://3.18:libssl3:3.1.1-r1", + "full_path": 
"3.18:libssl3:3.1.1-r1" + } + ] + ] + } + }, + "issue_id": "XRAY-523321", + "references": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc", + "https://www.openssl.org/news/secadv/20230714.txt" + ] + } + ], + "component_id": "docker://alpine:latest", + "package_type": "Docker", + "status": "completed" + } +] diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json new file mode 100644 index 00000000000..12a51deb52a --- /dev/null +++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json 
@@ -0,0 +1,9130 @@ +[ + { + "scan_id": "b89a2883-51d6-4276-6aeb-e16307acddd6", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2023-30608", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.\n", + "severity": "High", + "components": { + "pypi://sqlparse:0.4.3": { + "fixed_versions": [ + "[0.4.4]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + }, + { + "component_id": "pypi://sqlparse:0.4.3" + } + ] + ] + } + }, + "issue_id": "XRAY-515353", + "references": [ + "https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb", + "https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a", + "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2", + "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-24580", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. 
Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.", + "severity": "High", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-418183", + "references": [ + "http://www.openwall.com/lists/oss-security/2023/02/14/1", + "https://docs.djangoproject.com/en/4.1/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce", + "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html" + ], + "extended_information": { + "short_description": "A design problem in Django may lead to denial of service when processing multipart forms.", + "full_description": "[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development.\r\n\r\nA vulnerability has been discovered in the Multipart Request Parser in Django. By passing certain inputs (such as an excessive number of parts) to multipart forms, an attacker can trigger too many open files or memory exhaustion, which may lead to a denial-of-service attack. \r\n\r\nThe issue is only exploitable when the `MultiPartParser` class is used by the Django app/", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find a multipart form that receives files in order to trigger this issue, although this does not require intimate per-target research and can be automated.", + "is_positive": true + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "Exploitation only requires sending a large amount of files to a multipart form" + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "The impact of the vulnerability is a remote denial of service that requires no user interaction or per-target specific research" + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "The vulnerability is exploitable via remote multipart form requests that contain a maliciously excessive amount of files." + } + ], + "remediation": "##### Development mitigations\n\nUse AJAX to submit the form data asynchronously and use the FormData API to create a multipart/form-data request. This method allows to handle file uploads without using `MultiPartParser` explicitly. 
The FormData API also provides a convenient way to append form data to the request, including file uploads.\r\n```\r\n// HTML form\r\n\u003cform id=\"myForm\"\u003e\r\n \u003cinput type=\"text\" name=\"title\"\u003e\r\n \u003cinput type=\"file\" name=\"file\"\u003e\r\n \u003cbutton type=\"submit\"\u003eSubmit\u003c/button\u003e\r\n\u003c/form\u003e\r\n\r\n// JavaScript\r\n\u003cscript\u003e\r\n const form = document.getElementById('myForm');\r\n form.addEventListener('submit', async (event) =\u003e {\r\n event.preventDefault();\r\n\r\n const formData = new FormData(form);\r\n\r\n try {\r\n const response = await fetch('/upload/', {\r\n method: 'POST',\r\n body: formData\r\n });\r\n const result = await response.json();\r\n console.log(result);\r\n } catch (error) {\r\n console.error(error);\r\n }\r\n });\r\n\u003c/script\u003e\r\n\r\n// Django view\r\nfrom django.http import JsonResponse\r\n\r\ndef upload_view(request):\r\n if request.method == 'POST':\r\n title = request.POST.get('title')\r\n file = request.FILES.get('file')\r\n # process the title and file data\r\n return JsonResponse({'success': True})\r\n else:\r\n # return a response for other HTTP methods\r\n```" + } + }, + { + "cves": [ + { + "cve": "CVE-2023-23969", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. 
This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.", + "severity": "High", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-416423", + "references": [ + "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/", + "https://docs.djangoproject.com/en/4.1/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce", + "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html" + ], + "extended_information": { + "short_description": "An inefficient regular expression in Django may allow remote attackers to cause denial of service when using the LocaleMiddleware middleware.", + "full_description": "[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development. \r\n\r\nIn Django, it is possible to localize and translate web pages via the `LocaleMiddleware` middleware. When using said middleware, the content of the `Accept-Language` header is parsed via a regex. In order to improve performance, a caching mechanism was implemented which would cache the 1000 most recent parse results of `Accept-Language` headers.\r\n\r\nIn the vulnerable versions of Django, it was discovered that while the regex used for parsing the `Accept-Language` header is not prone to ReDoS on its own (as the regex is mostly straight forward, with little to no nesting), when combined with the caching mechanism, very long input for regex, Django is prone to excessive memory usage. This excessive memory usage results in memory exhaustion which could lead to denial of service.\r\n\r\nThe vulnerability is not exploitable under Django's default configuration since -\r\n\r\n1. 
The `LocaleMiddleware` is not used by default\r\n\r\n2. The vulnerability is only exploitable if the Django server is deployed via an Apache HTTP Server configured with `LimitRequestFieldSize` set to 64KB. By default, Apache's request field size limit is 8KB. The vulnerability is not exploitable when deploying Django using Nginx with either Gunicorn or uWSGI in any configuration.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "The impact of the vulnerability is a remote denial of service that requires no user interaction or per-target specific research" + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "The vulnerability is exploitable via remote requests that contain a maliciously crafted `Accept-Language` header." + }, + { + "name": "The issue has an exploit published", + "description": "Test code contains a PoC for invalid `Accept-Language` header." + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is very unlikely for attackers to be able to access Django servers that are not deployed using Apache or Nginx. And when Django is deployed using Apache, it is unlikely for the request field size limit to be higher than the default amount.", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2023-31047", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). 
However, Django's \"Uploading multiple files\" documentation suggested otherwise.", + "severity": "Critical", + "components": { + "pypi://django:4.1.4": { + "fixed_versions": [ + "[3.2.19]", + "[4.1.9]", + "[4.2.1]" + ], + "impact_paths": [ + [ + { + "component_id": "pypi://" + }, + { + "component_id": "pypi://django:4.1.4" + } + ] + ] + } + }, + "issue_id": "XRAY-519232", + "references": [ + "https://www.djangoproject.com/weblog/2023/may/03/security-releases/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/", + "https://docs.djangoproject.com/en/4.2/releases/security/", + "https://groups.google.com/forum/#!forum/django-announce" + ] + } + ], + "component_id": "root", + "package_type": "Generic", + "status": "completed" + }, + { + "scan_id": "5971d1ef-b6ba-4d7d-6ba0-65d595208ee3", + "vulnerabilities": [ + { + "cves": [ + { + "cve": "CVE-2022-21803", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. 
By providing a crafted property, it is possible to modify the properties on the Object.prototype.", + "severity": "High", + "components": { + "npm://nconf:0.6.9": { + "fixed_versions": [ + "[0.11.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-208869", + "references": [ + "https://github.com/indexzero/nconf/pull/397", + "https://github.com/indexzero/nconf/releases/tag/v0.11.4", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450", + "https://snyk.io/vuln/SNYK-JS-NCONF-2395478" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16776", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N", + "cvss_v3_score": "8.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "High", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92764", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16777", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92763", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://security.gentoo.org/glsa/202003-48", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-7408", + "cvss_v2_score": "4.6", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "7.8", + "cvss_v3_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as \"next: 5.7.0\" and therefore automatically installed by an \"npm upgrade -g npm\" command, and also announced in the vendor's blog without mention of pre-release status). 
It might allow local users to bypass intended filesystem access restrictions because ownerships of /etc and /usr directories are being changed unexpectedly, related to a \"correctMkdir\" issue.", + "severity": "High", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-73410", + "references": [ + "http://blog.npmjs.org/post/171169301000/v571", + "https://github.com/npm/npm/commit/74e149da6efe6ed89477faa81fef08eee7999ad0", + "https://github.com/npm/npm/issues/19883" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-16775", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. 
This vulnerability bypasses a user using the --ignore-scripts install option.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-92765", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/", + "https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/errata/RHEA-2020:0330", + "https://access.redhat.com/errata/RHSA-2020:0573", + "https://access.redhat.com/errata/RHSA-2020:0579", + "https://access.redhat.com/errata/RHSA-2020:0597", + "https://access.redhat.com/errata/RHSA-2020:0602", + "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-15095", + "cvss_v2_score": "1.9", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "4.4", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N" + } + ], + "summary": "Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like \"\u003cprotocol\u003e://[\u003cuser\u003e[:\u003cpassword\u003e]@]\u003chostname\u003e[:\u003cport\u003e][:][/]\u003cpath\u003e\". 
The password value is not redacted and is printed to stdout and also to any generated log files.", + "severity": "Medium", + "components": { + "npm://npm:3.10.10": { + "fixed_versions": [ + "[6.14.6]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + } + ] + ] + } + }, + "issue_id": "XRAY-105289", + "references": [ + "https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/", + "https://security.gentoo.org/glsa/202101-07", + "https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07", + "https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "2.6", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "5.9", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "JavaScript Big Number (jsbn) index.js Multiple Functions Timing Side-channel Information Disclosure", + "severity": "Medium", + "components": { + "npm://jsbn:0.1.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://jsprim:1.4.2" + }, + { + "component_id": "npm://extsprintf:1.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://jsprim:1.4.2" + }, + { + "component_id": "npm://extsprintf:1.3.0" + }, + { + "component_id": "npm://extsprintf:1.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://sshpk:1.17.0" + }, + { + "component_id": "npm://ecc-jsbn:0.1.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://http-signature:1.1.1" + }, + { + "component_id": "npm://sshpk:1.17.0" + }, + { + "component_id": "npm://ecc-jsbn:0.1.2" + }, + { + "component_id": "npm://jsbn:0.1.1" + } + ] + ] + } + }, + "issue_id": "XRAY-228919", + "references": [ + "https://github.com/andyperlitch/jsbn/issues/43", + "https://twitter.com/SoatokDhole/status/1536765180645974016", + "https://soatok.blog/2022/06/14/when-soatok-used-bugcrowd/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-28469" + } + ], + "summary": "Regular expression denial of service", + "severity": "Medium", + "components": { + "npm://glob-parent:2.0.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + 
"component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://parse-glob:3.0.4" + }, + { + "component_id": "npm://glob-base:0.3.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ] + ] + }, + "npm://glob-parent:3.1.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://glob-parent:3.1.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N14", + "references": [ + "https://npmjs.com/advisories/1751", + "- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-28469)\n- [GitHub Advisory](https://github.com/advisories/GHSA-ww39-953v-wcq6)\n" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-28469", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "This affects the package glob-parent before 5.1.2. 
The enclosure regex used to check for strings ending in enclosure containing path separator.", + "severity": "High", + "components": { + "npm://glob-parent:2.0.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://parse-glob:3.0.4" + }, + { + "component_id": "npm://glob-base:0.3.0" + }, + { + "component_id": "npm://glob-parent:2.0.0" + } + ] + ] + }, + "npm://glob-parent:3.1.0": { + "fixed_versions": [ + "[5.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://glob-parent:3.1.0" + } + ] + ] + } + }, + "issue_id": "XRAY-177872", + "references": [ + "https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9", + "https://github.com/gulpjs/glob-parent/pull/36", + "https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092", + "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905", + "https://www.oracle.com/security-alerts/cpujan2022.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "0.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:N", + "cvss_v3_score": "0.0", + 
"cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N" + } + ], + "summary": "Commander.js Package for Node.js index.js parse() Function Argument Parsing Arbitrary Code Execution Weakness", + "severity": "Unknown", + "components": { + "npm://commander:0.6.1": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + }, + { + "component_id": "npm://commander:0.6.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + }, + { + "component_id": "npm://mkdirp:0.3.0" + } + ] + ] + }, + "npm://commander:2.3.0": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://commander:2.3.0" + } + ] + ] + }, + "npm://commander:2.5.1": { + "fixed_versions": [ + "[3.0.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ] + ] + } + }, + "issue_id": "XRAY-199126", + "references": [ + "https://advisory.checkmarx.net/advisory/CX-2019-4298", + "https://github.com/tj/commander.js/pull/1056", + "https://github.com/tj/commander.js/commit/2544df81b478a4afe15560f27b3575aa3a1581c4" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-7610", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + 
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.", + "severity": "Critical", + "components": { + "npm://bson:1.0.9": { + "fixed_versions": [ + "[1.1.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + }, + { + "component_id": "npm://mongodb-core:2.1.20" + }, + { + "component_id": "npm://bson:1.0.9" + } + ] + ] + } + }, + "issue_id": "XRAY-95944", + "references": [ + "https://snyk.io/vuln/SNYK-JS-BSON-561052" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-2391", + "cvss_v2_score": "5.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:N", + "cvss_v3_score": "5.4", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" + } + ], + "summary": "Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. 
js-bson library version 1.1.3 and prior to.", + "severity": "Medium", + "components": { + "npm://bson:1.0.9": { + "fixed_versions": [ + "[1.1.4]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + }, + { + "component_id": "npm://mongodb-core:2.1.20" + }, + { + "component_id": "npm://bson:1.0.9" + } + ] + ] + } + }, + "issue_id": "XRAY-95979", + "references": [ + "https://github.com/mongodb/js-bson/releases/tag/v1.1.4" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Mocha Package for Node.js lib/utils.js clean() Function Improper Regular Expression DoS", + "severity": "High", + "components": { + "npm://mocha:2.5.3": { + "fixed_versions": [ + "[10.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + } + ] + ] + } + }, + "issue_id": "XRAY-228815", + "references": [ + "https://github.com/mochajs/mocha/pull/4770", + "https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155", + "cvss_v3_score": "6.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "summary": "** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). 
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-428016", + "references": [ + "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", + "https://github.com/request/request/issues/3442", + "https://github.com/request/request/pull/3444" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16026", + "cvss_v2_score": "7.1", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:N/A:N", + "cvss_v3_score": "5.9", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "Request is an http client. If a request is made using ```multipart```, and the body type is a ```number```, then the specified number of non-zero memory is passed in the body. 
This affects Request \u003e=2.2.6 \u003c2.47.0 || \u003e2.51.0 \u003c=2.67.0.", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72544", + "references": [ + "https://github.com/request/request/issues/1904", + "https://github.com/request/request/pull/2018", + "https://nodesecurity.io/advisories/309" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N133", + "references": [ + 
"https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N134", + "references": [ + "https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-28155" + } + ], + "summary": "Server-Side Request Forgery in Request", + "severity": "Medium", + "components": { + "npm://request:2.36.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" 
+ } + ] + ] + }, + "npm://request:2.67.0": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N135", + "references": [ + "https://github.com/advisories/GHSA-p8p7-x288-28g6", + "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://github.com/advisories/GHSA-p8p7-x288-28g6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2015-8858", + "cvss_v2_score": "7.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a \"regular expression denial of service (ReDoS).\"", + "severity": "High", + "components": { + "npm://uglify-js:2.4.24": { + "fixed_versions": [ + "[2.6.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://uglify-js:2.4.24" + } + ] + ] + } + }, + "issue_id": "XRAY-72508", + "references": [ + "http://www.securityfocus.com/bid/96409", + "https://nodesecurity.io/advisories/48", + "http://www.openwall.com/lists/oss-security/2016/04/20/11" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-23358", + "cvss_v2_score": "6.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "7.2", + 
"cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", + "severity": "High", + "components": { + "npm://underscore:1.8.3": { + "fixed_versions": [ + "[1.12.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://commander:2.5.1" + } + ] + ] + } + }, + "issue_id": "XRAY-159876", + "references": [ + "https://www.tenable.com/security/tns-2021-14", + "https://www.debian.org/security/2021/dsa-4883", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/", + "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", + "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", + "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E", + 
"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P" + } + ], + "summary": "utile Package for Node.js lib/base64.js base64.encode() Function Buffer Allocation Handling Memory Consumption DoS", + "severity": "Medium", + "components": { + "npm://utile:0.2.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://utile:0.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://prompt:0.2.14" + }, + { + "component_id": "npm://utile:0.2.1" + } + ] + ] + }, + "npm://utile:0.3.0": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + } + ] + ] + } + }, + "issue_id": "XRAY-78627", + "references": [ + "https://hackerone.com/reports/321701", + "https://www.npmjs.com/package/utile" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-3728", + "cvss_v2_score": "6.5", + "cvss_v2_vector": 
"CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "8.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "severity": "High", + "components": { + "npm://hoek:0.9.1": { + "fixed_versions": [ + "[4.2.1]", + "[5.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://boom:0.4.2" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://sntp:0.2.4" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + }, + { + "component_id": "npm://boom:0.4.2" + }, + { + "component_id": "npm://hoek:0.9.1" + } + ] + ] + }, + "npm://hoek:2.16.3": { + "fixed_versions": [ + "[4.2.1]", + "[5.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + 
"component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": 
"npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://sntp:1.0.9" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://sntp:1.0.9" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + 
{ + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + }, + { + "component_id": "npm://boom:2.10.1" + }, + { + "component_id": "npm://hoek:2.16.3" + } + ] + ] + } + }, + "issue_id": "XRAY-73062", + "references": [ + "http://www.securityfocus.com/bid/103108", + "https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee", + "https://nodesecurity.io/advisories/566", + "https://hackerone.com/reports/310439", + "https://snyk.io/vuln/npm:hoek:20180212", + "https://access.redhat.com/errata/RHSA-2018:1263", + "https://access.redhat.com/errata/RHSA-2018:1264" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-10540", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. 
The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72610", + "references": [ + "https://nodesecurity.io/advisories/118" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-3517" + } + ], + "summary": "minimatch ReDoS vulnerability", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N91", + "references": [ + "https://github.com/advisories/GHSA-f8q6-p94x-37v3", + "- https://nvd.nist.gov/vuln/detail/CVE-2022-3517\n- https://github.com/grafana/grafana-image-renderer/issues/329\n- https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6\n- https://github.com/nodejs/node/issues/42510\n- https://github.com/advisories/GHSA-f8q6-p94x-37v3" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-3517", 
+ "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", + "severity": "High", + "components": { + "npm://minimatch:0.3.0": { + "fixed_versions": [ + "[3.0.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://glob:3.2.11" + }, + { + "component_id": "npm://minimatch:0.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-257996", + "references": [ + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20162", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. 
The associated identifier of this vulnerability is VDB-217451.", + "severity": "Medium", + "components": { + "npm://ms:0.7.1": { + "fixed_versions": [ + "[2.0.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + }, + { + "component_id": "npm://ms:0.7.1" + } + ] + ] + } + }, + "issue_id": "XRAY-413139", + "references": [ + "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", + 
"https://github.com/vercel/ms/pull/89", + "https://github.com/vercel/ms/releases/tag/2.0.0", + "https://vuldb.com/?ctiid.217451", + "https://vuldb.com/?id.217451" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "summary": "Platform.js HTTP User-Agent Header Parsing Regular Expression Handling Remote DoS", + "severity": "Medium", + "components": { + "npm://platform:1.3.1": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://helmet-csp:1.2.2" + }, + { + "component_id": "npm://lodash.reduce:4.5.0" + } + ] + ] + } + }, + "issue_id": "XRAY-78635", + "references": [ + "https://github.com/bestiejs/platform.js", + "https://github.com/bestiejs/platform.js/issues/139" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-10064", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. 
An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72519", + "references": [ + "https://nodesecurity.io/advisories/28" + ] + }, + { + "cves": [ + { + "cve": "CVE-2014-7191", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ], + "summary": "The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.", + "severity": "Medium", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73097", + "references": [ + "http://www-01.ibm.com/support/docview.wss?uid=swg21685987", + "http://www-01.ibm.com/support/docview.wss?uid=swg21687263", + "http://www-01.ibm.com/support/docview.wss?uid=swg21687928", + "https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8", + "https://github.com/visionmedia/node-querystring/issues/104", + 
"https://nodesecurity.io/advisories/qs_dos_memory_exhaustion", + "https://access.redhat.com/errata/RHSA-2016:1380", + "http://secunia.com/advisories/60026", + "http://secunia.com/advisories/62170", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/96729" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-1000048", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://qs:5.2.1": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://qs:5.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-94949", + "references": [ + "https://github.com/ljharb/qs/issues/200", + "https://access.redhat.com/errata/RHSA-2017:2672" + ] + }, + { + "cves": [ + { + "cve": 
"CVE-2022-24999", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has \"deps: qs@6.9.7\" in its release description, is not vulnerable).", + "severity": "High", + "components": { + "npm://qs:0.6.6": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://qs:5.2.1": { + "fixed_versions": [ + "[6.10.3]", + "[6.2.4]", + "[6.3.3]", + "[6.4.1]", + "[6.5.3]", + "[6.6.1]", + "[6.7.3]", + "[6.8.3]", + "[6.9.7]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://qs:5.2.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-262099", + "references": [ + "https://github.com/expressjs/express/releases/tag/4.17.3", + 
"https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999" + ], + "extended_information": { + "short_description": "Insufficient input validation in qs leads to prototype pollution when parsing attacker-controlled query strings.", + "full_description": "[qs](https://npmjs.org/package/qs) is an npm library that provides query string parsing to objects and stringifying.\r\n\r\n[Express.js](https://www.npmjs.com/package/express) is a trending web framework for Node.js and uses `qs` as one of its dependencies.\r\n\r\nIt was discovered that the `parseObject` function in `qs` did not guard against prototype pollution when parsing query strings, by allowing the use of `__proto__` keys instead of ignoring them. Therefore, any calls with untrusted user input would cause the injection of arbitrary values into the Object prototype and could lead to denial-of-service.\r\n\r\nBy default, the `qs` library doesn't allow prototypes when parsing, so only non-default parsing configurations are affected. An example: `qs.parse(payload, { allowPrototypes: true });`\r\n\r\nThe issue also affects `Express.js` web framework, which uses the `qs` package to parse user-supplied query strings (from `HTTP GET` requests). That is due to `Express.js` parsing the queries with the `qs` `allowPrototypes=true` option enabled by default.\r\nThe vulnerable function is called when processing a request and does not have to be invoked by the developer directly.\r\n\r\nWhen treating the resulting query object that is inside `req.query` as a string or as an array, it causes Node.js to hang. 
An example would be code that processes a string addition: `const newVar = req.query.testString + \"0\";`\r\nAnother example would be code that searches an element in an array: `req.query.testArray.indexOf(\"123\")`\r\n\r\nThe vulnerability doesn't affect the use of `qs` with default configuration (without the enabling of `allowPrototypes`).\r\n\r\nExample malicious query string payload -\r\n```\r\na[__proto__]\u0026a[__proto__]\u0026a[length]=100000000\r\n```", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "The issue can be exploited by attackers over the network", + "description": "`express` is a Node.js web framework and is very likely to parse user-supplied query strings." + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "Prototype pollution is well documented and the vulnerability is very trivial to exploit." + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "In `qs`, only applicable to `qs.parse` calls that have the `allowPrototypes=true` option, which is not enabled by default.\r\nIn `express`, the vulnerability is exploitable by default, but mostly for denial-of-service impact", + "is_positive": true + }, + { + "name": "The issue has a detailed technical explanation published, that can aid in exploit development", + "description": "Multiple public Proof-of-Concepts demonstrating exploitation of this issue are available, including a detailed writeup." + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n##### Development mitigations\n\nIn `qs`, don't use the `{ allowPrototypes: true}` parsing option.\r\nIn `express`, add the following line to switch from using the vulnerable `qs` to `query-string` npm library:\r\n```\r\napp.set('query parser', 'simple');\r\n```" + } + }, + { + "cves": [ + { + "cvss_v2_score": "7.1", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "mongodb Package for Node.js (node-mongodb-native) lib/operations/db_ops.js createCollection() Function Collection Name Validation Improper Exception Handling DoS", + "severity": "High", + "components": { + "npm://mongodb:2.2.36": { + "fixed_versions": [ + "[3.1.13]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mongodb:2.2.36" + } + ] + ] + } + }, + "issue_id": "XRAY-90643", + "references": [ + "https://www.npmjs.com/advisories/1203", + "https://jira.mongodb.org/browse/NODE-1839", + 
"https://github.com/mongodb/node-mongodb-native/commit/210c71dccd8d8fdeadd9b4d1571e5fdb93e0f02f" + ] + }, + { + "cves": [ + { + "cve": "CVE-2023-0842", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "summary": "xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.", + "severity": "Medium", + "components": { + "npm://xml2js:0.4.4": { + "fixed_versions": [ + "[0.5.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://selenium-webdriver:2.53.3" + }, + { + "component_id": "npm://xml2js:0.4.4" + } + ] + ] + } + }, + "issue_id": "XRAY-513455", + "references": [ + "https://fluidattacks.com/advisories/myers/", + "https://github.com/Leonidas-from-XIV/node-xml2js/" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-29167", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. 
If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.", + "severity": "High", + "components": { + "npm://hawk:1.0.0": { + "fixed_versions": [ + "[3.1.3]", + "[4.1.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + }, + "npm://hawk:3.1.3": { + "fixed_versions": [ + "[9.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-209780", + "references": [ + "https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq", + "https://github.com/mozilla/hawk/pull/286" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-1000232", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appear to be exploitable via Custom HTTP header passed by client. 
This vulnerability appears to have been fixed in 2.3.0.", + "severity": "Medium", + "components": { + "npm://tough-cookie:2.2.2": { + "fixed_versions": [ + "[2.3.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tough-cookie:2.2.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-73084", + "references": [ + "https://access.redhat.com/security/cve/cve-2016-1000232", + "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae", + "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534", + "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232/", + "https://www.npmjs.com/advisories/130", + "https://access.redhat.com/errata/RHSA-2016:2101", + "https://access.redhat.com/errata/RHSA-2017:2912" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-15010", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. 
An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.", + "severity": "High", + "components": { + "npm://tough-cookie:2.2.2": { + "fixed_versions": [ + "[2.3.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tough-cookie:2.2.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72482", + "references": [ + "http://www.securityfocus.com/bid/101185", + "https://github.com/salesforce/tough-cookie/issues/92", + "https://nodesecurity.io/advisories/525", + "https://snyk.io/vuln/npm:tough-cookie:20170905", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT/", + "https://access.redhat.com/errata/RHSA-2017:2912", + "https://access.redhat.com/errata/RHSA-2017:2913", + "https://access.redhat.com/errata/RHSA-2018:1263", + "https://access.redhat.com/errata/RHSA-2018:1264" + ] + }, + { + "summary": "Memory Exposure in tunnel-agent", + "severity": "Medium", + "components": { + "npm://tunnel-agent:0.4.3": { + "fixed_versions": [ + "[0.6.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://tunnel-agent:0.4.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N78", + "references": [ + "https://github.com/advisories/GHSA-xc7v-wxcw-j472", + "- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\n- https://www.npmjs.com/advisories/598\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472" + ] + }, + { + "summary": "Withdrawn: ESLint dependencies are vulnerable (ReDoS and Prototype Pollution)", + "severity": "Medium", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + 
"component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + 
"[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-N39", + "references": [ + "https://github.com/advisories/GHSA-7fhm-mqm4-2wp7", + "- https://github.com/advisories/GHSA-6chw-6frg-f759\n- https://github.com/advisories/GHSA-7fhm-mqm4-2wp7" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "10.0", + "cvss_v2_vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "minimist Package for Node.js --__proto__.y=Polluted Argument Handling Prototype Pollution Remote Property Manipulation", + "severity": "Critical", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + 
}, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, 
+ { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-95632", + "references": [ + "https://bdu.fstec.ru/vul/2020-01147", + "https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", + "https://www.npmjs.com/advisories/1179", + "https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-44906", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Minimist \u003c=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).", + "severity": "Critical", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": 
"npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-200203", + "references": [ + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" + ], + "extended_information": { + "short_description": "Insufficient input validation in Minimist npm package leads to prototype pollution of constructor functions which allows remote attacker with unspecified impact.", + "full_description": "[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. It is used by more than 14 million by Mar 2022. 
This package developers stopped developing it since April 2020 and its community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) supported by the community.\r\n\r\n\r\nAn incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions which means they can be overridden. This behavior can be triggered easily when using it insecurely (which is the common usage). For example:\r\n```\r\nvar argv = parse(['--_.concat.constructor.prototype.y', '123']);\r\nt.equal((function(){}).foo, undefined);\r\nt.equal(argv.y, undefined);\r\n```\r\nIn this example, `prototype.y` is assigned with `123` which will be derived to every newly created object. \r\n\r\nThis vulnerability can be triggered when the attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must be able to control a command-line parameter that is passed to a Node.js program that uses Minimist to parse the arguments", + "is_positive": true + }, + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrated exploitation of this attack, with an unspecified impact" + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "cves": [ + { + "cve": "CVE-2020-7598", + "cvss_v2_score": "6.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "5.6", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "summary": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.", + "severity": "Medium", + "components": { + "npm://minimist:0.0.10": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + 
"component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://broadway:0.3.6" + }, + { + "component_id": "npm://nconf:0.6.9" + }, + { + "component_id": "npm://async:0.2.9" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://flatiron:0.4.3" + }, + { + "component_id": "npm://optimist:0.6.0" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ], + [ + { + 
"component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + }, + { + "component_id": "npm://optimist:0.6.1" + }, + { + "component_id": "npm://minimist:0.0.10" + } + ] + ] + }, + "npm://minimist:0.0.8": { + "fixed_versions": [ + "[0.2.1]", + "[1.2.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-npm-install:0.3.1" + }, + { + "component_id": "npm://npm:3.10.10" + }, + { + "component_id": "npm://mkdirp:0.5.1" + }, + { + "component_id": "npm://minimist:0.0.8" + } + ] + ] + } + }, + "issue_id": "XRAY-95385", + "references": [ + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" + ], + "extended_information": { + "short_description": "Missing sanitization in minimist can lead to prototype pollution when parsing command line arguments.", + "full_description": "Node-js based applications (command line tools) that use the [minimist]() package to parse command line arguments can be vulnerable to prototype pollution if an attacker can fully control the arguments provided to the command line tools. The security impact depends on the specific application, since this is a prototype pollution issue, and can range from no impact at all, to authentication bypass, DoS or even RCE.\r\n\r\nAs an demonstration of an application vulnerable to authentication bypass, the following application reads a configuration file and makes a decision based on it. 
However, it also uses `minimist` and is thus vulnerable to this vulnerability -\r\n\r\n```js\r\nconst minimist = require('minimist');\r\nconst fs = require('fs');\r\n\r\nconst argv = minimist(process.argv.slice(2));\r\n\r\nlet confdata = fs.readFileSync('conf.json');\r\nlet conf = JSON.parse(confdata);\r\n\r\nif (conf.role == 'admin') {\r\n // grant access\r\n} else {\r\n // deny access\r\n}\r\n```\r\n\r\nThis assumes the attacker is able to execute the vulnerable application and control the command line arguments (this usually would only be possible if the attacker has local privileges and shell access that will allow the execution of the application with arbitrary command line arguments). \r\n\r\nIn the example, the attacker would want to modify the value of the `role` property to `admin`, which can be achieved by executing the vulnerable application in this way -\r\n\r\n```bash\r\n./vulnerable_node_app --__proto__.role admin\r\n```\r\n\r\nThe vulnerable application is using the `role` property to decide whether to allow or deny application-specific actions. However, exploitation would require specific tailoring to the vulnerable application, as other applications might not have a similar property. The specific exploitation method would need to be researched by the attacker, which would also require the attacker having some access to the vulnerable application code).\r\n\r\nWhile an exploit was [published](https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a), it is not generic and would need to be modified to the specific application under attack. 
Moreover, from the attacker perspective the crux of being able to even use this exploit is being able to control the command line arguments in the first place.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is highly uncommon for applications to receive arguments directly from network input or unprivileged local users", + "is_positive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "Attacker vector, AV, was set to network even though this vulnerability cannot be necessarily triggered from the network, only in very specific environments that take network input and provide it as an argument to applications that use minimist", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cvss_v2_score": "9.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "unset-value Package for Node.js index.js unset() Function Prototype Pollution Arbitrary Code Execution", + "severity": "Critical", + "components": { + "npm://unset-value:1.0.0": { + "fixed_versions": [ + "[2.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": 
"npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" 
+ }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://unset-value:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, 
+ { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ] + ] + } + }, + "issue_id": "XRAY-198324", + "references": [ + "https://github.com/jonschlinkert/unset-value/issues/11", + "https://github.com/jonschlinkert/unset-value/pull/12", + "https://github.com/jonschlinkert/unset-value/commit/56fe0f2374c73f281a5b44909dcec3a4f9d6f9f4" + ], + "extended_information": { + "short_description": "Insufficient input validation in unset-value unset() leads to prototype pollution", + "full_description": "[unset-value](https://www.npmjs.com/package/unset-value) is small JavaScript utility package that provides an API to delete nested properties from an object using dot notation\n\nThe function `unset` was found to be vulnerable to prototype pollution, when accepting arbitrary properties from untrusted input\n\nExample of code vulnerable to this issue - \n```js\nconst unset = require('unset-value'); \nconst evilprop = '__proto__.toString';\nunset({}, evilprop);\n```\n\nSince this prototype pollution only allows to remove properties from the prototype (and not set them to arbitrary values), the pollution leads to denial of service only and won't lead to remote code execution in feasible scenarios.", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "Context-dependent exploitation", + "description": "An attacker must find remote input that propagates into the `unset` method (2nd arg)", + "is_positive": true + }, + { + "name": "Context-dependent impact", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is 
triggered.\nIn this specific case, properties can only be deleted from the prototype. Therefore, the only feasible impact is a denial of service attack.", + "is_positive": true + }, + { + "name": "Has published exploit", + "description": "The package's test code contains a PoC that triggers the vulnerability " + } + ], + "remediation": "##### Development mitigation\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "summary": "Remote Memory Exposure", + "severity": "High", + "components": { + "npm://bl:1.0.3": { + "fixed_versions": [ + "[1.2.3]", + "[2.2.1]", + "[3.0.1]", + "[4.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://bl:1.0.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N17", + "references": [ + "https://npmjs.com/advisories/1555", + "- https://github.com/advisories/GHSA-pp7h-53gx-mx7r\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8244\n- https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e\n- https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190\n- https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466\n- https://hackerone.com/reports/966347" + ] + }, + { + "cves": [ + { + "cve": "CVE-2020-8244", + "cvss_v2_score": "6.4", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" + } + ], + "summary": "A buffer over-read vulnerability exists in bl \u003c4.0.3, \u003c3.0.1, \u003c2.2.1, and \u003c1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "severity": "Medium", + "components": { + "npm://bl:1.0.3": { + "fixed_versions": [ + "[1.2.3]", + "[2.2.1]", + "[3.0.1]", + "[4.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://bl:1.0.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://isstream:0.1.2" + } + ] + ] + } + }, + "issue_id": "XRAY-122434", + "references": [ + "https://hackerone.com/reports/966347", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1109", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "severity": "Medium", + "components": { + "npm://braces:1.8.5": { + "fixed_versions": [ + "[2.3.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://anymatch:1.3.2" + }, + { + "component_id": "npm://micromatch:2.3.11" + }, + { + "component_id": "npm://array-unique:0.2.1" + } + ] + ] + } + }, + "issue_id": "XRAY-160030", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1547272", + "https://snyk.io/vuln/npm:braces:20180219" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1000620" + } + ], + "summary": "Insufficient Entropy", + "severity": "High", + "components": { + "npm://cryptiles:0.2.2": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + } + ] + ] + }, + "npm://cryptiles:2.0.5": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ] + ] + } + }, + "issue_id": "XRAY-N10", + "references": [ + "https://npmjs.com/advisories/1464", + "- [GitHub PR](https://github.com/hapijs/cryptiles/issues/34)" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1000620", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. 
This vulnerability appears to have been fixed in 4.1.2.", + "severity": "Critical", + "components": { + "npm://cryptiles:0.2.2": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + }, + { + "component_id": "npm://cryptiles:0.2.2" + } + ] + ] + }, + "npm://cryptiles:2.0.5": { + "fixed_versions": [ + "[4.1.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://retire:1.1.6" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-retire:0.3.12" + }, + { + "component_id": "npm://request:2.67.0" + }, + { + "component_id": "npm://hawk:3.1.3" + }, + { + "component_id": "npm://cryptiles:2.0.5" + } + ] + ] + } + }, + "issue_id": "XRAY-84448", + "references": [ + "https://github.com/hapijs/cryptiles/issues/34" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165" + } + ], + "summary": "debug Inefficient Regular Expression Complexity vulnerability", + "severity": "Low", + "components": { + "npm://debug:2.2.0": { + 
"fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + }, + "npm://debug:2.6.9": { + "fixed_versions": [ + "[3.1.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express-session:1.17.3" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express:4.18.2" + }, + { + "component_id": "npm://body-parser:1.20.1" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://body-parser:1.20.2" + }, + { + "component_id": "npm://debug:2.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N115", + "references": [ + "https://github.com/advisories/GHSA-9vvw-cc9w-f27h", + "- https://nvd.nist.gov/vuln/detail/CVE-2017-20165\n- https://github.com/debug-js/debug/pull/504\n- https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685\n- https://github.com/debug-js/debug/releases/tag/3.1.0\n- https://vuldb.com/?ctiid.217665\n- https://vuldb.com/?id.217665\n- https://github.com/advisories/GHSA-9vvw-cc9w-f27h" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165" + } + ], + "summary": "debug Inefficient Regular Expression Complexity vulnerability", + "severity": "Low", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" 
+ }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + }, + "npm://debug:2.6.9": { + "fixed_versions": [ + "[3.1.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express-session:1.17.3" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://express:4.18.2" + }, + { + "component_id": "npm://body-parser:1.20.1" + }, + { + "component_id": "npm://debug:2.6.9" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://body-parser:1.20.2" + }, + { + "component_id": "npm://debug:2.6.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N116", + "references": [ + "https://github.com/advisories/GHSA-9vvw-cc9w-f27h", + "- https://nvd.nist.gov/vuln/detail/CVE-2017-20165\n- https://github.com/debug-js/debug/pull/504\n- https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685\n- https://github.com/debug-js/debug/releases/tag/3.1.0\n- https://vuldb.com/?ctiid.217665\n- https://vuldb.com/?id.217665\n- https://github.com/advisories/GHSA-9vvw-cc9w-f27h" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-41720" + } + ], + "summary": "Arbitrary code execution in lodash", + "severity": "Critical", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + }, + "npm://lodash:4.17.21": { + "fixed_versions": [ + "(,0.0.0)" + ], + "impact_paths": [ + [ + { + "component_id": 
"npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-watch:1.1.0" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-watch:1.1.0" + }, + { + "component_id": "npm://gaze:1.1.3" + }, + { + "component_id": "npm://globule:1.3.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-jsbeautifier:0.2.13" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://async:2.6.4" + }, + { + "component_id": "npm://lodash:4.17.21" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N51", + "references": [ + "https://github.com/advisories/GHSA-8p5q-j9m2-g8wr", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://nvd.nist.gov/vuln/detail/CVE-2021-41720\n- https://github.com/advisories/GHSA-8p5q-j9m2-g8wr" + ] + }, + { + "summary": "Regular Expression Denial of Service", + "severity": "High", + "components": { + "npm://diff:1.4.0": { + "fixed_versions": [ + "[3.5.0,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://diff:1.4.0" + } + ] + ] + } + }, + "issue_id": "XRAY-N21", + "references": [ + "https://npmjs.com/advisories/1631", + "- [WhiteSource 
Advisory](https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590)\n- [Snyk Advisory](https://snyk.io/vuln/npm:diff:20180305)\n- [GitHub Advisory](https://github.com/advisories/GHSA-h6ch-v84p-w6p9)" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16115", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.", + "severity": "High", + "components": { + "npm://timespan:2.3.0": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://timespan:2.3.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73065", + "references": [ + "https://github.com/indexzero/TimeSpan.js/issues/10", + "https://nodesecurity.io/advisories/533" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "6.1", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "summary": "helmet-csp Package for Node.js lib/transform-directives-for-browser.ts transformDirectivesForBrowser() Function Default Directive Handling Content Security Policy Bypass", + "severity": "Medium", + "components": { + "npm://helmet-csp:1.2.2": { + "fixed_versions": [ + "[2.9.2]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://helmet-csp:1.2.2" + } + ] + ] + } + }, + "issue_id": "XRAY-89144", + "references": [ + "https://www.npmjs.com/advisories/1176", + "https://www.npmjs.com/package/helmet-csp", + "https://github.com/helmetjs/csp/commit/67a69baafa8198a154f0505a0cf0875f76f6186a", + 
"https://github.com/helmetjs/csp/blob/v2.9.2/CHANGELOG.md" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16137", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", + "severity": "Medium", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + } + }, + "issue_id": "XRAY-72687", + "references": [ + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://nodesecurity.io/advisories/534", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-20165", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. 
The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.", + "severity": "High", + "components": { + "npm://debug:2.2.0": { + "fixed_versions": [ + "[2.6.9]", + "[3.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://finalhandler:0.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://helmet:2.3.0" + }, + { + "component_id": "npm://connect:3.4.1" + }, + { + "component_id": "npm://debug:2.2.0" + } + ] + ] + } + }, + "issue_id": "XRAY-413253", + "references": [ + "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685", + "https://github.com/debug-js/debug/pull/504", + "https://github.com/debug-js/debug/releases/tag/3.1.0", + "https://vuldb.com/?ctiid.217665", + "https://vuldb.com/?id.217665" + ], + "extended_information": { + "short_description": "Unbounded resource consumption in debug-js package could lead to denial of service when an attacker-controlled object is pretty-printed.", + "full_description": "[debug-js](https://npmjs.com/package/debug) is a tiny JavaScript debugging utility modeled after Node.js core's debugging technique. 
`debug-js` targets both Node.js and web browsers, and uses printf-style formatting.\r\n\r\nCode that uses debug-js is prone to denial of service when trying to pretty-print an attacker-controlled object, for example - `debug('Object: %o', obj);`\r\n\r\nIt was discovered that the `o` formatter, used to pretty-print an `Object` in a single line, had an unbounded memory footprint, which may lead to denial-of-service.\r\n\r\nTo pretty-print an object, the `o` formatter joins all the formatted object text to a single line and sends it to the built-in Node.js function `util.inspect()`. After that, it trims any whitespace. The issue was using an inefficient regular expression for this trimming operation.\r\n\r\nThe issue only occurs when the formatted JS object has a malicious `toStringTag`.\r\n\r\nThe issue has been resolved in versions 3.0.0 and 2.6.9, but was re-introduced by regression refactor from version 3.2.0.", + "jfrog_research_severity": "Low", + "jfrog_research_severity_reasons": [ + { + "name": "No high-impact exploit or technical writeup were published, and exploitation of the issue with high impact is either non-trivial or completely unproven", + "description": "Although Regular Expression Denial-of-Service is thoroughly researched, exploiting this particular issue is quite complex and no PoC was published.", + "is_positive": true + }, + { + "name": "The reported CVSS was either wrongly calculated, downgraded by other vendors, or does not reflect the vulnerability's impact", + "description": "The CVSS does not reflect the contextual prerequisites required to exploit the vulnerability properly.", + "is_positive": true + }, + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "To exploit this issue:\r\n1. The attacker must find a way to pass input to 'debug-js' logger.\r\n2. The log message must have a specific vulnerable formatter `%o`\r\n3. 
The attacker input must propagate into a JS Object that has a `toStringTag`, as normal objects with a simple key and value aren't vulnerable.", + "is_positive": true + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2020-28500", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-140562", + "references": [ + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/pull/5065", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "extended_information": { + "short_description": "ReDoS in lodash could lead to a denial of service when handling untrusted strings.", + "full_description": "JavaScript-based applications that use 
[lodash](https://github.com/lodash/lodash) and specifically the [_.toNumber](https://lodash.com/docs/4.17.15#toNumber), [_.trim](https://lodash.com/docs/4.17.15#trim) and [_.trimEnd](https://lodash.com/docs/4.17.15#trimEnd) functions, could be vulnerable to DoS (Denial of Service) through a faulty regular expression that introduces a ReDoS (Regular Expression DoS) vulnerability. This vulnerability is only triggered if untrusted user input flows into these vulnerable functions and the attacker can supply arbitrary long strings (over 50kB) that contain whitespaces. \r\n\r\nOn a modern Core i7-based system, calling the vulnerable functions with a 50kB string could take between 2 to 3 seconds to execute and 4.5 minutes for a longer 500kB string. The fix improved the regular expression performance so it took only a few milliseconds on the same Core i7-based system. This vulnerability is easily exploitable as all is required is to build a string that triggers it as can be seen in this PoC reproducing code - \r\n\r\n```js\r\nvar untrusted_user_input_50k = \"a\" + ' '.repeat(50000) + \"z\"; // assume this is provided over the network\r\nlo.trimEnd(untrusted_user_input_50k); // should take a few seconds to run\r\nvar untrusted_user_input_500k = \"a\" + ' '.repeat(500000) + \"z\"; // assume this is provided over the network\r\nlo.trimEnd(untrusted_user_input_500k); // should take a few minutes to run\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue has an exploit published", + "description": "Public exploit demonstrated ReDoS" + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "Exploitation depends on parsing user input by the `.toNumber`, `.trim` or `.trimEnd` `lodash` functions, and requires the input to contain whitespaces and be very long (over 50KB)", + "is_positive": true + } + ], + "remediation": "##### Deployment mitigations\n\nTrim untrusted strings based on size before providing it to the vulnerable functions by using the `substring` function to with a fixed maximum size like so - ```js untrusted_user_input.substring(0, max_string_size_less_than_50kB); ```" + } + }, + { + "cves": [ + { + "cve": "CVE-2018-3721", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + } + ], + "summary": "lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of \"Object\" via __proto__, causing the addition or modification of an existing property that will exist on all objects.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72918", + "references": [ + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", + "https://hackerone.com/reports/310443" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-1010266", + "cvss_v2_score": "4.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P", + "cvss_v3_score": "6.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "lodash 
prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-85049", + "references": [ + "https://github.com/lodash/lodash/wiki/Changelog", + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://github.com/lodash/lodash/issues/3359", + "https://snyk.io/vuln/SNYK-JS-LODASH-73639" + ] + }, + { + "cves": [ + { + "cve": "CVE-2019-10744", + "cvss_v2_score": "6.4", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:P", + "cvss_v3_score": "9.1", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "summary": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. 
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.", + "severity": "Critical", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-85679", + "references": [ + "https://security.netapp.com/advisory/ntap-20191004-0005/", + "https://snyk.io/vuln/SNYK-JS-LODASH-450202", + "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://access.redhat.com/errata/RHSA-2019:3024" + ], + "extended_information": { + "short_description": "Insufficient input validation in lodash defaultsDeep() leads to prototype pollution.", + "full_description": "[lodash](https://www.npmjs.com/package/lodash) is a modern JavaScript utility library delivering modularity, performance, \u0026 extras.\r\n\r\nThe function `defaultsDeep` was found to be vulnerable to prototype pollution, when accepting arbitrary source objects from untrusted input\r\n\r\nExample of code vulnerable to this issue - \r\n```js\r\nconst lodash = require('lodash'); \r\nconst evilsrc = {constructor: {prototype: {evilkey: \"evilvalue\"}}};\r\nlodash.defaultsDeep({}, evilsrc)\r\n```", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrates exploitation of this issue" + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find remote input that propagates into the `defaultsDeep` method (2nd arg)", + "is_positive": true + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." 
+ } + }, + { + "cves": [ + { + "cve": "CVE-2018-16487", + "cvss_v2_score": "6.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "5.6", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "summary": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.", + "severity": "Medium", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-75300", + "references": [ + "https://security.netapp.com/advisory/ntap-20190919-0004/", + "https://hackerone.com/reports/380873" + ], + "extended_information": { + "short_description": "Insufficient input validation in the Lodash library leads to prototype pollution.", + "full_description": "The [Lodash](https://lodash.com/) library is an open-source JavaScript project that simplifies operations on string, arrays, numbers, and other objects. It is widely used in connected devices. \r\n\r\nThe `merge`, `mergeWith`, and `defaultsDeep` methods in Lodash are vulnerable to [prototype pollution](https://shieldfy.io/security-wiki/prototype-pollution/introduction-to-prototype-pollution/). Attackers can exploit this vulnerability by specifying a crafted `sources` parameter to any of these methods, which can modify the prototype properties of the `Object`, `Function`, `Array`, `String`, `Number`, and `Boolean` objects. 
A public [exploit](https://hackerone.com/reports/380873) exists which performs the prototype pollution with an arbitrary key and value.\r\n\r\nThe library implementation has a bug in the `safeGet()` function in the `lodash.js` module that allows for adding or modifying `prototype` properties of various objects. The official [solution](https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad) fixes the bug by explicitly forbidding the addition or modification of `prototype` properties.\r\n\r\nA related CVE (CVE-2018-3721) covers the same issue prior to Lodash version 4.17.5, but the fix for that was incomplete.", + "jfrog_research_severity": "High", + "jfrog_research_severity_reasons": [ + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "An attacker must find remote input that propagates into one of the following methods - \r\n* `merge` - 2nd argument\r\n* `mergeWith` - 2nd argument\r\n* `defaultsDeep` - 2nd argument", + "is_positive": true + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "A prototype pollution attack allows the attacker to inject new properties to all JavaScript objects (but not set existing properties).\r\nTherefore, the impact of a prototype pollution attack depends on the way the JavaScript code uses any object properties after the attack is triggered.\r\nUsually, a DoS attack is possible since invalid properties quickly lead to an exception being thrown. 
In more severe cases, RCE may be achievable.", + "is_positive": true + }, + { + "name": "The issue has an exploit published", + "description": "A public PoC demonstrated exploitation by injecting an attacker controlled key and value into the prototype" + } + ], + "remediation": "##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks." + } + }, + { + "cves": [ + { + "cve": "CVE-2020-8203", + "cvss_v2_score": "5.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:P", + "cvss_v3_score": "7.4", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], + "summary": "Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.", + "severity": "High", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-114089", + "references": [ + "https://security.netapp.com/advisory/ntap-20200724-0006/", + "https://github.com/lodash/lodash/issues/4874", + "https://hackerone.com/reports/712065", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html" + ], + "extended_information": { + "short_description": "Prototype pollution in lodash object merging and zipping functions leads to code injection.", + "full_description": "[lodash](https://lodash.com/) is a JavaScript library which provides utility functions for 
common programming tasks.\r\n\r\nJavaScript frontend and Node.js-based backend applications that merge or zip objects using the lodash functions `mergeWith`, `merge` and `zipObjectDeep` are vulnerable to [prototype pollution](https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c) if one or more of the objects it receives as arguments are obtained from user input. \r\nAn attacker controlling this input given to the vulnerable functions can inject properties to JavaScript special objects such as [Object.prototype](https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/Object_prototypes) from which all JavaScript objects inherit properties and methods. Any change on `Object.prototype` properties will then propagate through the prototype chain inheritance to all of the objects in a JavaScript application. This in turn would allow an attacker to add new properties or modify existing properties which will have application specific implications that could lead to DoS (denial of service), authentication bypass, privilege escalation and even RCE (remote code execution) in [some cases](https://youtu.be/LUsiFV3dsK8?t=1152). \r\nAs an example for privilege escalation, consider a JavaScript application that has a `user` object which has a Boolean property of `user.isAdmin` which is used to decide which actions the user may take. If an attacker can modify or add the `isAdmin` property through prototype pollution, it can escalate the privileges of its own user to those of an admin. \r\nAs exploitation is usually application specific, successful exploitation is much more likely if an attacker have access to the JavaScript application code. As such, frontend applications are more vulnerable to this vulnerability than Node.js backend applications.", + "jfrog_research_severity": "Critical", + "jfrog_research_severity_reasons": [ + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. 
A severe impact such as RCE is not guaranteed.", + "is_positive": true + }, + { + "name": "The issue can be exploited by attackers over the network" + }, + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC" + } + ], + "remediation": "##### Deployment mitigations\n\nAs general guidelines against prototype pollution, first consider not merging objects originating from user input or using a Map structure instead of an object. If merging objects is needed, look into creating objects without a prototype with `Object.create(null)` or into freezing `Object.prototype` with `Object.freeze()`. Finally, it is always best to perform input validation with a a [JSON schema validator](https://github.com/ajv-validator/ajv), which could mitigate this issue entirely in many cases." + } + }, + { + "cves": [ + { + "cve": "CVE-2021-23337", + "cvss_v2_score": "6.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P", + "cvss_v3_score": "7.2", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "severity": "High", + "components": { + "npm://lodash:2.4.2": { + "fixed_versions": [ + "[4.17.21]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://lodash:2.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-140575", + "references": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://security.netapp.com/advisory/ntap-20210312-0006/", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "extended_information": { + "short_description": "Improper sanitization in the lodash template function leads to JavaScript code injection through the options argument.", + "full_description": "JavaScript-based applications (both frontend and backend) that use the [template function](https://lodash.com/docs/4.17.15#template) -`_.template([string=''], [options={}])` from the [lodash](https://lodash.com/) utility library and provide the `options` argument (specifically the `variable` option) from untrusted user input, are vulnerable to JavaScript code injection. This issue can be easily exploited, and an exploitation example is [publicly available](https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c#diff-a561630bb56b82342bc66697aee2ad96efddcbc9d150665abd6fb7ecb7c0ab2fR22303) in the fix tests that was introduced in version 4.17.21 - \r\n```js\r\nlodash.template('', { variable: '){console.log(process.env)}; with(obj' })()\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The prerequisites for exploiting the issue are extremely unlikely", + "description": "It is highly unlikely that a JS program will accept arbitrary remote input into the template's `options` argument", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. 
The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "The attacker must find remote input that propagates into the `options` argument of a `template` call", + "is_positive": true + }, + { + "name": "The issue results in a severe impact (such as remote code execution)", + "description": "Leads to remote code execution through JS code injection" + }, + { + "name": "The issue has an exploit published", + "description": "Published exploit demonstrates arbitrary JS code execution" + } + ] + } + }, + { + "cves": [ + { + "cve": "CVE-2022-33987", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "summary": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.", + "severity": "Medium", + "components": { + "npm://got:6.7.1": { + "fixed_versions": [ + "[11.8.5]", + "[12.1.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://latest-version:3.1.0" + }, + { + "component_id": "npm://package-json:4.0.1" + }, + { + "component_id": "npm://got:6.7.1" + } + ] + ] + } + }, + "issue_id": "XRAY-229041", + "references": [ + "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", + "https://github.com/sindresorhus/got/pull/2047", + "https://github.com/sindresorhus/got/releases/tag/v11.8.5" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16042", + "cvss_v2_score": "7.5", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", + "cvss_v3_score": "9.8", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "summary": "Growl adds growl notification support to nodejs. 
Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.", + "severity": "Critical", + "components": { + "npm://growl:1.9.2": { + "fixed_versions": [ + "[1.10.0]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-mocha-test:0.12.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://jade:0.26.3" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://mocha:2.5.3" + }, + { + "component_id": "npm://growl:1.9.2" + } + ] + ] + } + }, + "issue_id": "XRAY-72713", + "references": [ + "https://github.com/tj/node-growl/issues/60", + "https://github.com/tj/node-growl/pull/61", + "https://nodesecurity.io/advisories/146" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-33623", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.", + "severity": "High", + "components": { + "npm://trim-newlines:1.0.0": { + "fixed_versions": [ + "[3.0.1]", + "[4.0.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-concurrent:2.3.1" + }, + { + "component_id": "npm://pad-stream:1.2.0" + }, + { + "component_id": "npm://meow:3.7.0" + }, + { + "component_id": "npm://trim-newlines:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-176887", + "references": [ + "https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1", + "https://security.netapp.com/advisory/ntap-20210702-0007/", + "https://www.npmjs.com/package/trim-newlines", + "https://lists.debian.org/debian-lts-announce/2022/12/msg00033.html" + ] + }, + { + "cves": [ + { + "cve": 
"CVE-2023-25345", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "summary": "Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or extends tags.", + "severity": "High", + "components": { + "npm://swig:1.4.2": { + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://swig:1.4.2" + } + ] + ] + } + }, + "issue_id": "XRAY-427909", + "references": [ + "https://github.com/node-swig/swig-templates/issues/88" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21681" + } + ], + "summary": "Inefficient Regular Expression Complexity in marked", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-N57", + "references": [ + "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", + "- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "4.3", + "cvss_v2_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "5.3", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "summary": "marked Package for Node.js lib/marked.js heading Regular Expression Handling CPU Consumption DoS", + "severity": "Medium", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-84782", + "references": [ + 
"https://github.com/markedjs/marked/commit/09afabf69c6d0c919c03443f47bdfe476566105d", + "https://github.com/markedjs/marked/pull/1224" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21680", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-194626", + "references": [ + "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0", + "https://github.com/markedjs/marked/releases/tag/v4.0.10" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21680" + } + ], + "summary": "Inefficient Regular Expression Complexity in marked", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": 
"XRAY-N58", + "references": [ + "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", + "- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-21681", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. 
As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-194711", + "references": [ + "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5" + ] + }, + { + "cves": [ + { + "cvss_v2_score": "7.1", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C" + } + ], + "summary": "marked lib/marked.js inline() Function Regular Expresssion Handling DoS", + "severity": "High", + "components": { + "npm://marked:0.3.9": { + "fixed_versions": [ + "[0.3.18]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://marked:0.3.9" + } + ] + ] + } + }, + "issue_id": "XRAY-78213", + "references": [ + "https://github.com/markedjs/marked/issues/1058", + "https://github.com/markedjs/marked/files/1735164/example.txt", + "https://github.com/Feder1co5oave/marktex/commit/d30c6cef0ae7645390bccb00a01a428693073b60", + "https://github.com/markedjs/marked/pull/1083", + "https://github.com/markedjs/marked/issues/1070", + "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485", + "https://github.com/markedjs/marked/releases/tag/v0.3.17", + "https://snyk.io/vuln/npm:marked:20180225" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-23440" + } + ], + "summary": "Prototype Pollution in set-value", + "severity": "High", + "components": { + "npm://set-value:2.0.1": { + "fixed_versions": [ + "[4.0.1,)" + ], + 
"impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + 
"component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { 
+ "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": 
"npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": 
"npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://forever:0.15.3" + }, + { + "component_id": "npm://forever-monitor:1.7.2" + }, + { + "component_id": "npm://chokidar:1.7.0" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + 
"component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": 
"npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + 
"component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + 
"component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://anymatch:2.0.0" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + 
"component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://union-value:1.0.1" + }, + { + "component_id": "npm://get-value:2.0.6" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://cache-base:1.0.1" + }, + { + "component_id": "npm://set-value:2.0.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" 
+ }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + 
"component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": 
"npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": 
"npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://extglob:2.0.4" + }, + { + "component_id": "npm://expand-brackets:2.1.4" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://source-map-resolve:0.5.3" + }, + { + "component_id": "npm://atob:2.1.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + 
}, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + }, + { + "component_id": "npm://split-string:3.1.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://chokidar:2.1.8" + }, + { + "component_id": "npm://readdirp:2.2.1" + }, + { + "component_id": "npm://micromatch:3.1.10" + }, + { + "component_id": "npm://braces:2.3.2" + }, + { + "component_id": "npm://snapdragon:0.8.2" + }, + { + "component_id": "npm://base:0.11.2" + }, + { + "component_id": "npm://mixin-deep:1.3.2" + }, + { + "component_id": "npm://for-in:1.0.2" + } + ] + ] + } + }, + "issue_id": "XRAY-N36", + "references": [ + "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-23440\n- https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" + ] + }, + { + "cves": [ + { + "cve": "CVE-2016-2515", + "cvss_v2_score": "7.8", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.", + "severity": "High", + "components": { + "npm://hawk:1.0.0": { + "fixed_versions": [ + "[3.1.3]", + "[4.1.1]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" 
+ }, + { + "component_id": "npm://hawk:1.0.0" + } + ] + ] + } + }, + "issue_id": "XRAY-73076", + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1309721", + "https://github.com/hueniverse/hawk/commit/0833f99ba64558525995a7e21d4093da1f3e15fa", + "https://github.com/hueniverse/hawk/issues/168", + "https://nodesecurity.io/advisories/77", + "http://www.openwall.com/lists/oss-security/2016/02/20/1", + "http://www.openwall.com/lists/oss-security/2016/02/20/2" + ] + }, + { + "cves": [ + { + "cve": "CVE-2017-16138", + "cvss_v2_score": "5.0", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cvss_v3_score": "7.5", + "cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "summary": "The mime module \u003c 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.", + "severity": "High", + "components": { + "npm://mime:1.2.11": { + "fixed_versions": [ + "[1.4.1]", + "[2.0.3]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://hawk:1.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://zaproxy:0.2.0" + }, + { + "component_id": "npm://request:2.36.0" + }, + { + "component_id": "npm://form-data:0.1.4" + }, + { + "component_id": "npm://mime:1.2.11" + } + ] + ] + } + }, + "issue_id": "XRAY-72686", + "references": [ + "https://github.com/broofa/node-mime/issues/167", + "https://nodesecurity.io/advisories/535" + ] + }, + { + "cves": [ + { + "cve": "CVE-2021-3807" + } + ], + "summary": " Inefficient Regular Expression Complexity in chalk/ansi-regex", + "severity": "Medium", + "components": { + "npm://ansi-regex:3.0.1": { + "fixed_versions": [ + "[5.0.1,)" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": 
"npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://ansi-align:2.0.0" + }, + { + "component_id": "npm://string-width:2.1.1" + }, + { + "component_id": "npm://strip-ansi:4.0.0" + }, + { + "component_id": "npm://ansi-regex:3.0.1" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://cli-boxes:1.0.0" + }, + { + "component_id": "npm://execa:0.7.0" + }, + { + "component_id": "npm://get-stream:3.0.0" + } + ], + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-nodemon:0.4.2" + }, + { + "component_id": "npm://nodemon:1.19.4" + }, + { + "component_id": "npm://update-notifier:2.5.0" + }, + { + "component_id": "npm://boxen:1.3.0" + }, + { + "component_id": "npm://widest-line:2.0.1" + }, + { + "component_id": "npm://string-width:2.1.1" + }, + { + "component_id": "npm://strip-ansi:4.0.0" + }, + { + "component_id": "npm://ansi-regex:3.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N33", + "references": [ + "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "- https://nvd.nist.gov/vuln/detail/CVE-2021-3807\n- https://github.com/advisories/GHSA-93q8-gq69-wqmw" + ] + }, + { + "cves": [ + { + "cve": "CVE-2018-1002204", + "cvss_v2_score": "4.3", + "cvss_v2_vector": "CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N", + "cvss_v3_score": "5.5", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" + } + ], + "summary": "adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. 
This vulnerability is also known as 'Zip-Slip'.", + "severity": "Medium", + "components": { + "npm://adm-zip:0.4.4": { + "fixed_versions": [ + "[0.4.11]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://selenium-webdriver:2.53.3" + }, + { + "component_id": "npm://adm-zip:0.4.4" + } + ] + ] + } + }, + "issue_id": "XRAY-73112", + "references": [ + "http://www.securityfocus.com/bid/107001", + "https://github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25", + "https://github.com/cthackers/adm-zip/pull/212", + "https://github.com/snyk/zip-slip-vulnerability", + "https://snyk.io/research/zip-slip-vulnerability", + "https://snyk.io/vuln/npm:adm-zip:20180415" + ] + }, + { + "summary": "Improper Privilege Management in shelljs", + "severity": "Medium", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N59", + "references": [ + "https://github.com/advisories/GHSA-64g7-mvw6-v9qj", + "- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj" + ] + }, + { + "summary": "Improper Privilege Management in shelljs", + "severity": "Medium", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-N60", + "references": [ + "https://github.com/advisories/GHSA-64g7-mvw6-v9qj", + "- 
https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj" + ] + }, + { + "cves": [ + { + "cve": "CVE-2022-0144", + "cvss_v2_score": "3.6", + "cvss_v2_vector": "CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:P", + "cvss_v3_score": "7.1", + "cvss_v3_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H" + } + ], + "summary": "shelljs is vulnerable to Improper Privilege Management", + "severity": "High", + "components": { + "npm://shelljs:0.3.0": { + "fixed_versions": [ + "[0.8.5]" + ], + "impact_paths": [ + [ + { + "component_id": "npm://desopmo:1.33.7" + }, + { + "component_id": "npm://grunt-contrib-jshint:1.1.0" + }, + { + "component_id": "npm://jshint:2.9.7" + }, + { + "component_id": "npm://cli:1.0.1" + } + ] + ] + } + }, + "issue_id": "XRAY-194227", + "references": [ + "https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c", + "https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c" + ], + "extended_information": { + "short_description": "Permissive file permissions in shelljs may lead to sensitive data leakage by local attackers.", + "full_description": "[ShellJS](https://www.npmjs.com/package/shelljs) is a portable (Windows/Linux/OS X) implementation of Unix shell commands on top of the Node.js API.\r\n\r\nArbitrary shell commands can be run with ShellJS's `shell.exec` API.\r\nShellJS creates temporary files for the executed command's outputs (stdout and stderr).\r\nSince the permissions for the generated stdout and stderr files is **world-readable**, local attackers may be able to read the outputs of commands run by other users, and leak sensitive data.\r\n\r\nFor example, if a user uses `shell.exec` to generate a secret key -\r\n```js\r\nvar shell = require('shelljs');\r\nvar secret = shell.exec(\"openssl rand -base64 32\").stdout;\r\n```\r\nA local attacker could read the temporary stdout file 
to get the user's secret key -\r\n```js\r\nwhile true; do cat /tmp/*; done\r\n```", + "jfrog_research_severity": "Medium", + "jfrog_research_severity_reasons": [ + { + "name": "The issue is trivial to exploit and does not require a published writeup or PoC", + "description": "The vulnerability simply requires attackers to read the `/tmp` directory" + }, + { + "name": "The issue can only be exploited by an attacker that can execute code on the vulnerable machine (excluding exceedingly rare circumstances)", + "description": "The attacker must be running code on the system, to read the `/tmp` directory", + "is_positive": true + }, + { + "name": "The impact of exploiting the issue depends on the context of surrounding software. A severe impact such as RCE is not guaranteed.", + "description": "The security impact of this issue depends on what kind of data gets leaked by the local attacker. In the worst case, the leaked data would allow privilege escalation or remote code execution on other machines.", + "is_positive": true + }, + { + "name": "Exploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector", + "description": "One of the system's user must run a command with a sensitive data output, for example - `var secret = shell.exec(\"openssl rand -base64 32\");`", + "is_positive": true + }, + { + "name": "The prerequisites for exploiting the issue are either extremely common or nonexistent (always exploitable)", + "description": "`shell.exec` is highly likely to be called when the `ShellJS` package is in use" + } + ] + } + } + ], + "component_id": "root", + "package_type": "Generic", + "status": "completed" + } +] diff --git a/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json new file mode 100644 index 00000000000..b99746759fd --- /dev/null 
+++ b/unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json
@@ -0,0 +1,44 @@
+[
+ {
+ "scan_id": "dd8f-4927-5db6-fb188ae8d984",
+ "vulnerabilities": [
+ {
+ "cves": [
+ {
+ "cve": "CVE-2014-0114",
+ "cvss_v2_score": "7.5",
+ "cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
+ }
+ ],
+ "summary": "Summary test",
+ "severity": "High",
+ "components": {
+ "gav://test": {
+ "fixed_versions": [
+ "[1.9.4]"
+ ],
+ "impact_paths": [
+ [
+ {
+ "component_id": "gav://co.com.test.test:core:1.0.0-test"
+ },
+ {
+ "component_id": "gav://test",
+ "full_path": "lib/commons-beanutils-1.9.2.jar"
+ }
+ ]
+ ]
+ }
+ },
+ "issue_id": "XRAY-55616",
+ "references": [
+ "https://test.com.co"
+ ]
+ }
+ ],
+ "component_id": "gav://co.com.test.test:core:1.0.0-test",
+ "package_type": "Maven",
+ "status": "completed"
+ }
+ ]
+
diff --git a/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
new file mode 100644
index 00000000000..0fd6712f07d
--- /dev/null
+++ b/unittests/tools/test_jfrog_xray_on_demand_binary_scan_parser.py
@@ -0,0 +1,85 @@
+from ..dojo_test_case import DojoTestCase
+from dojo.models import Test, Finding
+from dojo.tools.jfrog_xray_on_demand_binary_scan.parser import \
+ JFrogXrayOnDemandBinaryScanParser, get_component_name_version, clean_title
+
+
+class TestJFrogXrayOnDemandBinaryScanParser(DojoTestCase):
+
+ def test_parse_file_with_one_vuln(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(1, len(findings))
+ item: Finding = findings[0]
+ self.assertEqual("gav://test", item.component_name)
+ self.assertEqual("CVE-2014-0114", item.unsaved_vulnerability_ids[0])
+ self.assertEqual("High", item.severity)
+
+ def test_parse_file_with_many_vulns(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(3, len(findings))
+
+ def test_component_name_version(self):
+ with self.subTest(""):
+ self.assertEqual(("", ""), get_component_name_version(""))
+ with self.subTest("gav://org.yaml:snakeyaml:1.16"):
+ self.assertEqual(("gav://org.yaml:snakeyaml", "1.16"), get_component_name_version("gav://org.yaml:snakeyaml:1.16"))
+ with self.subTest("npm://desopmo:1.33.7"):
+ self.assertEqual(("npm://desopmo", "1.33.7"), get_component_name_version("npm://desopmo:1.33.7"))
+ with self.subTest("pypi://django:4.1.4"):
+ self.assertEqual(("pypi://django", "4.1.4"), get_component_name_version("pypi://django:4.1.4"))
+ with self.subTest("alpine://3.18:libcrypto3:3.1.1-r1"):
+ self.assertEqual(("alpine://3.18:libcrypto3", "3.1.1-r1"), get_component_name_version("alpine://3.18:libcrypto3:3.1.1-r1"))
+ with self.subTest("npm://desopmo"):
+ self.assertEqual(("npm://desopmo", ""), get_component_name_version("npm://desopmo"))
+
+ def test_clean_title(self):
+ with self.subTest(""):
+ self.assertEqual("", clean_title(""))
+ with self.subTest("ABC"):
+ self.assertEqual("ABC", clean_title("ABC"))
+ with self.subTest("Garbage"):
+ self.assertEqual("Processing some specially crafted ASN.1 object identifiers or", clean_title("Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow."))
+
+ def test_parse_file_with_many_vulns_docker(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_docker.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(4, len(findings))
+
+ def test_parse_file_with_many_vulns_pypi(self):
+ testfile = open("unittests/scans/jfrog_xray_on_demand_binary_scan/many_vulns_pypi.json")
+ parser = JFrogXrayOnDemandBinaryScanParser()
+ findings = parser.get_findings(testfile, Test())
+ testfile.close()
+ self.assertEqual(99, len(findings))
+
+ with self.subTest(finding=0):
+ self.assertIn("sqlparse is a non-validating SQL parser module for Python", findings[0].title)
+ self.assertIsNone(findings[0].severity_justification)
+ self.assertEqual("High", findings[0].severity)
+ self.assertIn("sqlparse is a non-validating SQL parser module for Python", findings[0].description)
+ self.assertIn("- [0.4.4]", findings[0].mitigation)
+ self.assertEqual("pypi://sqlparse", findings[0].component_name)
+ self.assertEqual("0.4.3", findings[0].component_version)
+ self.assertIn("pypi://django:4.1.4", findings[0].impact)
+ self.assertIn("https://github.com/andialbrecht/sqlparse/commit/", findings[0].references)
+ self.assertTrue(findings[0].static_finding)
+ self.assertFalse(findings[0].dynamic_finding)
+ self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", findings[0].cvssv3)
+ self.assertEqual("XRAY-515353", findings[0].vuln_id_from_tool)
+ self.assertEqual(['CVE-2023-30608'], findings[0].unsaved_vulnerability_ids)
+
+ with self.subTest(finding=1):
+ self.assertIn("**Short description**\nA design problem in Django may lead to denial of service when processing multipart forms.\n", findings[1].severity_justification)
+ self.assertIn("**Full description**\n[Django](https://www.djangoproject.com/) is a popular Python web framework that provides functions, components, and tools for fast web development.\r\n\r\nA vulnerability has been discovered in the Multipart Request Parser in Django. By passing certain inputs (such as an excessive number of parts) to multipart forms, an attacker can trigger too many open files or memory exhaustion, which may lead to a denial-of-service attack. \r\n\r\nThe issue is only exploitable when the `MultiPartParser` class is used by the Django app/\n", findings[1].severity_justification)
+ self.assertIn("**JFrog research severity**\nHigh\n", findings[1].severity_justification)
+ self.assertIn("**JFrog research severity reasons**\nExploitation of the issue is only possible when the vulnerable component is used in a specific manner. The attacker has to perform per-target research to determine the vulnerable attack vector\n", findings[1].severity_justification)
+ self.assertIn("An attacker must find a multipart form that receives files in order to trigger this issue, although this does not require intimate per-target research and can be automated.\n", findings[1].severity_justification)
+ self.assertIn("_Is positive:_ true\n", findings[1].severity_justification)
From 1f36b423e1f27138f0e0a602d944a2fea079ab5e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 1 Dec 2023 21:31:39 -0600 Subject: [PATCH 18/33] Update postgres:16.1-alpine Docker digest from 16.1 to 16.1-alpine (docker-compose.yml) (#9089) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
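Review bot: The `testfile = open(...)` / `testfile.close()` pairs in test_parse_file_with_one_vuln, test_parse_file_with_many_vulns, test_parse_file_with_many_vulns_docker and test_parse_file_with_many_vulns_pypi leave the handle open whenever get_findings raises, because nothing guarantees the close runs on that path. A context manager closes it on every path and removes the explicit close: `with open("unittests/scans/jfrog_xray_on_demand_binary_scan/one_vuln.json") as testfile:` followed by `findings = JFrogXrayOnDemandBinaryScanParser().get_findings(testfile, Test())`. The other three tests take the same shape with their own fixture paths.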
diff --git a/docker-compose.yml b/docker-compose.yml
index d083704af3a..799805b83d3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -138,7 +138,7 @@ services:
 volumes:
 - defectdojo_data:/var/lib/mysql
 postgres:
- image: postgres:16.1-alpine@sha256:b5b982f51f46f10cfc81bbd9f922692a9b1b6aac3955d7dda2c7733f8ca5bf09
+ image: postgres:16.1-alpine@sha256:b218fa67aa721648d3da64351bc9c779074cc17d4e3105dd3acb476627cb3746
 profiles:
 - postgres-rabbitmq
 - postgres-redis
From 526319fac9ab88012b7bbc0581c53667445f2dd8 Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Mon, 4 Dec 2023 00:07:58 -0500 Subject: [PATCH 19/33] Nosey Parker Test Cases --- .../scans/noseyparker/empty_with_error.json | 5 ++ .../noseyparker/noseyparker_many_vul.jsonl | 4 ++ .../noseyparker/noseyparker_one_vul.jsonl | 1 + .../noseyparker/noseyparker_zero_vul.jsonl | 1 + unittests/tools/test_noseyparker_parser.py | 46 +++++++++++++++++++ 5 files changed, 57 insertions(+) create mode 100644 unittests/scans/noseyparker/empty_with_error.json create mode 100644 unittests/scans/noseyparker/noseyparker_many_vul.jsonl create mode 100644 unittests/scans/noseyparker/noseyparker_one_vul.jsonl create mode 100644 unittests/scans/noseyparker/noseyparker_zero_vul.jsonl create mode 100644 unittests/tools/test_noseyparker_parser.py
diff --git a/unittests/scans/noseyparker/empty_with_error.json b/unittests/scans/noseyparker/empty_with_error.json
new file mode 100644
index 00000000000..6617e9b45ea
--- /dev/null
+++ b/unittests/scans/noseyparker/empty_with_error.json
@@ -0,0 +1,5 @@ +{"type":"warning","data":"package.json: No license field"} +{"type":"warning","data":"No license field"} +{"type":"error","data":"An unexpected error occurred: \"https://registry.yarnpkg.com/-/npm/v1/security/audits: tunneling socket could not be established, cause=connect ECONNREFUSED 127.0.0.1:80\"."} +{"type":"info","data":"If you think this is a bug, please open a bug report with the information provided in \"/yarn-error.log\"."} +{"type":"info","data":"Visit https://yarnpkg.com/en/docs/cli/audit for documentation about this command."} diff --git a/unittests/scans/noseyparker/noseyparker_many_vul.jsonl b/unittests/scans/noseyparker/noseyparker_many_vul.jsonl new file mode 100644 index 00000000000..8c27e92ef93 --- /dev/null +++ b/unittests/scans/noseyparker/noseyparker_many_vul.jsonl 
@@ -0,0 +1,4 @@ +{"type":"finding","rule_name":"Generic API Key","match_content":"32ui1ffdasfhu239b4df2ac6609a9919","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"32ui1ffdasfhu239b4df2ac6609a9919","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919","after":"\"\n\n\n"},"rule_name":"Generic API Key"}]} +{"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 
+0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} +{"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} +{"type":"finding","rule_name":"Generic Password (double 
quoted)","match_content":"Password","num_matches":12,"status":null,"comment":null,"matches":[{"provenance":[{"kind":"file","path":"./references/Microsoft.json"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"776f9a49398cb90f9a95f4f321bcc2009d84","committer_name":"Yoda","committer_email":"yoda@test.com","committer_timestamp":"1748581495 +0000","author_name":"Yoda","author_email":"yoda@test.com","author_timestamp":"1748581495 +0000","message":"testing\n"},"blob_path":"./references/Microsoft.json"}}],"blob_metadata":{"id":"7769b26e8694073f3270674bb2dedda8309749e4","num_bytes":14909,"mime_essence":"application/json","charset":null},"blob_id":"7769b26e8694073f3270674bb2dedda8309749e4","location":{"offset_span":{"start":7896,"end":7917},"source_span":{"start":{"line":161,"column":30},"end":{"line":161,"column":50}}},"capture_group_index":1,"match_content":"Password","snippet":{"before":" \"name\": \"vmCredentials\",\n \"type\": \"Compute.CredentialsCombocrosoft\",\n \"label\": {\n \"authenticationType\": \"Authentication type\",\n \"","matching":"password\": \"Password\"","after":",\n \"confirmPassword\": \"Confirm password\",\n \"sshPublicKey\": \"SSH public key\"\n },\n \"toolTip\": {\n \"authenticationType\": \"\",\n "}}, {"provenance":[{"kind":"file","path":"./references/Microsoft.json"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"776f9a49398cb90f9a95f4f321bcc2009d84","committer_name":"Yoda","committer_email":"yoda@test.com","committer_timestamp":"1748581495 +0000","author_name":"Yoda","author_email":"yoda@test.com","author_timestamp":"1748581495 
+0000","message":"testing\n"},"blob_path":"./references/Microsoft.json"}}],"blob_metadata":{"id":"7769b26e8694073f3270674bb2dedda8309749e4","num_bytes":14909,"mime_essence":"application/json","charset":null},"blob_id":"7769b26e8694073f3270674bb2dedda8309749e4","location":{"offset_span":{"start":7896,"end":7917},"source_span":{"start":{"line":161,"column":30},"end":{"line":161,"column":50}}},"capture_group_index":1,"match_content":"Password","snippet":{"before":" \"name\": \"vmCredentials\",\n \"type\": \"Compute.CredentialsCombocrosoft\",\n \"label\": {\n \"authenticationType\": \"Authentication type\",\n \"","matching":"password\": \"Password\"","after":",\n \"confirmPassword\": \"Confirm password\",\n \"sshPublicKey\": \"SSH public key\"\n },\n \"toolTip\": {\n \"authenticationType\": \"\",\n "}}]} diff --git a/unittests/scans/noseyparker/noseyparker_one_vul.jsonl b/unittests/scans/noseyparker/noseyparker_one_vul.jsonl new file mode 100644 index 00000000000..4c514e0f22b --- /dev/null +++ b/unittests/scans/noseyparker/noseyparker_one_vul.jsonl 
@@ -0,0 +1 @@ +{"type":"finding","rule_name":"Generic API Key","match_content":"32ui1ffdasfhu239b4df2ac6609a9919","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"32ui1ffdasfhu239b4df2ac6609a9919","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919","after":"\"\n\n\n"},"rule_name":"Generic API Key"}]} \ No newline at end of file diff --git a/unittests/scans/noseyparker/noseyparker_zero_vul.jsonl b/unittests/scans/noseyparker/noseyparker_zero_vul.jsonl new file mode 100644 index 00000000000..9e26dfeeb6e --- /dev/null +++ b/unittests/scans/noseyparker/noseyparker_zero_vul.jsonl @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/unittests/tools/test_noseyparker_parser.py b/unittests/tools/test_noseyparker_parser.py new file mode 100644 index 00000000000..513b508b41f --- /dev/null +++ b/unittests/tools/test_noseyparker_parser.py 
@@ -0,0 +1,46 @@ +from django.test import TestCase +from dojo.tools.noseyparker.parser import NoseyParkerParser +from dojo.models import Test + + +class TestNoseyParkerParser(TestCase): + + def test_noseyparker_parser__no_vulns(self): + testfile = open("unittests/scans/noseyparker/noseyparker_zero_vul.jsonl") + parser = NoseyParkerParser() + findings = parser.get_findings(testfile, Test()) + self.assertEqual(0, len(findings)) + testfile.close() + + def test_noseyparker_parser_one_vuln(self): + testfile = open("unittests/scans/noseyparker/noseyparker_one_vul.jsonl") + parser = NoseyParkerParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + finding = findings[0] + self.assertEqual("./app/schema/config.py", findings[0].file_path) + self.assertEqual("High", finding.severity) + self.assertEqual(798, finding.cwe) + self.assertEqual(1, len(findings)) + + def test_noseyparker_parser_many_vulns(self): + # Testfile contains 4 lines (Middle 2 are duplicates and last line has 2 of the same exact matches) + testfile = open("unittests/scans/noseyparker/noseyparker_many_vul.jsonl") + parser = NoseyParkerParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + for finding in findings: + self.assertEqual("High", finding.severity) + self.assertEqual(798, finding.cwe) + self.assertEqual(3, len(findings)) + + def test_noseyparker_parser_error(self): + with self.assertRaises(ValueError) as context: + testfile = open("unittests/scans/noseyparker/empty_with_error.json") + parser = NoseyParkerParser() + findings = parser.get_findings(testfile, Test()) + testfile.close() + self.assertTrue( + "Invalid Nosey Parker data, make sure to use Nosey Parker v0.15.0" in str(context.exception) + ) + self.assertTrue("ECONNREFUSED" in str(context.exception)) From 0ba7a9d9c75f5acb660d1c5eb92da99443e1e79f Mon Sep 17 00:00:00 2001 
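Review bot: Every test opens its fixture with a bare `open()` and closes it by hand, so in `test_noseyparker_parser_error` the `testfile.close()` inside the `assertRaises` block is never reached once `get_findings` raises, and in the other three tests any assertion failure before `close()` leaks the handle as well; `with open("unittests/scans/noseyparker/empty_with_error.json") as testfile:` (and the same shape in the other tests) makes cleanup unconditional. The two `self.assertTrue("..." in str(context.exception))` checks would read better as `self.assertIn("...", str(context.exception))`, which reports both strings on failure. The asserted fragments also look hard to satisfy together: as far as the parser versions on this page show, the `.json` suffix of that fixture routes it to the `"JSON lines format not recognized"` branch, and neither ValueError message embeds input content such as `ECONNREFUSED`, so this test appears to depend on parser behaviour not visible here and is worth confirming.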
From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Mon, 4 Dec 2023 00:09:02 -0500 Subject: [PATCH 20/33] Updated Parser --- .../integrations/parsers/file/noseyparker.md | 90 ++++++- dojo/tools/noseyparker/parser.py | 225 +++++------------- 2 files changed, 154 insertions(+), 161 deletions(-) diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index 0fde44bebae..a8abb719348 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md +++ b/docs/content/en/integrations/parsers/file/noseyparker.md 
@@ -2,4 +2,92 @@ title: "Nosey Parker" toc_hide: true --- -JSONLines Output of Nosey Parker. Supports version 0.15.0 of https://github.com/praetorian-inc/noseyparker +Input Type: +- +This parser takes JSON Lines Output from Nosey Parker. Supports version 0.15.0 of https://github.com/praetorian-inc/noseyparker + +Things to note about the Nosey Parker Parser: +- +- All findings are marked with a severity of 'High' +- The deduplication algorithm marks a unique finding by the secret, filepath, and line number all together + +Acceptable JSON Lines file: +- +Each line of the JSON Lines file from NoseyParker is one secret, but it can have multiple matches within the repository. All properties are required by the parser. + +The following is an example of an acceptable JSON lines file: +~~~ +{"type":"finding","rule_name":"Generic API Key","match_content":"32ui1ffdasfhu239b4df2ac6609a9919","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"32ui1ffdasfhu239b4df2ac6609a9919","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919","after":"\"\n\n\n"},"rule_name":"Generic API Key"}]} 
+{"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} + +~~~ + +If the first line is expanded, it looks like this: + +~~~ +{ + "type": "finding", + "rule_name": "Generic API Key", + "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", + "num_matches": 1, + "matches": [ + { + "provenance": [ + { + "kind": "file", + "path": "./app/schema/config.py" + }, + { + "kind": "git_repo", + "repo_path": "./.git", + "commit_provenance": { + "commit_kind": "first_seen", + "commit_metadata": { + "commit_id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", + "committer_name": "Princess Leia", + "committer_email": "leia@test.com", + "committer_timestamp": "1685495256 +0000", + "author_name": "Princess Leia", + "author_email": "leia@test.com", + "author_timestamp": "1685495256 +0000", + "message": "framework\n" + }, + "blob_path": "app/schema/config.py" + } + } + ], + "blob_metadata": { + "id": 
"0ee84b84c29924b210e3576fe9d1e8632948bedc", + "num_bytes": 664, + "mime_essence": "text/plain", + "charset": null + }, + "blob_id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", + "location": { + "offset_span": { + "start": 617, + "end": 660 + }, + "source_span": { + "start": { + "line": 16, + "column": 17 + }, + "end": { + "line": 16, + "column": 59 + } + } + }, + "capture_group_index": 1, + "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", + "snippet": { + "before": "E = \"https://testwebsite.com\"\n ", + "matching": "API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919", + "after": "\"\n\n\n" + }, + "rule_name": "Generic API Key" + } + ] +} +~~~ \ No newline at end of file diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py index 626f0863617..5ed1fa3c8d6 100644 --- a/dojo/tools/noseyparker/parser.py +++ b/dojo/tools/noseyparker/parser.py @@ -1,7 +1,6 @@ import hashlib import json - from datetime import datetime from dojo.models import Finding 
@@ -18,180 +17,86 @@ def get_label_for_scan_types(self, scan_type): return "Nosey Parker Scan" def get_description_for_scan_types(self, scan_type): - return "Nosey Parker report file can be imported in JSON Lines format (option --jsonl)." + return f"Nosey Parker report file can be imported in JSON Lines format (option --jsonl). " \ + f"Supports v0.15.0 of https://github.com/praetorian-inc/noseyparker" - def get_findings(self, file, test, reporter): - """ - Returns findings from jsonlines file - """ - dupes = {} - # Turn JSONL file into DataFrame - if file.name.lower().endswith(".jsonl") or file.name.lower().endswith(".json"): - # Process jsonlines into Dict - data = [json.loads(line) for line in file] - - # Check for empty file - if len(len(data)) == 0: - return [] - - # Parse through each secret of each Json line - for item in data: - # Set rule to the current secret type (e.g AWS S3 Bucket) - key = item['rule_name'] - # Number of identical secret matches - num_matches = item['num_matches'] - severity = "High" - - # First finding in json list - first_finding = item['matches'][0] - - # Set Finding details - title = f"Secret(s) Found in Repository with Commit ID {first_finding['blob_id']}" - description = f"Secret found of type: {key} \n" \ - f"SECRET starts with: {secret[:3]} on line number {line_num} \n" \ - f"This secret was found {num_matches} time(s) \n" \ - f"**Committer Name: ** {first_finding['provenance']['commit_provenance']['committer_name']} \n" \ - f"**Committer Email: ** {first_finding['provenance']['commit_provenance']['committer_email']} \n" - - line_num = first_finding['location']['source_span']['start']['line'] - secret = item['match_content'] - filepath = first_finding['provenance.path'] - reproduce = f"**First Occurrence of secret: ** \n" \ - f"Snippet: {first_finding['snippet']['before']}***SECRET***{first_finding['snippet']['after']} \n" \ - f"Location: {filepath} line #{line_num}" - description += reproduce - - # Internal de-duplication - 
dupe_key = hashlib.sha256(str(filepath + secret).encode('utf-8')).hexdigest() - if dupe_key in dupes: - find = dupes[dupe_key] - if finding.description: - find.description += "\n" + finding.description - finding.nb_occurences += 1 - dupes[dupe_key] = find - else: - dupes[dupe_key] = True - # Create Finding object - finding = Finding( - test=test, - cwe=798, - title=title, - description=description, - steps_to_reproduce=reproduce, - severity=severity, - mitigation="Please reset the account/token and remove ALL occurences of this secret from source code. " - "Store secrets/tokens/passwords in secret managers or secure vaults.", - reporter=reporter, - date=datetime.today().strftime("%Y-%m-%d"), - verified='false', - active='true', - is_mitigated='false', - file_path=filepath, - line=line_num, - static_finding=True, - dynamic_finding=False - - ) - dupes[dupe_key] = finding - else: - raise ValueError("Format is not recognized for NoseyParker") - - - - def get_findings(self, file, test, filter, reporter): + def get_findings(self, file, test): """ Returns findings from jsonlines file and uses filter to skip findings and determine severity """ dupes = {} - # Filter - filter_dict = self.parse_filter(filter) - # Turn JSONL file into DataFrame - if file.name.lower().endswith(".jsonl") or file.name.lower().endswith(".json"): - # Process jsonlines into Dict + if file is None: + return + elif file.name.lower().endswith(".jsonl"): + # Process JSON lines into Dict data = [json.loads(line) for line in file] # Check for empty file - if len(len(data)) == 0: + if len(data[0]) == 0: return [] - - # Parse through each secret of each Json line - for item in data: - # Set rule to the current secret type (e.g AWS S3 Bucket) - key = item['rule_name'] - # Number of identical secret matches - num_matches = item['num_matches'] - severity = "High" - - # Check if Filter dictionary indicates to Skip finding - if key in filter_dict: - if filter_dict[key]['Skip'] == "True": - return [] - else: - # 
Get severity from filter json - severity = filter_dict[key]['Priority'] - - # First finding in json list - first_finding = item['matches'][0] + # Parse through each secret in each JSON line + for line in data: + # Set rule to the current secret type (e.g. AWS S3 Bucket) + try: + rule_name = line['rule_name'] + secret = line['match_content'] + except Exception: + raise ValueError("Invalid Nosey Parker data, make sure to use Nosey Parker v0.15.0") # Set Finding details - title = f"Secret(s) Found in Repository with Commit ID {first_finding['blob_id']}" - description = f"Secret found of type: {key} \n" \ - f"SECRET starts with: {secret[:3]} on line number {line_num} \n" \ - f"This secret was found {num_matches} time(s) \n" \ - f"**Committer Name: ** {first_finding['provenance']['commit_provenance']['committer_name']} \n" \ - f"**Committer Email: ** {first_finding['provenance']['commit_provenance']['committer_email']} \n" - - line_num = first_finding['location']['source_span']['start']['line'] - secret = item['match_content'] - filepath = first_finding['provenance.path'] - reproduce = f"**First Occurrence of secret: ** \n" \ - f"Snippet: {first_finding['snippet']['before']}***SECRET***{first_finding['snippet']['after']} \n" \ - f"Location: {filepath} line #{line_num}" - description += reproduce - - # Internal de-duplication - dupe_key = hashlib.sha256(str(filepath + secret).encode('utf-8')).hexdigest() - if dupe_key in dupes: - find = dupes[dupe_key] - if finding.description: - find.description += "\n" + finding.description - finding.nb_occurences += 1 - dupes[dupe_key] = find - else: - dupes[dupe_key] = True - # Create Finding object - finding = Finding( - test=test, - cwe=798, - title=title, - description=description, - steps_to_reproduce=reproduce, - severity=severity, - mitigation="Please reset the account/token and remove ALL occurences of this secret from source code. 
" - "Store secrets/tokens/passwords in secret managers or secure vaults.", - reporter=reporter, - date=datetime.today().strftime("%Y-%m-%d"), - verified='false', - active='true', - is_mitigated='false', - file_path=filepath, - line=line_num, - static_finding=True, - dynamic_finding=False - - ) - dupes[dupe_key] = finding + for match in line['matches']: + + title = f"Secret(s) Found in Repository with Commit ID {match['blob_id']}" + filepath = match['provenance'][0]['path'] + line_num = match['location']['source_span']['start']['line'] + description = f"Secret found of type: {rule_name} \n" \ + f"SECRET starts with: '{secret[:3]}' on line number {line_num} \n" \ + f"Committer Name: {match['provenance'][1]['commit_provenance']['commit_metadata']['committer_name']} \n" \ + f"Committer Email: {match['provenance'][1]['commit_provenance']['commit_metadata']['committer_email']} \n \n" + + reproduce = f"Location: {filepath} line #{line_num}" \ + f"Snippet: {match['snippet']['before']}***SECRET***{match['snippet']['after']} \n" \ + + description += reproduce + + # Internal de-duplication + key = hashlib.md5((filepath + "|" + secret + "|" + str(line_num)).encode("utf-8")).hexdigest() + + if key in dupes: + finding = dupes[key] + if finding.description: + finding.description += "\n" + finding.description + finding.nb_occurences += 1 + dupes[key] = finding + else: + dupes[key] = True + # Create Finding object + finding = Finding( + test=test, + cwe=798, + title=title, + description=description, + steps_to_reproduce=reproduce, + severity='High', + mitigation=f"Reset the account/token and remove occurrences of this secret from source " + f"code. 
Store secrets/tokens/passwords in secret managers or secure vaults.", + date=datetime.today().strftime("%Y-%m-%d"), + verified=False, + active=True, + is_mitigated=False, + file_path=filepath, + line=line_num, + static_finding=True, + nb_occurences=1, + dynamic_finding=False + + ) + dupes[key] = finding else: - raise ValueError("Format is not recognized for NoseyParker") + raise ValueError("JSON lines format not recognized. Make sure to use Nosey Parker v0.15.0") return list(dupes.values()) - - def parse_filter(self, filter_file): - # Parse Filter JSON file into Dictionary - - filter_dict = json.load(filter_file) - return filter_dict From 87635328f4ea82faf78222db5ebe70140bafd947 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 30 Nov 2023 11:23:52 -0600 Subject: [PATCH 21/33] Bump cryptography from 41.0.5 to 41.0.7 (#9065) Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.5 to 41.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/41.0.5...41.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 481c6f6fa59..dc37f387f07 100644 --- a/requirements.txt +++ b/requirements.txt @@ -38,7 +38,7 @@ openpyxl==3.1.2 xlrd==1.2.0 Pillow==10.1.0 # required by django-imagekit psycopg2-binary==2.9.9 -cryptography==41.0.6 +cryptography==41.0.7 python-dateutil==2.8.2 pytz==2023.3.post1 redis==5.0.1 From da0e834be4af799d74170323e7b6ee8d6ffc9a20 Mon Sep 17 00:00:00 2001 
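Review bot: The empty-input guard in the new `get_findings` does not cover the cases it names: `if file is None: return` yields `None` where every other path returns a list, and `if len(data[0]) == 0` raises IndexError on a file with no lines at all, so only the single `{}` line is handled; `if file is None: return []` and `if not data or not data[0]: return []` cover both. In the `else` branch `dupes[key] = True` is dead (it is overwritten by `dupes[key] = finding` a few lines later), and `except Exception: raise ValueError(...)` should be `except KeyError as e: raise ValueError("Invalid Nosey Parker data, make sure to use Nosey Parker v0.15.0") from e` so that a genuine parser bug is not reported as a version mismatch. The description writes `secret[:3]` and the surrounding `before`/`after` snippet into a Finding that every viewer of the product can read; for short passwords three characters is a sizeable fraction of the value, so it is worth deciding deliberately whether the prefix adds enough triage value to justify storing it. The `hashlib.md5` here is only an in-memory dedup key, which is fine, but if the project runs on Python 3.9 or later, `hashlib.md5(..., usedforsecurity=False)` states that intent and keeps the call working on FIPS-restricted hosts. The `NoseyParkerParser` class header lies outside the hunk.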
From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Mon, 4 Dec 2023 01:10:11 -0500 Subject: [PATCH 22/33] NoseyParker Parser Flake8 compliance --- dojo/tools/noseyparker/parser.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py index 5ed1fa3c8d6..569dffe70de 100644 --- a/dojo/tools/noseyparker/parser.py +++ b/dojo/tools/noseyparker/parser.py @@ -17,8 +17,8 @@ def get_label_for_scan_types(self, scan_type): return "Nosey Parker Scan" def get_description_for_scan_types(self, scan_type): - return f"Nosey Parker report file can be imported in JSON Lines format (option --jsonl). " \ - f"Supports v0.15.0 of https://github.com/praetorian-inc/noseyparker" + return "Nosey Parker report file can be imported in JSON Lines format (option --jsonl). " \ + "Supports v0.15.0 of https://github.com/praetorian-inc/noseyparker" def get_findings(self, file, test): """ @@ -82,8 +82,8 @@ def get_findings(self, file, test): description=description, steps_to_reproduce=reproduce, severity='High', - mitigation=f"Reset the account/token and remove occurrences of this secret from source " - f"code. Store secrets/tokens/passwords in secret managers or secure vaults.", + mitigation="Reset the account/token and remove occurrences of this secret from source " + "code. Store secrets/tokens/passwords in secret managers or secure vaults.", date=datetime.today().strftime("%Y-%m-%d"), verified=False, active=True, From c7d99c104a1277ee191405e9ffdb78b0319d89a1 Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Fri, 12 Jan 2024 01:23:14 -0500 Subject: [PATCH 23/33] NoseyParker fix for 0.16 --- .../integrations/parsers/file/noseyparker.md | 14 +++++------ dojo/fixtures/test_type.json | 7 ------ dojo/settings/settings.dist.py | 3 ++- dojo/tools/noseyparker/parser.py | 24 +++++++++---------- 4 files changed, 20 insertions(+), 28 deletions(-) 
diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index a8abb719348..95c93f84522 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md +++ b/docs/content/en/integrations/parsers/file/noseyparker.md @@ -4,7 +4,7 @@ toc_hide: true --- Input Type: - -This parser takes JSON Lines Output from Nosey Parker. Supports version 0.15.0 of https://github.com/praetorian-inc/noseyparker +This parser takes JSON Lines Output from Nosey Parker. Supports version 0.16.0 of https://github.com/praetorian-inc/noseyparker Things to note about the Nosey Parker Parser: - @@ -27,16 +27,14 @@ If the first line is expanded, it looks like this: ~~~ { "type": "finding", - "rule_name": "Generic API Key", + "rule_name": "Generic Password (double quoted)", "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", - "num_matches": 1, + "num_matches": 2, + "status": null, + "comment": null, "matches": [ { "provenance": [ - { - "kind": "file", - "path": "./app/schema/config.py" - }, { "kind": "git_repo", "repo_path": "./.git", @@ -50,7 +48,7 @@ If the first line is expanded, it looks like this: "author_name": "Princess Leia", "author_email": "leia@test.com", "author_timestamp": "1685495256 +0000", - "message": "framework\n" + "message": "first commit\n" }, "blob_path": "app/schema/config.py" } diff --git a/dojo/fixtures/test_type.json b/dojo/fixtures/test_type.json index c9ed263452a..d1a9fa60726 100644 --- a/dojo/fixtures/test_type.json +++ b/dojo/fixtures/test_type.json @@ -47,12 +47,5 @@ }, "model": "dojo.test_type", "pk": 7 - }, - { - "fields": { - "name": "Nosey Parker" - }, - "model": "dojo.test_type", - "pk": 8 } ] \ No newline at end of file diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index ec105309fbb..4234d6ba26e 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py 
@@ -1267,7 +1267,7 @@ def saml2_attrib_map_format(dict): 'Threagile risks report': ['title', 'cwe', "severity"], 'Trufflehog Scan': ['title', 'description', 'line'], 'Humble Json Importer': ['title'], - 'MSDefender Parser': ['title', 'description'], + 'MSDefender Parser': ['title', 'description'] } # Override the hardcoded settings here via the env var @@ -1474,6 +1474,7 @@ def saml2_attrib_map_format(dict): 'Threagile risks report': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, 'Humble Json Importer': DEDUPE_ALGO_HASH_CODE, 'MSDefender Parser': DEDUPE_ALGO_HASH_CODE, + 'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL } # Override the hardcoded settings here via the env var diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py index 569dffe70de..ad285be1614 100644 --- a/dojo/tools/noseyparker/parser.py +++ b/dojo/tools/noseyparker/parser.py 
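Review bot: `'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL` picks an algorithm that compares `unique_id_from_tool`, but none of the parser changes on this page set that field (the `Finding(...)` call in PATCH 20 has no `unique_id_from_tool=` argument), so as far as is visible here deduplication has nothing to compare and every import of the same report will create fresh findings. Either pass the parser's in-memory dedup key into the Finding as `unique_id_from_tool=key`, or choose `DEDUPE_ALGO_HASH_CODE` and add a matching entry to the per-scanner hash-code field list the first hunk touches, mirroring the `'Trufflehog Scan': ['title', 'description', 'line']` entry already there. The first hunk otherwise only deletes the trailing comma after the `'MSDefender Parser'` entry, churn that the next parser added to that dictionary will have to reverse. Both enclosing dictionaries begin and end outside these hunks.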
@@ -45,21 +45,23 @@ def get_findings(self, file, test): rule_name = line['rule_name'] secret = line['match_content'] except Exception: - raise ValueError("Invalid Nosey Parker data, make sure to use Nosey Parker v0.15.0") + raise ValueError("Invalid Nosey Parker data, make sure to use Nosey Parker v0.16.0") # Set Finding details for match in line['matches']: - title = f"Secret(s) Found in Repository with Commit ID {match['blob_id']}" - filepath = match['provenance'][0]['path'] + title = f"Secret(s) Found in Repository with Commit ID {match['provenance'][0]['commit_provenance']['commit_metadata']['commit_id']}" + filepath = match['provenance'][0]['commit_provenance']['blob_path'] line_num = match['location']['source_span']['start']['line'] description = f"Secret found of type: {rule_name} \n" \ - f"SECRET starts with: '{secret[:3]}' on line number {line_num} \n" \ - f"Committer Name: {match['provenance'][1]['commit_provenance']['commit_metadata']['committer_name']} \n" \ - f"Committer Email: {match['provenance'][1]['commit_provenance']['commit_metadata']['committer_email']} \n \n" + f"SECRET starts with: '{secret[:3]}' \n" \ + f"Committer Name: {match['provenance'][0]['commit_provenance']['commit_metadata']['committer_name']} \n" \ + f"Committer Email: {match['provenance'][0]['commit_provenance']['commit_metadata']['committer_email']} \n" \ + f"Commit ID: {match['provenance'][0]['commit_provenance']['commit_metadata']['commit_id']} \n" - reproduce = f"Location: {filepath} line #{line_num}" \ - f"Snippet: {match['snippet']['before']}***SECRET***{match['snippet']['after']} \n" \ + reproduce = f"Location: {filepath} \n " \ + f"Line #{line_num} \n " \ + f"Code Snippet Containing Secret: {match['snippet']['before']}***SECRET***{match['snippet']['after']} \n" \ description += reproduce 
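Review bot: The new `title`, `filepath` and description lines all index `match['provenance'][0]['commit_provenance']`, which assumes the git entry is always first; in the fixtures added in PATCH 19 on this page the first provenance element is `{"kind":"file", ...}` with no `commit_provenance`, so those inputs appear to raise KeyError here, and the `except Exception` around `rule_name` does not cover this loop. Selecting the entry by content rather than position is more robust: `git = next((p for p in match['provenance'] if p.get('kind') == 'git_repo'), None)` and then read `commit_provenance` from `git` when it is not None, skipping the match (or emitting the finding without committer details) otherwise. The length-based selection introduced in PATCH 24 further down still depends on element order, so the same change applies there. The enclosing `for match in line['matches']:` body continues past the end of this hunk.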
@@ -69,7 +71,7 @@ def get_findings(self, file, test): if key in dupes: finding = dupes[key] if finding.description: - finding.description += "\n" + finding.description + finding.description += "\n \n" + description finding.nb_occurences += 1 dupes[key] = finding else: @@ -80,10 +82,8 @@ def get_findings(self, file, test): cwe=798, title=title, description=description, - steps_to_reproduce=reproduce, severity='High', - mitigation="Reset the account/token and remove occurrences of this secret from source " - "code. Store secrets/tokens/passwords in secret managers or secure vaults.", + mitigation="Reset the account/token. Store secrets/tokens/passwords in secret managers or secure vaults.", date=datetime.today().strftime("%Y-%m-%d"), verified=False, active=True, From 7160ae3904b5e3a7600e58151cb99029c183ddde Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Wed, 31 Jan 2024 09:57:45 -0500 Subject: [PATCH 24/33] JSON lines fix --- dojo/tools/noseyparker/parser.py | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py index ad285be1614..559fef6b4f7 100644 --- a/dojo/tools/noseyparker/parser.py +++ b/dojo/tools/noseyparker/parser.py 
@@ -49,21 +49,22 @@ def get_findings(self, file, test):
 # Set Finding details
 for match in line['matches']:
-
- title = f"Secret(s) Found in Repository with Commit ID {match['provenance'][0]['commit_provenance']['commit_metadata']['commit_id']}"
- filepath = match['provenance'][0]['commit_provenance']['blob_path']
+ json_path = None
+ if (len(match['provenance']) == 1):
+ json_path = match['provenance'][0]
+ if (len(match['provenance']) == 2):
+ json_path = match['provenance'][1]
+ title = f"Secret(s) Found in Repository with Commit ID {json_path['commit_provenance']['commit_metadata']['commit_id']}"
+ filepath = json_path['commit_provenance']['blob_path']
 line_num = match['location']['source_span']['start']['line']
 description = f"Secret found of type: {rule_name} \n" \
 f"SECRET starts with: '{secret[:3]}' \n" \
- f"Committer Name: {match['provenance'][0]['commit_provenance']['commit_metadata']['committer_name']} \n" \
- f"Committer Email: {match['provenance'][0]['commit_provenance']['commit_metadata']['committer_email']} \n" \
- f"Commit ID: {match['provenance'][0]['commit_provenance']['commit_metadata']['commit_id']} \n"
-
- reproduce = f"Location: {filepath} \n " \
- f"Line #{line_num} \n " \
- f"Code Snippet Containing Secret: {match['snippet']['before']}***SECRET***{match['snippet']['after']} \n" \
-
- description += reproduce
+ f"Committer Name: {json_path['commit_provenance']['commit_metadata']['committer_name']} \n" \
+ f"Committer Email: {json_path['commit_provenance']['commit_metadata']['committer_email']} \n" \
+ f"Commit ID: {json_path['commit_provenance']['commit_metadata']['commit_id']} \n" \
+ f"Location: {filepath} line #{line_num} \n " \
+ f"Line #{line_num} \n " \
+ f"Code Snippet Containing Secret: {match['snippet']['before']}***SECRET***{match['snippet']['after']} \n"
 # Internal de-duplication
 key = hashlib.md5((filepath + "|" + secret + "|" + str(line_num)).encode("utf-8")).hexdigest()
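Review bot: `json_path` stays `None` when `match['provenance']` has zero or more than two entries, and the `json_path['commit_provenance']` indexing on the `title` line then raises TypeError rather than the ValueError the parser uses for malformed input; a guard `if json_path is None: raise ValueError("Invalid Nosey Parker data, make sure to use Nosey Parker v0.16.0")` before `title = ...` keeps the error contract. The rebuilt description also states the line number twice (`Location: {filepath} line #{line_num}` immediately followed by `Line #{line_num}`), so one of the two lines should go. It is worth a comment on the `SECRET starts with` line that the first three characters of the secret and the snippet before and after it deliberately end up in the finding description, since that text is visible to anyone who can read the finding. get_findings starts and ends outside the hunk.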
From 3098b376805b6222685664a3663ffec618d8892c Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Tue, 6 Feb 2024 21:54:15 -0500 Subject: [PATCH 25/33] Nosey Parker Parser: v0.16 fix --- .../integrations/parsers/file/noseyparker.md | 18 ++++++++++++++++-- dojo/settings/settings.dist.py | 1 + dojo/tools/noseyparker/parser.py | 18 ++++++++---------- .../noseyparker/noseyparker_many_vul.jsonl | 1 + unittests/tools/test_noseyparker_parser.py | 8 ++++---- 5 files changed, 30 insertions(+), 16 deletions(-) diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index 95c93f84522..b63e84b537c 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md +++ b/docs/content/en/integrations/parsers/file/noseyparker.md @@ -10,6 +10,16 @@ Things to note about the Nosey Parker Parser: - - All findings are marked with a severity of 'High' - The deduplication algorithm marks a unique finding by the secret, filepath, and line number all together +- The Nosey Parker tool allows for both full history scans of a repo and targeted branch scans + - The Parser does NOT differentiate between the 2 scan types (may be future functionality) + + - **For full history scans:** + - The scan will pick up secrets committed in the past that have since been removed + - If a secret is removed from source code, it will still show up in the next scan + - When importing findings via the Dojo API, make sure to use the parameter `do_not_reactivate` which will keep existing findings closed, without reactivating them + - + - **For targeted branch scans:** + - Keep in mind there may be active secrets that are either in the git history or not in the current branch Acceptable JSON Lines file: - 
@@ -17,7 +27,7 @@ Each line of the JSON Lines file from NoseyParker is one secret, but it can have The following is an example of an acceptable JSON lines file: ~~~ -{"type":"finding","rule_name":"Generic API Key","match_content":"32ui1ffdasfhu239b4df2ac6609a9919","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"32ui1ffdasfhu239b4df2ac6609a9919","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919","after":"\"\n\n\n"},"rule_name":"Generic API Key"}]} +{"type": "finding", "rule_name": "Generic Password (double quoted)", "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", "num_matches": 2, "status": null, "comment": null, "matches": [ { "provenance": [ { "kind": "file", "path": "app/schema/config.py" }, { "kind": "git_repo", "repo_path": "./.git", "commit_provenance": { "commit_kind": "first_seen", "commit_metadata": { "commit_id": "0ef84b84c29924b210e3576f69d1e8632948bedc", "committer_name": "Princess Leia", "committer_email": "leia@test.com", "committer_timestamp": "1685495256 +0000", "author_name": "Princess Leia", "author_email": "leia@test.com", "author_timestamp": "1685495256 +0000", "message": 
"first commit\n" }, "blob_path": "app/schema/config.py" } } ], "blob_metadata": { "id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", "num_bytes": 664, "mime_essence": "text/plain", "charset": null }, "blob_id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", "location": { "offset_span": { "start": 617, "end": 660 }, "source_span": { "start": { "line": 16, "column": 17 }, "end": { "line": 16, "column": 59 } } }, "capture_group_index": 1, "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", "snippet": { "before": "E = \"https://testwebsite.com\"\n ", "matching": "API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919", "after": "\"\n\n\n" }, "rule_name": "Generic API Key" } ] }{"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} {"type":"finding","rule_name":"Generic Username and Password 
(unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} ~~~ @@ -35,13 +45,17 @@ If the first line is expanded, it looks like this: "matches": [ { "provenance": [ + { + "kind": "file", + "path": "app/schema/config.py" + }, { "kind": "git_repo", "repo_path": "./.git", "commit_provenance": { "commit_kind": "first_seen", "commit_metadata": { - "commit_id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", + "commit_id": "0ef84b84c29924b210e3576f69d1e8632948bedc", "committer_name": "Princess Leia", "committer_email": "leia@test.com", "committer_timestamp": "1685495256 +0000", diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index fad2454b7ca..42f98ed0af2 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py 
@@ -1483,6 +1483,7 @@ def saml2_attrib_map_format(dict):
 'Wazuh Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
 'MSDefender Parser': DEDUPE_ALGO_HASH_CODE,
 'HCLAppScan XML': DEDUPE_ALGO_HASH_CODE,
+ 'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE
 }
 # Override the hardcoded settings here via the env var
diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py
index 559fef6b4f7..a47425d3ea3 100644
--- a/dojo/tools/noseyparker/parser.py
+++ b/dojo/tools/noseyparker/parser.py
@@ -18,7 +18,7 @@ def get_label_for_scan_types(self, scan_type):
 def get_description_for_scan_types(self, scan_type):
 return "Nosey Parker report file can be imported in JSON Lines format (option --jsonl). " \
- "Supports v0.15.0 of https://github.com/praetorian-inc/noseyparker"
+ "Supports v0.16.0 of https://github.com/praetorian-inc/noseyparker"
 def get_findings(self, file, test):
 """
@@ -49,11 +49,10 @@ def get_findings(self, file, test):
 # Set Finding details
 for match in line['matches']:
- json_path = None
- if (len(match['provenance']) == 1):
- json_path = match['provenance'][0]
- if (len(match['provenance']) == 2):
- json_path = match['provenance'][1]
+ # The following path is to account for the variability in the JSONlines output
+ num_elements = len(match['provenance']) - 1
+ json_path = match['provenance'][num_elements]
+
 title = f"Secret(s) Found in Repository with Commit ID {json_path['commit_provenance']['commit_metadata']['commit_id']}"
 filepath = json_path['commit_provenance']['blob_path']
 line_num = match['location']['source_span']['start']['line']
@@ -69,10 +68,9 @@ def get_findings(self, file, test):
 # Internal de-duplication
 key = hashlib.md5((filepath + "|" + secret + "|" + str(line_num)).encode("utf-8")).hexdigest()
+ # If secret already exists with the same filepath/secret/linenum
 if key in dupes:
 finding = dupes[key]
- if finding.description:
- finding.description += "\n \n" + description
 finding.nb_occurences += 1
 dupes[key] = finding
 else:
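Review bot: The algorithm for `'Nosey Parker Scan'` moves to DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, yet no `'Nosey Parker Scan'` entry is added to the per-scanner hash-code field map anywhere in this series (the only change to that map, in the earlier settings hunk, drops a comma), so the hash-code half of the algorithm would fall back to DefectDojo's default field set, which I believe includes the description. The description this parser builds embeds committer name, committer email and a commit id, so the same secret at the same path would hash differently from one commit to the next and never match. Adding an explicit entry along the lines of `'Nosey Parker Scan': ['title', 'file_path', 'line'],` (fields the parser actually controls, as the unit test's `finding.file_path` check shows) would make the fallback deterministic; confirm against the intended dedupe behaviour before choosing the fields.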
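Review bot: `num_elements = len(match['provenance']) - 1` followed by `match['provenance'][num_elements]` is the spelled-out form of `match['provenance'][-1]`, and the comment above it should say what the variability actually is — that a `file` entry may precede the `git_repo` entry and the git entry is taken to be last — because `[-1]` on an empty list raises IndexError and a last entry of kind `file` raises KeyError on `'commit_provenance'`, both escaping the `for match` loop uncaught since the `try` that produces the parser's ValueError only covers the lines above it. Suggested: `# Nosey Parker may emit a file entry before the git_repo entry; the git_repo entry is expected last` and `json_path = match['provenance'][-1]`. The new `# If secret already exists with the same filepath/secret/linenum` comment in the dedupe hunk reads well; note that duplicates now only bump `nb_occurences` and their description is discarded, which is fine if intended. get_findings starts and ends outside the hunk.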
@@ -84,7 +82,7 @@ def get_findings(self, file, test):
 title=title,
 description=description,
 severity='High',
- mitigation="Reset the account/token. Store secrets/tokens/passwords in secret managers or secure vaults.",
+ mitigation="Reset the account/token and remove from source code. Store secrets/tokens/passwords in secret managers or secure vaults.",
 date=datetime.today().strftime("%Y-%m-%d"),
 verified=False,
 active=True,
@@ -98,6 +96,6 @@ def get_findings(self, file, test):
 )
 dupes[key] = finding
 else:
- raise ValueError("JSON lines format not recognized. Make sure to use Nosey Parker v0.15.0")
+ raise ValueError("JSON lines format not recognized. Make sure to use Nosey Parker v0.16.0")
 return list(dupes.values())
diff --git a/unittests/scans/noseyparker/noseyparker_many_vul.jsonl b/unittests/scans/noseyparker/noseyparker_many_vul.jsonl
index 8c27e92ef93..44999cafb55 100644
--- a/unittests/scans/noseyparker/noseyparker_many_vul.jsonl
+++ b/unittests/scans/noseyparker/noseyparker_many_vul.jsonl
@@ -2,3 +2,4 @@ {"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} {"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 
+0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} {"type":"finding","rule_name":"Generic Password (double quoted)","match_content":"Password","num_matches":12,"status":null,"comment":null,"matches":[{"provenance":[{"kind":"file","path":"./references/Microsoft.json"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"776f9a49398cb90f9a95f4f321bcc2009d84","committer_name":"Yoda","committer_email":"yoda@test.com","committer_timestamp":"1748581495 +0000","author_name":"Yoda","author_email":"yoda@test.com","author_timestamp":"1748581495 +0000","message":"testing\n"},"blob_path":"./references/Microsoft.json"}}],"blob_metadata":{"id":"7769b26e8694073f3270674bb2dedda8309749e4","num_bytes":14909,"mime_essence":"application/json","charset":null},"blob_id":"7769b26e8694073f3270674bb2dedda8309749e4","location":{"offset_span":{"start":7896,"end":7917},"source_span":{"start":{"line":161,"column":30},"end":{"line":161,"column":50}}},"capture_group_index":1,"match_content":"Password","snippet":{"before":" \"name\": \"vmCredentials\",\n \"type\": \"Compute.CredentialsCombocrosoft\",\n \"label\": {\n \"authenticationType\": \"Authentication type\",\n \"","matching":"password\": \"Password\"","after":",\n \"confirmPassword\": \"Confirm password\",\n \"sshPublicKey\": \"SSH public key\"\n },\n \"toolTip\": {\n \"authenticationType\": \"\",\n "}}, 
{"provenance":[{"kind":"file","path":"./references/Microsoft.json"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"776f9a49398cb90f9a95f4f321bcc2009d84","committer_name":"Yoda","committer_email":"yoda@test.com","committer_timestamp":"1748581495 +0000","author_name":"Yoda","author_email":"yoda@test.com","author_timestamp":"1748581495 +0000","message":"testing\n"},"blob_path":"./references/Microsoft.json"}}],"blob_metadata":{"id":"7769b26e8694073f3270674bb2dedda8309749e4","num_bytes":14909,"mime_essence":"application/json","charset":null},"blob_id":"7769b26e8694073f3270674bb2dedda8309749e4","location":{"offset_span":{"start":7896,"end":7917},"source_span":{"start":{"line":161,"column":30},"end":{"line":161,"column":50}}},"capture_group_index":1,"match_content":"Password","snippet":{"before":" \"name\": \"vmCredentials\",\n \"type\": \"Compute.CredentialsCombocrosoft\",\n \"label\": {\n \"authenticationType\": \"Authentication type\",\n \"","matching":"password\": \"Password\"","after":",\n \"confirmPassword\": \"Confirm password\",\n \"sshPublicKey\": \"SSH public key\"\n },\n \"toolTip\": {\n \"authenticationType\": \"\",\n "}}]} +{"type": "finding", "rule_name": "Generic Password (double quoted)", "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", "num_matches": 2, "status": null, "comment": null, "matches": [ { "provenance": [ { "kind": "file", "path": "app/schema/config.py" }, { "kind": "git_repo", "repo_path": "./.git", "commit_provenance": { "commit_kind": "first_seen", "commit_metadata": { "commit_id": "0ef84b84c29924b210e3576f69d1e8632948bedc", "committer_name": "Princess Leia", "committer_email": "leia@test.com", "committer_timestamp": "1685495256 +0000", "author_name": "Princess Leia", "author_email": "leia@test.com", "author_timestamp": "1685495256 +0000", "message": "first commit\n" }, "blob_path": "app/schema/config.py" } } ], "blob_metadata": { "id": 
"0ee84b84c29924b210e3576fe9d1e8632948bedc", "num_bytes": 664, "mime_essence": "text/plain", "charset": null }, "blob_id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", "location": { "offset_span": { "start": 617, "end": 660 }, "source_span": { "start": { "line": 16, "column": 17 }, "end": { "line": 16, "column": 59 } } }, "capture_group_index": 1, "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", "snippet": { "before": "E = \"https://testwebsite.com\"\n ", "matching": "API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919", "after": "\"\n\n\n" }, "rule_name": "Generic API Key" } ] } \ No newline at end of file diff --git a/unittests/tools/test_noseyparker_parser.py b/unittests/tools/test_noseyparker_parser.py index 513b508b41f..92d1ea89791 100644 --- a/unittests/tools/test_noseyparker_parser.py +++ b/unittests/tools/test_noseyparker_parser.py @@ -18,13 +18,13 @@ def test_noseyparker_parser_one_vuln(self): findings = parser.get_findings(testfile, Test()) testfile.close() finding = findings[0] - self.assertEqual("./app/schema/config.py", findings[0].file_path) + self.assertEqual("app/schema/config.py", finding.file_path) self.assertEqual("High", finding.severity) self.assertEqual(798, finding.cwe) self.assertEqual(1, len(findings)) def test_noseyparker_parser_many_vulns(self): - # Testfile contains 4 lines (Middle 2 are duplicates and last line has 2 of the same exact matches) + # Testfile contains 5 lines (Middle 2 are duplicates and line #4 has 2 of the same exact matches) testfile = open("unittests/scans/noseyparker/noseyparker_many_vul.jsonl") parser = NoseyParkerParser() findings = parser.get_findings(testfile, Test()) 
@@ -41,6 +41,6 @@ def test_noseyparker_parser_error(self): findings = parser.get_findings(testfile, Test()) testfile.close() self.assertTrue( - "Invalid Nosey Parker data, make sure to use Nosey Parker v0.15.0" in str(context.exception) + "Invalid Nosey Parker data, make sure to use Nosey Parker v0.16.0" in str(context.exception) ) - self.assertTrue("ECONNREFUSED" in str(context.exception)) + self.assertTrue("ECONNREFUSED" in str(context.exception)) \ No newline at end of file From ee697dc33a474d4635dce03f0f16dbb8a2c06504 Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Tue, 6 Feb 2024 21:57:03 -0500 Subject: [PATCH 26/33] Comma for consistency --- dojo/settings/settings.dist.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 42f98ed0af2..45e1b49dd84 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1483,7 +1483,7 @@ def saml2_attrib_map_format(dict): 'Wazuh Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, 'MSDefender Parser': DEDUPE_ALGO_HASH_CODE, 'HCLAppScan XML': DEDUPE_ALGO_HASH_CODE, - 'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE + 'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, } # Override the hardcoded settings here via the env var From 51148065c53a0e9fb95cb40df88336e0bd9a485b Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Tue, 6 Feb 2024 22:11:03 -0500 Subject: [PATCH 27/33] Flake8 requirements --- dojo/tools/noseyparker/parser.py | 2 +- unittests/tools/test_noseyparker_parser.py | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py index a47425d3ea3..99308b6328a 100644 --- a/dojo/tools/noseyparker/parser.py +++ b/dojo/tools/noseyparker/parser.py 
@@ -49,7 +49,7 @@ def get_findings(self, file, test): # Set Finding details for match in line['matches']: - # The following path is to account for the variability in the JSONlines output + # The following path is to account for the variability in the JSON lines output num_elements = len(match['provenance']) - 1 json_path = match['provenance'][num_elements] diff --git a/unittests/tools/test_noseyparker_parser.py b/unittests/tools/test_noseyparker_parser.py index 92d1ea89791..cb837ee23d4 100644 --- a/unittests/tools/test_noseyparker_parser.py +++ b/unittests/tools/test_noseyparker_parser.py @@ -40,7 +40,8 @@ def test_noseyparker_parser_error(self): parser = NoseyParkerParser() findings = parser.get_findings(testfile, Test()) testfile.close() + self.assertEqual(0, len(findings)) self.assertTrue( "Invalid Nosey Parker data, make sure to use Nosey Parker v0.16.0" in str(context.exception) ) - self.assertTrue("ECONNREFUSED" in str(context.exception)) \ No newline at end of file + self.assertTrue("ECONNREFUSED" in str(context.exception)) From 8d16815e2908df415612f21bfa64a0b06520bbd0 Mon Sep 17 00:00:00 2001 From: Charles Neill <1749665+cneill@users.noreply.github.com> Date: Wed, 21 Feb 2024 12:39:13 -0600 Subject: [PATCH 28/33] Update docs/content/en/integrations/parsers/file/noseyparker.md --- docs/content/en/integrations/parsers/file/noseyparker.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index b63e84b537c..ebcefd3bb36 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md +++ b/docs/content/en/integrations/parsers/file/noseyparker.md 
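Review bot: The added `self.assertEqual(0, len(findings))` in test_noseyparker_parser_error can never meaningfully run: the assertions below it read `context.exception`, which implies `parser.get_findings(testfile, Test())` sits inside a `with self.assertRaises(...) as context:` block whose opening line is outside the hunk, and in that case the call raises and neither `testfile.close()` nor the new assertion is reached; if instead the lines are outside the block, `findings` is unbound. The same dead-code reading is the only way `"ECONNREFUSED" in str(context.exception)` can coexist with the `Invalid Nosey Parker data` check, since a single ValueError message cannot contain both, so the assertion that reflects the real error text should stay and the other go. Opening the fixture with `with open("unittests/scans/noseyparker/noseyparker_many_vul.jsonl") as testfile:` (or the error fixture's path) would also guarantee the file is closed on the exception path. The test function starts outside the hunk.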
@@ -17,7 +17,6 @@ Things to note about the Nosey Parker Parser: - The scan will pick up secrets committed in the past that have since been removed - If a secret is removed from source code, it will still show up in the next scan - When importing findings via the Dojo API, make sure to use the parameter `do_not_reactivate` which will keep existing findings closed, without reactivating them - - - **For targeted branch scans:** - Keep in mind there may be active secrets that are either in the git history or not in the current branch From 02f017a0bffe95c6a725824f244cb1bd1e952acd Mon Sep 17 00:00:00 2001 From: Charles Neill <1749665+cneill@users.noreply.github.com> Date: Wed, 21 Feb 2024 12:39:24 -0600 Subject: [PATCH 29/33] Update dojo/tools/noseyparker/parser.py --- dojo/tools/noseyparker/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/noseyparker/parser.py b/dojo/tools/noseyparker/parser.py index 99308b6328a..acb28056f10 100644 --- a/dojo/tools/noseyparker/parser.py +++ b/dojo/tools/noseyparker/parser.py @@ -96,6 +96,6 @@ def get_findings(self, file, test): ) dupes[key] = finding else: - raise ValueError("JSON lines format not recognized. Make sure to use Nosey Parker v0.16.0") + raise ValueError("JSON lines format not recognized (.jsonl file extension). Make sure to use Nosey Parker v0.16.0") return list(dupes.values()) From 068106afcc2a7e5d70c36250e3a90d5d860501e0 Mon Sep 17 00:00:00 2001 From: Charles Neill <1749665+cneill@users.noreply.github.com> Date: Wed, 21 Feb 2024 13:08:08 -0600 Subject: [PATCH 30/33] Update docs/content/en/integrations/parsers/file/noseyparker.md --- docs/content/en/integrations/parsers/file/noseyparker.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index ebcefd3bb36..0bdaa425fc5 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md 
+++ b/docs/content/en/integrations/parsers/file/noseyparker.md @@ -101,4 +101,7 @@ If the first line is expanded, it looks like this: } ] } -~~~ \ No newline at end of file +~~~ + +### Sample Scan Data +Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/noseyparker). \ No newline at end of file From 8cb67957ed566375ed224bebb3588c6f9d40e17a Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Mon, 26 Feb 2024 17:29:43 -0500 Subject: [PATCH 31/33] Removed example JSONL file --- .../integrations/parsers/file/noseyparker.md | 82 +------------------ 1 file changed, 2 insertions(+), 80 deletions(-) diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index 0bdaa425fc5..11d013a7a19 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md +++ b/docs/content/en/integrations/parsers/file/noseyparker.md 
@@ -20,88 +20,10 @@ Things to note about the Nosey Parker Parser: - **For targeted branch scans:** - Keep in mind there may be active secrets that are either in the git history or not in the current branch -Acceptable JSON Lines file: + JSON Lines Format: - -Each line of the JSON Lines file from NoseyParker is one secret, but it can have multiple matches within the repository. All properties are required by the parser. +The parser only accepts .jsonl reports. Each line of the JSON Lines file from NoseyParker corresponds to a unique secret found with metadata for every match. -The following is an example of an acceptable JSON lines file: -~~~ -{"type": "finding", "rule_name": "Generic Password (double quoted)", "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", "num_matches": 2, "status": null, "comment": null, "matches": [ { "provenance": [ { "kind": "file", "path": "app/schema/config.py" }, { "kind": "git_repo", "repo_path": "./.git", "commit_provenance": { "commit_kind": "first_seen", "commit_metadata": { "commit_id": "0ef84b84c29924b210e3576f69d1e8632948bedc", "committer_name": "Princess Leia", "committer_email": "leia@test.com", "committer_timestamp": "1685495256 +0000", "author_name": "Princess Leia", "author_email": "leia@test.com", "author_timestamp": "1685495256 +0000", "message": "first commit\n" }, "blob_path": "app/schema/config.py" } } ], "blob_metadata": { "id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", "num_bytes": 664, "mime_essence": "text/plain", "charset": null }, "blob_id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", "location": { "offset_span": { "start": 617, "end": 660 }, "source_span": { "start": { "line": 16, "column": 17 }, "end": { "line": 16, "column": 59 } } }, "capture_group_index": 1, "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", "snippet": { "before": "E = \"https://testwebsite.com\"\n ", "matching": "API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919", "after": "\"\n\n\n" }, "rule_name": "Generic API Key" } ] 
}{"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 +0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} -{"type":"finding","rule_name":"Generic Username and Password (unquoted)","match_content":"secret","num_matches":1,"matches":[{"provenance":[{"kind":"file","path":"./app/schema/config.py"},{"kind":"git_repo","repo_path":"./.git","commit_provenance":{"commit_kind":"first_seen","commit_metadata":{"commit_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","committer_name":"Princess Leia","committer_email":"leia@test.com","committer_timestamp":"1685495256 +0000","author_name":"Princess Leia","author_email":"leia@test.com","author_timestamp":"1685495256 
+0000","message":"framework\n"},"blob_path":"app/schema/config.py"}}],"blob_metadata":{"id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","num_bytes":664,"mime_essence":"text/plain","charset":null},"blob_id":"0ee84b84c29924b210e3576fe9d1e8632948bedc","location":{"offset_span":{"start":617,"end":660},"source_span":{"start":{"line":16,"column":17},"end":{"line":16,"column":59}}},"capture_group_index":1,"match_content":"secret","snippet":{"before":"E = \"https://testwebsite.com\"\n ","matching":"secret","after":"testing\"\n\n\n"},"rule_name":"Generic Username and Password (unquoted)"}]} - -~~~ - -If the first line is expanded, it looks like this: - -~~~ -{ - "type": "finding", - "rule_name": "Generic Password (double quoted)", - "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", - "num_matches": 2, - "status": null, - "comment": null, - "matches": [ - { - "provenance": [ - { - "kind": "file", - "path": "app/schema/config.py" - }, - { - "kind": "git_repo", - "repo_path": "./.git", - "commit_provenance": { - "commit_kind": "first_seen", - "commit_metadata": { - "commit_id": "0ef84b84c29924b210e3576f69d1e8632948bedc", - "committer_name": "Princess Leia", - "committer_email": "leia@test.com", - "committer_timestamp": "1685495256 +0000", - "author_name": "Princess Leia", - "author_email": "leia@test.com", - "author_timestamp": "1685495256 +0000", - "message": "first commit\n" - }, - "blob_path": "app/schema/config.py" - } - } - ], - "blob_metadata": { - "id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", - "num_bytes": 664, - "mime_essence": "text/plain", - "charset": null - }, - "blob_id": "0ee84b84c29924b210e3576fe9d1e8632948bedc", - "location": { - "offset_span": { - "start": 617, - "end": 660 - }, - "source_span": { - "start": { - "line": 16, - "column": 17 - }, - "end": { - "line": 16, - "column": 59 - } - } - }, - "capture_group_index": 1, - "match_content": "32ui1ffdasfhu239b4df2ac6609a9919", - "snippet": { - "before": "E = \"https://testwebsite.com\"\n ", - 
"matching": "API_KEY = \"32ui1ffdasfhu239b4df2ac6609a9919", - "after": "\"\n\n\n" - }, - "rule_name": "Generic API Key" - } - ] -} -~~~ ### Sample Scan Data Sample scan data for testing purposes can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/noseyparker). \ No newline at end of file From 4825a140974726b48f62c051f0e3ca5eea608170 Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Mon, 26 Feb 2024 17:42:55 -0500 Subject: [PATCH 32/33] Add link to 0.16.0 Release --- docs/content/en/integrations/parsers/file/noseyparker.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index 11d013a7a19..fc535add76f 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md +++ b/docs/content/en/integrations/parsers/file/noseyparker.md @@ -4,7 +4,10 @@ toc_hide: true --- Input Type: - -This parser takes JSON Lines Output from Nosey Parker. Supports version 0.16.0 of https://github.com/praetorian-inc/noseyparker +This parser takes JSON Lines Output from Nosey Parker: https://github.com/praetorian-inc/noseyparkerSupports + +Supports version 0.16.0: +https://github.com/praetorian-inc/noseyparker/releases/tag/v0.16.0 Things to note about the Nosey Parker Parser: - From 3206c2cd2c1019d7f47754ca9aacf734dd055cf0 Mon Sep 17 00:00:00 2001 From: tpat13 <32806320+tpat13@users.noreply.github.com> Date: Mon, 26 Feb 2024 17:45:34 -0500 Subject: [PATCH 33/33] Spacing --- docs/content/en/integrations/parsers/file/noseyparker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/integrations/parsers/file/noseyparker.md b/docs/content/en/integrations/parsers/file/noseyparker.md index fc535add76f..fc08cbf03b5 100644 --- a/docs/content/en/integrations/parsers/file/noseyparker.md +++ b/docs/content/en/integrations/parsers/file/noseyparker.md 
@@ -23,7 +23,7 @@ Things to note about the Nosey Parker Parser: - **For targeted branch scans:** - Keep in mind there may be active secrets that are either in the git history or not in the current branch - JSON Lines Format: +JSON Lines Format: - The parser only accepts .jsonl reports. Each line of the JSON Lines file from NoseyParker corresponds to a unique secret found with metadata for every match.