
In dependency scan, nested dependency handlebars is vulnerable; issue occurs due to lower version #10121

Closed
deepiga-obs opened this issue Apr 9, 2021 · 3 comments

@deepiga-obs

Do you want to request a feature or report a bug?
Report a bug

What is the current behavior?
In Azure pipelines, the security scan fails due to the nested dependency handlebars.

If the current behavior is a bug, please provide the steps to reproduce.
While doing a dependency scan in deployment pipelines, or running the following command in a local environment:
docker run --rm -e "WORKSPACE=%cd%" -v %cd%:/app shiftleft/sast-scan scan --build
the issue occurs as shown in the attached screenshot (dep_scan).

My tsconfig.json

{
  "compilerOptions": {
    "module": "commonjs",
    "declaration": true,
    "removeComments": true,
    "emitDecoratorMetadata": true,
    "experimentalDecorators": true,
    "allowSyntheticDefaultImports": true,
    "target": "es2017",
    "sourceMap": true,
    "outDir": "./dist",
    "baseUrl": "./",
    "incremental": true,
    "moduleResolution": "Node",
    "esModuleInterop": true
  }
}

What is the expected behavior?
The dependency scan should pass.

What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
NestJS: v7.6.15
Typescript: v4.2.3
Mongoose: v5.12.3

Workaround
Update the dependency Handlebars.js to 4.0.14 or later.

@IslandRhythms IslandRhythms added the typescript label (Types or Types-test related issue / Pull Request) Apr 9, 2021
@vkarpov15
Collaborator

Mongoose doesn't have handlebars as a dependency, directly or indirectly:

$ npm list handlebars
mongoose@5.12.4 /home/val/Workspace/MongoDB/mongoose
└── (empty)

@vkarpov15 vkarpov15 added the can't reproduce label (Mongoose devs have been unable to reproduce this issue. Close after 14 days of inactivity.) and removed the typescript label (Types or Types-test related issue / Pull Request) Apr 16, 2021
@deepiga-obs
Author

deepiga-obs commented Apr 16, 2021

@vkarpov15 Steps to reproduce:

  1. Create a new empty Node.js project.
  2. Install the mongoose package.
  3. Check the node_modules folder; it contains the sift package. Inside the sift package we can find a yarn.lock file with handlebars@^4.0.1.
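
Added example, not code from the issue or from Mongoose: a small Node.js script that parses a v1 yarn.lock body like the one the reporter found under node_modules/sift, flags handlebars pins below the 4.0.14 workaround version, and records whether the lockfile is the project's own or one nested under node_modules (a package's own yarn.lock is never resolved by the project's installer, so such a hit is a triage candidate rather than installed code). The lockfile text and the resolved version 4.0.12 are constructed for the example.

```javascript
// Added example, not code from the issue or from Mongoose. Triage a scanner hit that
// originates from a yarn.lock shipped inside node_modules (node_modules/sift in the
// issue). SAMPLE_LOCK is constructed; 4.0.14 is the workaround version from the issue.
// Parse a v1 yarn.lock body into [{ specs, name, version }] entries.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      // Header line such as `handlebars@^4.0.1, handlebars@^4.0.2:`
      const specs = raw.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { specs, name, version: null };
      entries.push(current);
    } else if (current && /^\s{2}version /.test(raw)) {
      current.version = raw.trim().split(' ')[1].replace(/"/g, '');
    }
  }
  return entries;
}
// Numeric dotted-version comparator: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// A yarn.lock under node_modules/ belongs to a published package's source tree; the
// project's installer never resolves it, so its pins are not installed code.
function classifyLockfile(lockPath) {
  return lockPath.split(/[\\/]/).includes('node_modules') ? 'nested' : 'project';
}
// Entries of `pkg` pinned below `fixedVersion`, tagged with where the lockfile lives.
function findLowPins(lockPath, lockText, pkg, fixedVersion) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === pkg && e.version && compareVersions(e.version, fixedVersion) < 0)
    .map((e) => ({ ...e, origin: classifyLockfile(lockPath) }));
}
// Constructed stand-in for the yarn.lock found inside node_modules/sift.
const SAMPLE_LOCK = ['# constructed sample', 'handlebars@^4.0.1:', '  version "4.0.12"',
  '  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.12.tgz"',
  '', 'async@^2.5.0:', '  version "2.6.1"'].join('\n');

console.log(findLowPins('node_modules/sift/yarn.lock', SAMPLE_LOCK, 'handlebars', '4.0.14'));
```

Running it prints one hit for handlebars 4.0.12 with origin "nested"; the same lockfile at the project root would be reported with origin "project", which is the case that actually needs the version bump.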

@vkarpov15
Collaborator

Oh ok, so this issue only happens if you use yarn. We'll reopen and see if we can repro and fix.

@vkarpov15 vkarpov15 reopened this Apr 23, 2021
@vkarpov15 vkarpov15 added this to the 5.12.6 milestone Apr 23, 2021
@vkarpov15 vkarpov15 added the needs repro script label (Maybe a bug, but no repro script. The issue reporter should create a script that demos the issue) and removed the can't reproduce label (Mongoose devs have been unable to reproduce this issue. Close after 14 days of inactivity.) Apr 23, 2021