
yarn audit analyzer #4215

Open

DRong1121 opened this issue Mar 17, 2022 · 19 comments

@DRong1121

Describe the bug
When analyzing projects with a yarn.lock file:
"java.util.NoSuchElementException: No value present" occurs at "org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:244)"

Version of dependency-check used
The problem occurs using version 6.5.2 of the cli

Expected behavior
Finished Yarn Audit Analyzer

@DRong1121 DRong1121 added the bug label Mar 17, 2022
@mprins
Contributor

mprins commented Mar 17, 2022

Your report is missing key information for debugging and/or analysis. Please use the issue template provided.

@MichalGorskiOnegini

I've got exactly the same issue on version 7.0.0...

@maciejtoporowicz

maciejtoporowicz commented Mar 23, 2022

Hi, got exactly the same issue.

Version of dependency-check used
The problem occurs when using version 7.0.0 of the maven plugin on Windows 10.

Log file

[WARNING] An unexpected error occurred during analysis of 'C:\<REDACTED>\src\main\webapp\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
    at java.util.Optional.get (Optional.java:148)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson (YarnAuditAnalyzer.java:244)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage (YarnAuditAnalyzer.java:284)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency (YarnAuditAnalyzer.java:106)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:836)
[INFO] Finished Yarn Audit Analyzer (2 seconds)

To Reproduce
The plugin is included in the build pipeline of my maven module as follows:

<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.0.0</version>
      <configuration>
        <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
        <pathToYarn>C:\<REDACTED>\AppData\Roaming\npm\yarn.cmd</pathToYarn>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

This module contains the web app under src/main/webapp - package.json, yarn.lock and all the sources are there as well.

Now when I run mvn clean verify, this is the log that I get:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (3 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Jar Analyzer (1 seconds)
[ERROR] ----------------------------------------------------
[ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.
[ERROR] ----------------------------------------------------
[WARNING] Analyzing `C:\<REDACTED>\src\main\webapp\package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check
[INFO] Finished Node.js Package Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Created CPE Index (3 seconds)
[INFO] Finished CPE Analyzer (7 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARNING] An unexpected error occurred during analysis of 'C:\<REDACTED>\src\main\webapp\yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
    at java.util.Optional.get (Optional.java:148)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson (YarnAuditAnalyzer.java:244)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage (YarnAuditAnalyzer.java:284)
    at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency (YarnAuditAnalyzer.java:106)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:836)
[INFO] Finished Yarn Audit Analyzer (2 seconds)
[INFO] Finished RetireJS Analyzer (3 seconds)
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Analysis Complete (22 seconds)
[INFO] Writing report to: C:\<REDACTED>\target\dependency-check-report.html

Expected behavior
No error is present, Yarn Audit Analyzer contributes to the report.

Additional context

The warning in the logs
There's this warning in the log:

[WARNING] Analyzing `C:\<REDACTED>\src\main\webapp\package.json` - however, the node_modules directory does not exist. Please run `npm install` prior to running dependency-check

If I run yarn install then the above log is gone, but the Yarn Audit Analyzer fails in the same way (No value present).


Path to yarn
This is another thing that does not work for me for some reason. I can run yarn -v in the command line from any directory and it'll print a version. To my understanding this means it's correctly found on the PATH. But the maven plugin simply says it can find the path to the yarn executable.


The yarn version
Globally I've got yarn 1.22.17 installed, but in the project a 'bundled' 3.1.1 version is used - this is the result of running yarn set version stable some time ago in the directory where the sources are. A .yarnrc file is sitting there in the src/main/webapp directory and it is pointing to the 3.1.1 'bundle'. So:

  • if I run yarn -v in the src/main/webapp directory, it'll show 3.1.1
  • if I run yarn -v outside of the above directory, it'll show 1.22.17

@lavor

lavor commented Apr 24, 2022

I have the same issue with yarn 2 lockfile. Is yarn 2 (berry) already supported?

@ghost

ghost commented May 12, 2022

What I understand is that it has nothing to do with the lockfile.

It tries to read the generated audit file from yarn, and it should contain `Audit Request`.

Possible issues:

  • tmp folder/file permissions
  • yarn audit output is not as expected

So I ran yarn audit --offline --json --verbose > yarn_audit.json manually.

In my use case the output was not as expected.
Instead of the audit line I got:

{"type":"verbose","data":"Error: Couldn't find a package.json file in.... .cache/yarn/v6/npm-caniuse-lite-1.0.30001204-256c85709a348ec4d175e847a3b515c66e79f2aa-integrity/node_modules/caniuse-lite\""}

One dependency is invalid (after running yarn to install dependencies, it was valid again).

So dependency-check is running in offline mode, and it requires that packages are already downloaded.
I would suggest that dependency-check check whether the audit file contains "Couldn't find a package.json file" and provide a proper error message.

@anthony-o

According to https://stackoverflow.com/a/63599370/535203, one should now use the yarn npm audit command, but I didn't check whether the output of yarn npm audit --all --environment production --recursive --json is the same as the one we obtained with yarn audit --offline --json --verbose.

@ghost

ghost commented May 20, 2022

@anthony-o did you perform yarn before audit and could you provide output of the audit command?

@paganellif

In my GitLab pipeline I was having the same problem and solved it by setting the yarn cache path to the current directory using yarn config set cache-folder $CI_PROJECT_DIR/.yarn_cache.
I am using owasp/dependency-check:7.1.1 as the docker image for the scan job, which downloads the cache from the previous yarn install job, for which I use the docker image node:16.16.0-alpine3.15 (yarn version 1.22.19).

@JustMehmet

JustMehmet commented Feb 6, 2023

It looks like, to resolve this, we need to wait for a solution for the gradle plugin org.owasp.dependencycheck, and until we have a solution we need to add the following setting to our build.gradle configuration:

dependencyCheck {
    analyzers.nodeAudit.yarnEnabled = false
}

WARNING: This will disable the yarn dependency check, and if you are using yarn for more than tests (such as functional tests etc.), your code may have vulnerabilities.

There are some other dependency check plugins but they are not as good as this one.

@rjkf-cybermax2005

Hello, any news regarding this issue?

@leo-paz

leo-paz commented Aug 2, 2023

@JustMehmet Any updates here?

@rjkf-cybermax2005

Hello, is there any chance that it will be fixed in the near future?

@ChrisSamo632

With Dependency-Check Core version 8.4.0 and yarn 1.22.19, we see the following log (when outputting to a --log file):

DEBUG - Launching: [yarn, audit, --offline, --json, --verbose]

DEBUG - Process Error Out: {"type":"error","data":"Couldn't find any versions for \"@types/prop-types\" that matches \"^15.7.5\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}

Executing yarn audit --offline --json --verbose (which it appears is what the OWASP Dependency Check is doing) results in the same error. Running yarn audit --json --verbose, i.e. without the --offline flag as the error suggests, results in a successful yarn audit scan.

Our yarn.lock file has an entry for "@types/prop-types@*":, which currently resolves to @types/prop-types/-/prop-types-15.7.7.

So this appears to be a problem with yarn audit when run in --offline mode (the package reference does exist within the lock file and has been downloaded to the node_modules and yarn cache folder).

I guess either yarn audit needs fixing or dependency-check needs to use the online version (maybe an option flag for the CLI & Maven/Gradle plugins?).

@JayPe69

JayPe69 commented Oct 20, 2023

With yarn 3,

yarn npm audit --json --recursive

gives me: ......."dependencies":1523,"devDependencies":14,"optionalDependencies":0,"totalDependencies":1537}

Can we launch the audit ourselves, and then tell ODC to analyse our audit to avoid errors?

@JayPe69

JayPe69 commented Oct 24, 2023

I've launched the following audit commands on my project:

Yarn 1.22.19:

yarn audit --all --recursive --json > yarn1all.json
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1092971,
            "path": "cypress>@cypress/request",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "2.88.12",
                    "paths": [
                        "cypress>@cypress/request"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<=2.88.12",
            "module_name": "@cypress/request",
            "severity": "moderate",
            "github_advisory_id": "GHSA-p8p7-x288-28g6",
            "cves": [
                "CVE-2023-28155"
            ],
            "access": "public",
            "patched_versions": ">=3.0.0",
            "cvss": {
                "score": 6.1,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
            },
            "updated": "2023-08-14T20:53:47.000Z",
            "recommendation": "Upgrade to version 3.0.0 or later",
            "cwe": [
                "CWE-918"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1092971,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
            "created": "2023-03-16T15:30:19.000Z",
            "reported_by": null,
            "title": "Server-Side Request Forgery in Request",
            "npm_advisory_id": null,
            "overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
            "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1089270,
            "path": "cra-bundle-analyzer>webpack-bundle-analyzer>ejs",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "2.7.4",
                    "paths": [
                        "cra-bundle-analyzer>webpack-bundle-analyzer>ejs"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<3.1.7",
            "module_name": "ejs",
            "severity": "critical",
            "github_advisory_id": "GHSA-phwq-j96m-2c2q",
            "cves": [
                "CVE-2022-29078"
            ],
            "access": "public",
            "patched_versions": ">=3.1.7",
            "cvss": {
                "score": 9.8,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "updated": "2023-01-30T05:02:57.000Z",
            "recommendation": "Upgrade to version 3.1.7 or later",
            "cwe": [
                "CWE-74"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1089270,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q",
            "created": "2022-04-26T00:00:40.000Z",
            "reported_by": null,
            "title": "ejs template injection vulnerability",
            "npm_advisory_id": null,
            "overview": "The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).",
            "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1091181,
            "path": "gulp>glob-watcher>chokidar>glob-parent",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "3.1.0",
                    "paths": [
                        "gulp>glob-watcher>chokidar>glob-parent"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<5.1.2",
            "module_name": "glob-parent",
            "severity": "high",
            "github_advisory_id": "GHSA-ww39-953v-wcq6",
            "cves": [
                "CVE-2020-28469"
            ],
            "access": "public",
            "patched_versions": ">=5.1.2",
            "cvss": {
                "score": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "updated": "2023-02-28T22:39:43.000Z",
            "recommendation": "Upgrade to version 5.1.2 or later",
            "cwe": [
                "CWE-400"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1091181,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6",
            "created": "2021-06-07T21:56:34.000Z",
            "reported_by": null,
            "title": "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex",
            "npm_advisory_id": null,
            "overview": "This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.",
            "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1093882,
            "path": "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "1.0.2",
                    "paths": [
                        "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<2.0.1",
            "module_name": "nth-check",
            "severity": "high",
            "github_advisory_id": "GHSA-rp65-9cf3-cjxr",
            "cves": [
                "CVE-2021-3803"
            ],
            "access": "public",
            "patched_versions": ">=2.0.1",
            "cvss": {
                "score": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "updated": "2023-09-13T21:49:55.000Z",
            "recommendation": "Upgrade to version 2.0.1 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093882,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
            "created": "2021-09-20T20:47:31.000Z",
            "reported_by": null,
            "title": "Inefficient Regular Expression Complexity in nth-check",
            "npm_advisory_id": null,
            "overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n    var time = Date.now();\n    var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n    try {\n        nthCheck.parse(attack_str) \n    }\n    catch(err) {\n        var time_cost = Date.now() - time;\n        console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n    }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
            "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
        }
    }
}
{
    "type": "auditAdvisory",
    "data": {
        "resolution": {
            "id": 1094304,
            "path": "react-scripts>resolve-url-loader>postcss",
            "dev": true,
            "optional": false,
            "bundled": false
        },
        "advisory": {
            "findings": [
                {
                    "version": "7.0.39",
                    "paths": [
                        "react-scripts>resolve-url-loader>postcss"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<8.4.31",
            "module_name": "postcss",
            "severity": "moderate",
            "github_advisory_id": "GHSA-7fh5-64p2-3v2j",
            "cves": [
                "CVE-2023-44270"
            ],
            "access": "public",
            "patched_versions": ">=8.4.31",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            },
            "updated": "2023-10-10T21:32:38.000Z",
            "recommendation": "Upgrade to version 8.4.31 or later",
            "cwe": [
                "CWE-74",
                "CWE-144"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1094304,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
            "created": "2023-09-30T00:31:10.000Z",
            "reported_by": null,
            "title": "PostCSS line return parsing error",
            "npm_advisory_id": null,
            "overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
            "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
        }
    }
}
{
    "type": "auditSummary",
    "data": {
        "vulnerabilities": {
            "info": 0,
            "low": 0,
            "moderate": 2,
            "high": 2,
            "critical": 1
        },
        "dependencies": 150,
        "devDependencies": 1854,
        "optionalDependencies": 0,
        "totalDependencies": 2004
    }
}

Yarn 3.2.2:

yarn npm audit --all --recursive --json > yarn3all.json
{
    "actions": [],
    "advisories": {
        "1092470": {
            "findings": [
                {
                    "version": "4.1.2",
                    "paths": [
                        "cypress>@cypress/request>tough-cookie",
                        "react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<4.1.3",
            "module_name": "tough-cookie",
            "severity": "moderate",
            "github_advisory_id": "GHSA-72xf-g2v4-qvf3",
            "cves": [
                "CVE-2023-26136"
            ],
            "access": "public",
            "patched_versions": ">=4.1.3",
            "cvss": {
                "score": 6.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
            },
            "updated": "2023-07-11T13:44:36.000Z",
            "recommendation": "Upgrade to version 4.1.3 or later",
            "cwe": [
                "CWE-1321"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1092470,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
            "created": "2023-07-01T06:30:16.000Z",
            "reported_by": null,
            "title": "tough-cookie Prototype Pollution vulnerability",
            "npm_advisory_id": null,
            "overview": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.",
            "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3"
        },
        "1092971": {
            "findings": [
                {
                    "version": "2.88.11",
                    "paths": [
                        "cypress>@cypress/request"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<=2.88.12",
            "module_name": "@cypress/request",
            "severity": "moderate",
            "github_advisory_id": "GHSA-p8p7-x288-28g6",
            "cves": [
                "CVE-2023-28155"
            ],
            "access": "public",
            "patched_versions": ">=3.0.0",
            "cvss": {
                "score": 6.1,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
            },
            "updated": "2023-08-14T20:53:47.000Z",
            "recommendation": "Upgrade to version 3.0.0 or later",
            "cwe": [
                "CWE-918"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1092971,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
            "created": "2023-03-16T15:30:19.000Z",
            "reported_by": null,
            "title": "Server-Side Request Forgery in Request",
            "npm_advisory_id": null,
            "overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
            "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
        },
        "1093108": {
            "findings": [
                {
                    "version": "1.2.3",
                    "paths": [
                        "eslint>optionator>word-wrap",
                        "@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<1.2.4",
            "module_name": "word-wrap",
            "severity": "moderate",
            "github_advisory_id": "GHSA-j8xg-fqg3-53r7",
            "cves": [
                "CVE-2023-26115"
            ],
            "access": "public",
            "patched_versions": ">=1.2.4",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
            },
            "updated": "2023-08-24T21:37:44.000Z",
            "recommendation": "Upgrade to version 1.2.4 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093108,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26115\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657\n- https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39\n- https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4\n- https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39\n- https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
            "created": "2023-06-22T06:30:18.000Z",
            "reported_by": null,
            "title": "word-wrap vulnerable to Regular Expression Denial of Service",
            "npm_advisory_id": null,
            "overview": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\n",
            "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7"
        },
        "1093262": {
            "findings": [
                {
                    "version": "5.7.1",
                    "paths": [
                        "@typescript-eslint/eslint-plugin>semver",
                        "@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>semver",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<5.7.2",
            "module_name": "semver",
            "severity": "moderate",
            "github_advisory_id": "GHSA-c2qf-rxjj-qqgw",
            "cves": [
                "CVE-2022-25883"
            ],
            "access": "public",
            "patched_versions": ">=5.7.2",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
            },
            "updated": "2023-09-01T23:43:55.000Z",
            "recommendation": "Upgrade to version 5.7.2 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093262,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
            "created": "2023-06-21T06:30:28.000Z",
            "reported_by": null,
            "title": "semver vulnerable to Regular Expression Denial of Service",
            "npm_advisory_id": null,
            "overview": "Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
            "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"
        },
        "1093882": {
            "findings": [
                {
                    "version": "1.0.2",
                    "paths": [
                        "i18next-parser>cheerio>cheerio-select>css-select>nth-check",
                        "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
                        "react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check",
                        "cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<2.0.1",
            "module_name": "nth-check",
            "severity": "high",
            "github_advisory_id": "GHSA-rp65-9cf3-cjxr",
            "cves": [
                "CVE-2021-3803"
            ],
            "access": "public",
            "patched_versions": ">=2.0.1",
            "cvss": {
                "score": 7.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
            },
            "updated": "2023-09-13T21:49:55.000Z",
            "recommendation": "Upgrade to version 2.0.1 or later",
            "cwe": [
                "CWE-1333"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1093882,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
            "created": "2021-09-20T20:47:31.000Z",
            "reported_by": null,
            "title": "Inefficient Regular Expression Complexity in nth-check",
            "npm_advisory_id": null,
            "overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n    var time = Date.now();\n    var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n    try {\n        nthCheck.parse(attack_str) \n    }\n    catch(err) {\n        var time_cost = Date.now() - time;\n        console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n    }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
            "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
        },
        "1094304": {
            "findings": [
                {
                    "version": "7.0.39",
                    "paths": [
                        "react-scripts>postcss",
                        "cra-bundle-analyzer>react-scripts>postcss",
                        "cra-bundle-analyzer>react-scripts>tailwindcss>postcss",
                        "cra-bundle-analyzer>react-scripts>tailwindcss>postcss-import>postcss",
                        "cra-bundle-analyzer>react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss",
                        "cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss",
                        "cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>cssnano-utils>postcss"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<8.4.31",
            "module_name": "postcss",
            "severity": "moderate",
            "github_advisory_id": "GHSA-7fh5-64p2-3v2j",
            "cves": [
                "CVE-2023-44270"
            ],
            "access": "public",
            "patched_versions": ">=8.4.31",
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
            },
            "updated": "2023-10-10T21:32:38.000Z",
            "recommendation": "Upgrade to version 8.4.31 or later",
            "cwe": [
                "CWE-74",
                "CWE-144"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1094304,
            "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
            "created": "2023-09-30T00:31:10.000Z",
            "reported_by": null,
            "title": "PostCSS line return parsing error",
            "npm_advisory_id": null,
            "overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
            "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
        },
        "1094415": {
            "findings": [
                {
                    "version": "7.21.5",
                    "paths": [
                        "react-scripts>@babel/core>@babel/traverse",
                        "react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
                        "cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/traverse"
                    ]
                }
            ],
            "metadata": null,
            "vulnerable_versions": "<7.23.2",
            "module_name": "@babel/traverse",
            "severity": "critical",
            "github_advisory_id": "GHSA-67hx-6x53-jw92",
            "cves": [
                "CVE-2023-45133"
            ],
            "access": "public",
            "patched_versions": ">=7.23.2",
            "cvss": {
                "score": 9.3,
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
            },
            "updated": "2023-10-20T13:27:09.000Z",
            "recommendation": "Upgrade to version 7.23.2 or later",
            "cwe": [
                "CWE-184"
            ],
            "found_by": null,
            "deleted": null,
            "id": 1094415,
            "references": "- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92\n- https://nvd.nist.gov/vuln/detail/CVE-2023-45133\n- https://github.com/babel/babel/pull/16033\n- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82\n- https://github.com/babel/babel/releases/tag/v7.23.2\n- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4\n- https://www.debian.org/security/2023/dsa-5528\n- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html\n- https://babeljs.io/blog/2023/10/16/cve-2023-45133\n- https://github.com/advisories/GHSA-67hx-6x53-jw92",
            "created": "2023-10-16T13:55:36.000Z",
            "reported_by": null,
            "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
            "npm_advisory_id": null,
            "overview": "### Impact\n\nUsing Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-runtime`\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\n- Any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\n\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\n\n**Users that only compile trusted code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/traverse@7.23.2`.\n\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\n\n### Workarounds\n\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\n  - `@babel/plugin-transform-runtime` v7.23.2\n  - `@babel/preset-env` v7.23.2\n  - `@babel/helper-define-polyfill-provider` v0.4.3\n  - `babel-plugin-polyfill-corejs2` v0.4.6\n  - `babel-plugin-polyfill-corejs3` v0.8.5\n  - `babel-plugin-polyfill-es-shims` v0.10.0\n  - `babel-plugin-polyfill-regenerator` v0.5.3",
            "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92"
        }
    },
    "muted": [],
    "metadata": {
        "vulnerabilities": {
            "info": 0,
            "low": 0,
            "moderate": 43,
            "high": 5,
            "critical": 14
        },
        "dependencies": 1523,
        "devDependencies": 14,
        "optionalDependencies": 0,
        "totalDependencies": 1537
    }
}

The yarn offline didn't work and had another structure.
Files don't have the same structure.
So ODP is not yet compatible with yarn 2/3 for sure, and I guess it's easier in my case to launch the yarn npm audit by myself and try to integrate it directly into SonarQube.

Thanks a lot for the work on ODP, I hope I'll be able to reuse it in a couple of months.

PS: I've updated my project dependencies now, so the report is no more usable for bad people 👎
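
The report pasted above is the npm-style audit JSON: advisories keyed by id, each carrying its findings (installed version plus the dependency paths that reach it), severity, CVSS vector and patched range. As an added example, not part of the original issue and not dependency-check's own code, here is a small Python parser that turns such a report into what one would push to a dashboard such as SonarQube: per-severity counts, the direct dependencies (first path segment) through which each vulnerable package is reached, whether the CVSS vector marks it network-reachable, and a severity gate for CI. The sample input is constructed by trimming two advisories from the pasted report and shrinking the metadata block to match; all function names are mine.

```python
import json
from collections import Counter
from typing import Dict, List

# Severity ladder used by the npm/yarn audit report format, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample: two advisories trimmed from the report above, metadata
# reduced to match. Not a real project's audit output.
SAMPLE_REPORT_JSON = r'''
{
  "advisories": {
    "1093882": {
      "findings": [{"version": "1.0.2", "paths": [
        "i18next-parser>cheerio>cheerio-select>css-select>nth-check",
        "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"]}],
      "module_name": "nth-check", "severity": "high",
      "github_advisory_id": "GHSA-rp65-9cf3-cjxr", "cves": ["CVE-2021-3803"],
      "patched_versions": ">=2.0.1",
      "cvss": {"score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}
    },
    "1093108": {
      "findings": [{"version": "1.2.3", "paths": ["eslint>optionator>word-wrap"]}],
      "module_name": "word-wrap", "severity": "moderate",
      "github_advisory_id": "GHSA-j8xg-fqg3-53r7", "cves": ["CVE-2023-26115"],
      "patched_versions": ">=1.2.4",
      "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}
    }
  },
  "muted": [],
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0},
               "dependencies": 3, "devDependencies": 0, "optionalDependencies": 0,
               "totalDependencies": 3}
}
'''


def load_report(text: str) -> dict:
    return json.loads(text)


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'version': '3.1', 'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts or not parts[0].startswith("CVSS:"):
        raise ValueError(f"not a CVSS vector string: {vector!r}")
    metrics = {"version": parts[0].split(":", 1)[1]}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        metrics[key] = value
    return metrics


def direct_roots(paths: List[str]) -> List[str]:
    """'eslint>optionator>word-wrap' reaches the vulnerable package through 'eslint',
    the package that package.json actually declares; that is what has to be bumped."""
    return sorted({p.split(">", 1)[0] for p in paths})


def _rank(severity: str) -> int:
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else -1


def summarize(report: dict) -> dict:
    """Flatten the advisories map into a list sorted by severity (highest first)."""
    by_severity: Counter = Counter()
    items = []
    for advisory_id, adv in report.get("advisories", {}).items():
        findings = adv.get("findings", [])
        paths = [p for f in findings for p in f.get("paths", [])]
        by_severity[adv["severity"]] += 1
        cvss = adv.get("cvss") or {}
        vector = parse_cvss_vector(cvss["vectorString"]) if cvss.get("vectorString") else {}
        items.append({
            "id": int(advisory_id),
            "module": adv["module_name"],
            "severity": adv["severity"],
            "ghsa": adv.get("github_advisory_id"),
            "cves": list(adv.get("cves", [])),
            "installed": sorted({f["version"] for f in findings}),
            "patched": adv.get("patched_versions"),
            "score": cvss.get("score"),
            "network_reachable": vector.get("AV") == "N",  # CVSS Attack Vector: Network
            "direct_roots": direct_roots(paths),
            "path_count": len(paths),
        })
    items.sort(key=lambda i: (-_rank(i["severity"]), i["module"]))
    return {"by_severity": dict(by_severity), "items": items}


def modules_at_or_above(report: dict, min_severity: str) -> List[str]:
    """CI gate: names of vulnerable modules whose severity is at least min_severity."""
    threshold = _rank(min_severity)
    return [i["module"] for i in summarize(report)["items"] if _rank(i["severity"]) >= threshold]


if __name__ == "__main__":
    for item in summarize(load_report(SAMPLE_REPORT_JSON))["items"]:
        print(f'{item["severity"]:>8}  {item["module"]:<10} installed={item["installed"]} '
              f'patched={item["patched"]} via={item["direct_roots"]}')
```

The direct-root view is the one that matters when triaging: the pasted report lists a dozen paths for word-wrap, but nearly all of them go through `eslint` or `react-scripts`, so one or two bumps close them all.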

@rddesmond

rddesmond commented Jan 19, 2024

I think the solution isn't necessarily that yarn should be friendlier in --offline mode, it's that the error from YarnAuditAnalyzer could be friendlier.

Like @ChrisSamo632, there is an error in the logs. It doesn't pain me to have dependency-checker fail if the item resolved by yarn isn't the one in the yarn.lock, but it would be nice to have that as the error instead of something rather cryptic.

That is, instead of what's output to the stdout/stderr now:

[WARN] An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): No value present
[ERROR] 
java.util.NoSuchElementException: No value present
	at java.base/java.util.Optional.get(Optional.java:143)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:240)
        ...

Have something like:

[WARN] An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): Couldn't find any versions for \"@probe.gl/env\" that matches \"4.0.1\".
[ERROR] Unable to execute a yarn audit because of a mismatch between the yarn.lock and resolved dependencies.

The full debug log as it's written to disk now:

DEBUG - Launching: [yarn, audit, --offline, --json, --verbose]
2024-01-19 21:41:35,175 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:234
DEBUG - Process Error Out: {"type":"error","data":"Couldn't find any versions for \"@probe.gl/env\" that matches \"4.0.1\" in our cache (possible versions are \"\"). This is usually caused by a missing entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}

2024-01-19 21:41:35,175 org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer:235
DEBUG - Process Out: 
2024-01-19 21:41:35,177 org.owasp.dependencycheck.AnalysisTask:94
WARN  - An unexpected error occurred during analysis of '/src/yarn.lock' (Yarn Audit Analyzer): No value present
2024-01-19 21:41:35,179 org.owasp.dependencycheck.AnalysisTask:96
ERROR - 
java.util.NoSuchElementException: No value present
	at java.base/java.util.Optional.get(Optional.java:143)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:240)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzePackage(YarnAuditAnalyzer.java:280)
	at org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.analyzeDependency(YarnAuditAnalyzer.java:105)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
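
The debug log above shows that yarn already reports the real cause in structured form on stderr (a `{"type":"error","data":"..."}` line) while stdout is empty; the `NoSuchElementException` comes from the analyzer unwrapping an `Optional` it never checked. As an added example of the friendlier handling rddesmond describes, and not dependency-check's own code (which is Java), here is the approach in Python: parse yarn's JSON lines, surface any `error` record as the failure message, and only then look for advisory records. The stderr sample reuses the error line from the debug log; the `auditAdvisory`/`auditSummary` stdout lines are constructed to the shape I understand yarn 1's `yarn audit --json` prints (an assumption), and the `interpret_audit_run`/`AuditOutcome` names are hypothetical.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the stderr error line quoted in the debug log above,
# preceded by a plain-text line that a JSON-lines parser must skip.
SAMPLE_STDERR_MISMATCH = "\n".join([
    "yarn audit v0.0.0-placeholder",
    '{"type":"error","data":"Couldn\'t find any versions for \\"@probe.gl/env\\" that matches '
    '\\"4.0.1\\" in our cache (possible versions are \\"\\"). This is usually caused by a missing '
    'entry in the lockfile, running Yarn without the --offline flag may help fix this issue."}',
])

# Constructed sample of a successful run (assumed yarn 1 line types).
SAMPLE_STDOUT_OK = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1093108, "path": "eslint>optionator>word-wrap", "dev": True},
        "advisory": {"id": 1093108, "module_name": "word-wrap", "severity": "moderate",
                     "github_advisory_id": "GHSA-j8xg-fqg3-53r7",
                     "patched_versions": ">=1.2.4"}}}),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 0, "critical": 0},
        "totalDependencies": 3}}),
])

# Substrings of yarn's message that identify a lockfile/resolution mismatch.
LOCKFILE_MISMATCH_MARKERS = ("Couldn't find any versions", "missing entry in the lockfile")


@dataclass
class AuditOutcome:
    ok: bool
    message: str
    yarn_errors: List[str] = field(default_factory=list)
    advisories: List[dict] = field(default_factory=list)
    summary: Optional[dict] = None


def parse_json_lines(text: str) -> List[dict]:
    """Return every line that parses as a JSON object; yarn mixes plain text in."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def yarn_error_messages(stderr: str) -> List[str]:
    return [r["data"] for r in parse_json_lines(stderr)
            if r.get("type") == "error" and isinstance(r.get("data"), str)]


def classify_error(msg: str) -> str:
    if any(marker in msg for marker in LOCKFILE_MISMATCH_MARKERS):
        return ("Unable to execute a yarn audit because of a mismatch between "
                "the yarn.lock and resolved dependencies.")
    return "yarn audit failed."


def interpret_audit_run(stdout: str, stderr: str, exit_code: int) -> AuditOutcome:
    """Decide what a finished 'yarn audit --json' process actually told us.

    The exit code alone is not a failure signal: yarn 1 exits non-zero whenever
    vulnerabilities are found (the code is a mask of the severities), so the
    structured error records on stderr are the reliable indicator.
    """
    errors = yarn_error_messages(stderr)
    if errors:
        return AuditOutcome(ok=False,
                            message=f"{classify_error(errors[0])} yarn said: {errors[0]}",
                            yarn_errors=errors)
    records = parse_json_lines(stdout)
    if not records:
        return AuditOutcome(ok=False, message=(
            f"yarn audit produced no JSON output (exit code {exit_code}); nothing to parse."))
    advisories = [r["data"] for r in records if r.get("type") == "auditAdvisory"]
    summaries = [r["data"] for r in records if r.get("type") == "auditSummary"]
    return AuditOutcome(ok=True, message=f"{len(advisories)} advisory record(s)",
                        advisories=advisories, summary=summaries[-1] if summaries else None)


if __name__ == "__main__":
    print(interpret_audit_run("", SAMPLE_STDERR_MISMATCH, 1).message)
    print(interpret_audit_run(SAMPLE_STDOUT_OK, "", 4).message)
```

The empty-stdout branch is the case from this issue: with no advisory records and no error record, the analyzer still gets a sentence that names the condition instead of an unexplained `No value present`.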

@chadlwilson
Contributor

Had a look at this, and it seems not so simple to resolve. The error handling is not great, and although relatively easily improved, it's not trivial to correct the real problem.

The old/existing implementation runs yarn audit in --verbose/--offline mode and then scrapes the query that yarn would otherwise make to the npm registry from the output. It is this output query scraping that fails, as it is no longer in the output, even if you correct the flags.

It then uses the same code as for the other analyzer to actually call the npm registry APIs directly, parse the response etc.

There does not seem an equivalent approach that will work with yarn npm audit on Yarn Berry, except to rely on yarn to query the registry instead. It's not really clear to me why the previous implementation worked the way it did, but if the JSON output is the same perhaps it's possible to just reuse the parsed output from the registry while allowing yarn to make the call.

In addition to this, it's probably required to validate this all works with corepack enable and various styles of usage of yarn (e.g. the modern approach where it expects you to have the specific yarn version source controlled in .yarn and referred to via a .yarnrc.yml etc).

@jeremylong
Owner

It's been a while since I looked at the Yarn implementation, but I believe we intercepted the request to get a complete listing of the dependencies. The results from the API call only contain the vulnerable dependencies.

@chadlwilson
Contributor

Ahh ok, interesting, that makes sense. There's probably a different way to get that now, via yarn info --recursive --json but haven't really looked into it as it's not a command I regularly use.
