yarn audit analyzer #4215
Comments
Your report is missing key information for debugging and/or analysis. Please use the issue template provided.
I've got exactly the same issue on version 7.0.0...
Hi, got exactly the same issue.
Version of dependency-check used
Log file
To Reproduce
This module contains the web app under Now when I run
Expected behavior
Additional context
The warning in the logs
If I run
Path to yarn
The yarn version
I have the same issue with yarn 2 lockfile. Is yarn 2 (berry) already supported?
What I understand is that it has nothing to do with the lockfile. It tries to read the generated audit file from yarn and it should contain `Audit Request`. Possible issue:
So I run the In my use case the output was not expected.
One dependency is invalid. (after running So dependency check is running in offline mode and it requires that packages are downloaded already.
According to https://stackoverflow.com/a/63599370/535203 , one should now use
@anthony-o did you perform
In my GitLab pipeline I was having the same problem and solved it by setting the yarn cache path to the current directory using
It looks like, to resolve this, we need to wait for a solution for the gradle plugin org.owasp.dependencycheck and until we have a solution we need to add the following setting to our build.gradle configuration: dependencyCheck { WARNING: This will disable yarn dependency check and if you are using yarn for more than tests such as functional tests etc., your code may have vulnerabilities. There are some other dependency check plugins but they are not as good as this one.
Hello, any news regarding this issue?
@JustMehmet Any updates here?
Hello, are there any chances that it will be fixed in the near future?
With
Executing Our So this appears to be a problem with I guess either
with yarn 3
gives me: ......."dependencies":1523,"devDependencies":14,"optionalDependencies":0,"totalDependencies":1537}
Can we launch the audit by ourselves, and then tell ODC to analyse our audit to avoid errors?
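The two output shapes compared in this thread (yarn 1's stream of `auditAdvisory`/`auditSummary` records, and yarn 3's single object with an `advisories` map) can be folded into one finding list and gated on severity before the build continues. This is an added example, not code from dependency-check or yarn: it reads the advisory records themselves rather than the `Audit Request` line the analyzer looks for, and the sample records are constructed from the outputs posted in this thread, trimmed to the fields it uses.

```python
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    """One advisory, keyed by its GHSA id so yarn 1 and yarn 3 records can be merged."""
    advisory_id: str
    module: str
    severity: str
    vulnerable_versions: str
    patched_versions: str
    cves: tuple
    installed: set = field(default_factory=set)  # resolved versions that are hit
    paths: set = field(default_factory=set)      # dependency chains reaching them


def iter_json_objects(text):
    """Yield every top-level JSON value in text: one per line (yarn 1's real
    output), pretty-printed and concatenated (as pasted in this thread), or a
    single object (yarn 3). Non-JSON lines such as warnings are skipped."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        if text[pos].isspace():
            pos += 1
            continue
        try:
            obj, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            nl = text.find("\n", pos)       # skip the rest of the unparsable line
            pos = end if nl < 0 else nl + 1
            continue
        yield obj


def _merge(findings, adv):
    """Fold one advisory object (same field names in both yarn versions) into
    findings, deduplicating: yarn 1 repeats an advisory once per resolution."""
    key = adv["github_advisory_id"]
    f = findings.get(key)
    if f is None:
        f = findings[key] = Finding(
            advisory_id=key,
            module=adv["module_name"],
            severity=adv["severity"],
            vulnerable_versions=adv["vulnerable_versions"],
            patched_versions=adv["patched_versions"],
            cves=tuple(adv.get("cves") or ()),
        )
    for hit in adv.get("findings", []):
        f.installed.add(hit["version"])
        f.paths.update(hit.get("paths", []))


def parse_yarn_audit(text):
    """Return (findings sorted by severity, highest first; yarn 1 summary counts
    or None). Accepts either yarn output shape, or both concatenated."""
    findings, summary = {}, None
    for obj in iter_json_objects(text):
        if not isinstance(obj, dict):
            continue
        if "advisories" in obj:                     # yarn 3: {"advisories": {id: ...}}
            for adv in obj["advisories"].values():
                _merge(findings, adv)
        elif obj.get("type") == "auditAdvisory":    # yarn 1: one record per resolution
            _merge(findings, obj["data"]["advisory"])
        elif obj.get("type") == "auditSummary":     # yarn 1: trailing totals record
            summary = obj["data"]["vulnerabilities"]
    ordered = sorted(findings.values(), key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return ordered, summary


def failing(findings, threshold="high"):
    """Findings at or above threshold: the list a CI gate should fail the build on."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f.severity] >= floor]


# Constructed samples mirroring the two outputs pasted in this thread, trimmed to the
# fields used above (ids, versions, severities and CVEs are taken from those outputs).
YARN1_SAMPLE = """
{"type":"auditAdvisory","data":{"resolution":{"id":1092971,"path":"cypress>@cypress/request"},"advisory":{"findings":[{"version":"2.88.12","paths":["cypress>@cypress/request"]}],"vulnerable_versions":"<=2.88.12","module_name":"@cypress/request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"patched_versions":">=3.0.0"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1089270,"path":"cra-bundle-analyzer>webpack-bundle-analyzer>ejs"},"advisory":{"findings":[{"version":"2.7.4","paths":["cra-bundle-analyzer>webpack-bundle-analyzer>ejs"]}],"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"patched_versions":">=3.1.7"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":1,"high":0,"critical":1},"totalDependencies":2004}}
"""

YARN3_SAMPLE = """
{"actions":[],"advisories":{
"1092971":{"findings":[{"version":"2.88.11","paths":["cypress>@cypress/request"]}],"vulnerable_versions":"<=2.88.12","module_name":"@cypress/request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"patched_versions":">=3.0.0"},
"1092470":{"findings":[{"version":"4.1.2","paths":["cypress>@cypress/request>tough-cookie","react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"patched_versions":">=4.1.3"}}}
"""

if __name__ == "__main__":
    for label, sample in (("yarn 1", YARN1_SAMPLE), ("yarn 3", YARN3_SAMPLE)):
        found, summary = parse_yarn_audit(sample)
        print(f"{label}: {len(found)} advisories, summary={summary}")
        for f in failing(found):
            print(f"  FAIL {f.severity} {f.module} {sorted(f.installed)} -> {f.patched_versions} {f.cves}")
```

Feeding both outputs concatenated merges the same GHSA id across yarn versions, which is how the two `@cypress/request` resolutions (2.88.11 and 2.88.12) end up as one finding with two installed versions.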
I've launched the following audit command on my project:
Yarn 1.22.19:
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1092971,
"path": "cypress>@cypress/request",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "2.88.12",
"paths": [
"cypress>@cypress/request"
]
}
],
"metadata": null,
"vulnerable_versions": "<=2.88.12",
"module_name": "@cypress/request",
"severity": "moderate",
"github_advisory_id": "GHSA-p8p7-x288-28g6",
"cves": [
"CVE-2023-28155"
],
"access": "public",
"patched_versions": ">=3.0.0",
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"updated": "2023-08-14T20:53:47.000Z",
"recommendation": "Upgrade to version 3.0.0 or later",
"cwe": [
"CWE-918"
],
"found_by": null,
"deleted": null,
"id": 1092971,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
"created": "2023-03-16T15:30:19.000Z",
"reported_by": null,
"title": "Server-Side Request Forgery in Request",
"npm_advisory_id": null,
"overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1089270,
"path": "cra-bundle-analyzer>webpack-bundle-analyzer>ejs",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "2.7.4",
"paths": [
"cra-bundle-analyzer>webpack-bundle-analyzer>ejs"
]
}
],
"metadata": null,
"vulnerable_versions": "<3.1.7",
"module_name": "ejs",
"severity": "critical",
"github_advisory_id": "GHSA-phwq-j96m-2c2q",
"cves": [
"CVE-2022-29078"
],
"access": "public",
"patched_versions": ">=3.1.7",
"cvss": {
"score": 9.8,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"updated": "2023-01-30T05:02:57.000Z",
"recommendation": "Upgrade to version 3.1.7 or later",
"cwe": [
"CWE-74"
],
"found_by": null,
"deleted": null,
"id": 1089270,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q",
"created": "2022-04-26T00:00:40.000Z",
"reported_by": null,
"title": "ejs template injection vulnerability",
"npm_advisory_id": null,
"overview": "The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).",
"url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1091181,
"path": "gulp>glob-watcher>chokidar>glob-parent",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "3.1.0",
"paths": [
"gulp>glob-watcher>chokidar>glob-parent"
]
}
],
"metadata": null,
"vulnerable_versions": "<5.1.2",
"module_name": "glob-parent",
"severity": "high",
"github_advisory_id": "GHSA-ww39-953v-wcq6",
"cves": [
"CVE-2020-28469"
],
"access": "public",
"patched_versions": ">=5.1.2",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"updated": "2023-02-28T22:39:43.000Z",
"recommendation": "Upgrade to version 5.1.2 or later",
"cwe": [
"CWE-400"
],
"found_by": null,
"deleted": null,
"id": 1091181,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- https://github.com/advisories/GHSA-ww39-953v-wcq6",
"created": "2021-06-07T21:56:34.000Z",
"reported_by": null,
"title": "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex",
"npm_advisory_id": null,
"overview": "This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.",
"url": "https://github.com/advisories/GHSA-ww39-953v-wcq6"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1093882,
"path": "react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "1.0.2",
"paths": [
"react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"
]
}
],
"metadata": null,
"vulnerable_versions": "<2.0.1",
"module_name": "nth-check",
"severity": "high",
"github_advisory_id": "GHSA-rp65-9cf3-cjxr",
"cves": [
"CVE-2021-3803"
],
"access": "public",
"patched_versions": ">=2.0.1",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"updated": "2023-09-13T21:49:55.000Z",
"recommendation": "Upgrade to version 2.0.1 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093882,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
"created": "2021-09-20T20:47:31.000Z",
"reported_by": null,
"title": "Inefficient Regular Expression Complexity in nth-check",
"npm_advisory_id": null,
"overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n try {\n nthCheck.parse(attack_str) \n }\n catch(err) {\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
"url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
}
}
}
{
"type": "auditAdvisory",
"data": {
"resolution": {
"id": 1094304,
"path": "react-scripts>resolve-url-loader>postcss",
"dev": true,
"optional": false,
"bundled": false
},
"advisory": {
"findings": [
{
"version": "7.0.39",
"paths": [
"react-scripts>resolve-url-loader>postcss"
]
}
],
"metadata": null,
"vulnerable_versions": "<8.4.31",
"module_name": "postcss",
"severity": "moderate",
"github_advisory_id": "GHSA-7fh5-64p2-3v2j",
"cves": [
"CVE-2023-44270"
],
"access": "public",
"patched_versions": ">=8.4.31",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"updated": "2023-10-10T21:32:38.000Z",
"recommendation": "Upgrade to version 8.4.31 or later",
"cwe": [
"CWE-74",
"CWE-144"
],
"found_by": null,
"deleted": null,
"id": 1094304,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"created": "2023-09-30T00:31:10.000Z",
"reported_by": null,
"title": "PostCSS line return parsing error",
"npm_advisory_id": null,
"overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
}
}
}
{
"type": "auditSummary",
"data": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 2,
"high": 2,
"critical": 1
},
"dependencies": 150,
"devDependencies": 1854,
"optionalDependencies": 0,
"totalDependencies": 2004
}
}
Yarn 3.2.2:
{
"actions": [],
"advisories": {
"1092470": {
"findings": [
{
"version": "4.1.2",
"paths": [
"cypress>@cypress/request>tough-cookie",
"react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>tough-cookie",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"
]
}
],
"metadata": null,
"vulnerable_versions": "<4.1.3",
"module_name": "tough-cookie",
"severity": "moderate",
"github_advisory_id": "GHSA-72xf-g2v4-qvf3",
"cves": [
"CVE-2023-26136"
],
"access": "public",
"patched_versions": ">=4.1.3",
"cvss": {
"score": 6.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
"updated": "2023-07-11T13:44:36.000Z",
"recommendation": "Upgrade to version 4.1.3 or later",
"cwe": [
"CWE-1321"
],
"found_by": null,
"deleted": null,
"id": 1092470,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3",
"created": "2023-07-01T06:30:16.000Z",
"reported_by": null,
"title": "tough-cookie Prototype Pollution vulnerability",
"npm_advisory_id": null,
"overview": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.",
"url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3"
},
"1092971": {
"findings": [
{
"version": "2.88.11",
"paths": [
"cypress>@cypress/request"
]
}
],
"metadata": null,
"vulnerable_versions": "<=2.88.12",
"module_name": "@cypress/request",
"severity": "moderate",
"github_advisory_id": "GHSA-p8p7-x288-28g6",
"cves": [
"CVE-2023-28155"
],
"access": "public",
"patched_versions": ">=3.0.0",
"cvss": {
"score": 6.1,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
"updated": "2023-08-14T20:53:47.000Z",
"recommendation": "Upgrade to version 3.0.0 or later",
"cwe": [
"CWE-918"
],
"found_by": null,
"deleted": null,
"id": 1092971,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6",
"created": "2023-03-16T15:30:19.000Z",
"reported_by": null,
"title": "Server-Side Request Forgery in Request",
"npm_advisory_id": null,
"overview": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.",
"url": "https://github.com/advisories/GHSA-p8p7-x288-28g6"
},
"1093108": {
"findings": [
{
"version": "1.2.3",
"paths": [
"eslint>optionator>word-wrap",
"@typescript-eslint/parser>eslint>optionator>word-wrap",
"@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>eslint>@eslint-community/eslint-utils>eslint>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>escodegen>optionator>word-wrap"
]
}
],
"metadata": null,
"vulnerable_versions": "<1.2.4",
"module_name": "word-wrap",
"severity": "moderate",
"github_advisory_id": "GHSA-j8xg-fqg3-53r7",
"cves": [
"CVE-2023-26115"
],
"access": "public",
"patched_versions": ">=1.2.4",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"updated": "2023-08-24T21:37:44.000Z",
"recommendation": "Upgrade to version 1.2.4 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093108,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-26115\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657\n- https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39\n- https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4\n- https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e\n- https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39\n- https://github.com/advisories/GHSA-j8xg-fqg3-53r7",
"created": "2023-06-22T06:30:18.000Z",
"reported_by": null,
"title": "word-wrap vulnerable to Regular Expression Denial of Service",
"npm_advisory_id": null,
"overview": "All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\n",
"url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7"
},
"1093262": {
"findings": [
{
"version": "5.7.1",
"paths": [
"@typescript-eslint/eslint-plugin>semver",
"@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"eslint-config-airbnb-typescript>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/parser>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>eslint-config-react-app>eslint-plugin-jest>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>semver",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-resolve>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>@npmcli/fs>semver"
]
}
],
"metadata": null,
"vulnerable_versions": "<5.7.2",
"module_name": "semver",
"severity": "moderate",
"github_advisory_id": "GHSA-c2qf-rxjj-qqgw",
"cves": [
"CVE-2022-25883"
],
"access": "public",
"patched_versions": ">=5.7.2",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
"updated": "2023-09-01T23:43:55.000Z",
"recommendation": "Upgrade to version 5.7.2 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093262,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
"created": "2023-06-21T06:30:28.000Z",
"reported_by": null,
"title": "semver vulnerable to Regular Expression Denial of Service",
"npm_advisory_id": null,
"overview": "Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"
},
"1093882": {
"findings": [
{
"version": "1.0.2",
"paths": [
"i18next-parser>cheerio>cheerio-select>css-select>nth-check",
"react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check",
"react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check",
"cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-svgo>svgo>css-select>nth-check"
]
}
],
"metadata": null,
"vulnerable_versions": "<2.0.1",
"module_name": "nth-check",
"severity": "high",
"github_advisory_id": "GHSA-rp65-9cf3-cjxr",
"cves": [
"CVE-2021-3803"
],
"access": "public",
"patched_versions": ">=2.0.1",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"updated": "2023-09-13T21:49:55.000Z",
"recommendation": "Upgrade to version 2.0.1 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1093882,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
"created": "2021-09-20T20:47:31.000Z",
"reported_by": null,
"title": "Inefficient Regular Expression Complexity in nth-check",
"npm_advisory_id": null,
"overview": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i <= 50000; i++) {\n var time = Date.now();\n var attack_str = '2n' + ' '.repeat(i*10000)+\"!\";\n try {\n nthCheck.parse(attack_str) \n }\n catch(err) {\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
"url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
},
"1094304": {
"findings": [
{
"version": "7.0.39",
"paths": [
"react-scripts>postcss",
"cra-bundle-analyzer>react-scripts>postcss",
"cra-bundle-analyzer>react-scripts>tailwindcss>postcss",
"cra-bundle-analyzer>react-scripts>tailwindcss>postcss-import>postcss",
"cra-bundle-analyzer>react-scripts>css-loader>postcss-modules-local-by-default>icss-utils>postcss",
"cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>css-declaration-sorter>postcss",
"cra-bundle-analyzer>react-scripts>css-minimizer-webpack-plugin>cssnano>cssnano-preset-default>postcss-merge-rules>cssnano-utils>postcss"
]
}
],
"metadata": null,
"vulnerable_versions": "<8.4.31",
"module_name": "postcss",
"severity": "moderate",
"github_advisory_id": "GHSA-7fh5-64p2-3v2j",
"cves": [
"CVE-2023-44270"
],
"access": "public",
"patched_versions": ">=8.4.31",
"cvss": {
"score": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
},
"updated": "2023-10-10T21:32:38.000Z",
"recommendation": "Upgrade to version 8.4.31 or later",
"cwe": [
"CWE-74",
"CWE-144"
],
"found_by": null,
"deleted": null,
"id": 1094304,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-44270\n- https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\n- https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\n- https://github.com/postcss/postcss/releases/tag/8.4.31\n- https://github.com/github/advisory-database/issues/2820\n- https://github.com/advisories/GHSA-7fh5-64p2-3v2j",
"created": "2023-09-30T00:31:10.000Z",
"reported_by": null,
"title": "PostCSS line return parsing error",
"npm_advisory_id": null,
"overview": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.",
"url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"
},
"1094415": {
"findings": [
{
"version": "7.21.5",
"paths": [
"react-scripts>@babel/core>@babel/traverse",
"react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@svgr/webpack>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-compilation-targets>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>babel-jest>babel-preset-jest>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>babel-preset-current-node-syntax>@babel/plugin-syntax-optional-chaining>@babel/core>@babel/helper-module-transforms>@babel/traverse",
"cra-bundle-analyzer>react-scripts>jest-watch-typeahead>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>@babel/helper-module-transforms>@babel/traverse"
]
}
],
"metadata": null,
"vulnerable_versions": "<7.23.2",
"module_name": "@babel/traverse",
"severity": "critical",
"github_advisory_id": "GHSA-67hx-6x53-jw92",
"cves": [
"CVE-2023-45133"
],
"access": "public",
"patched_versions": ">=7.23.2",
"cvss": {
"score": 9.3,
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
"updated": "2023-10-20T13:27:09.000Z",
"recommendation": "Upgrade to version 7.23.2 or later",
"cwe": [
"CWE-184"
],
"found_by": null,
"deleted": null,
"id": 1094415,
"references": "- https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92\n- https://nvd.nist.gov/vuln/detail/CVE-2023-45133\n- https://github.com/babel/babel/pull/16033\n- https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82\n- https://github.com/babel/babel/releases/tag/v7.23.2\n- https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4\n- https://www.debian.org/security/2023/dsa-5528\n- https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html\n- https://babeljs.io/blog/2023/10/16/cve-2023-45133\n- https://github.com/advisories/GHSA-67hx-6x53-jw92",
"created": "2023-10-16T13:55:36.000Z",
"reported_by": null,
"title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
"npm_advisory_id": null,
"overview": "### Impact\n\nUsing Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-runtime`\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\n- Any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\n\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\n\n**Users that only compile trusted code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/traverse@7.23.2`.\n\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\n\n### Workarounds\n\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` >=7.23.2 will automatically pull in a non-vulnerable version.\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\n - `@babel/plugin-transform-runtime` v7.23.2\n - `@babel/preset-env` v7.23.2\n - `@babel/helper-define-polyfill-provider` v0.4.3\n - `babel-plugin-polyfill-corejs2` v0.4.6\n - `babel-plugin-polyfill-corejs3` v0.8.5\n - `babel-plugin-polyfill-es-shims` v0.10.0\n - `babel-plugin-polyfill-regenerator` v0.5.3",
"url": "https://github.com/advisories/GHSA-67hx-6x53-jw92"
}
},
"muted": [],
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 43,
"high": 5,
"critical": 14
},
"dependencies": 1523,
"devDependencies": 14,
"optionalDependencies": 0,
"totalDependencies": 1537
}
}
The yarn offline didn't work and had another structure. Thanks a lot for the work on ODP, I hope I'll be able to reuse it in a couple of months. PS: I've updated my project dependencies now, so the report is no longer usable for bad people 👎 |
I think the solution isn't necessarily that yarn should be friendlier in Like @ChrisSamo632, there is an error in the logs. It doesn't pain me to have dependency-checker fail if the item resolved by yarn isn't the one in the yarn.lock, but it would be nice to have that as the error instead of something rather cryptic. That is, instead of what's output to stdout/stderr now:
Have something like:
The full debug log as it's written to disk now:
|
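The clearer-error point made above, as an added example that is neither part of this issue nor dependency-check's own code: a small JavaScript parser for the registry-style audit response quoted earlier in the thread (key names follow that excerpt; the sample input is constructed) that names exactly which expected field is absent instead of surfacing a bare "No value present".

```javascript
// Added example, not dependency-check's own code: validate a registry-style audit
// response (key names as in the excerpt above) and name the missing piece on failure.
const REQUIRED = ['module_name', 'severity', 'vulnerable_versions', 'patched_versions', 'findings'];

function parseAuditResponse(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    throw new Error(`audit output is not valid JSON: ${e.message}`);
  }
  if (!doc || !doc.advisories || typeof doc.advisories !== 'object') {
    throw new Error("audit output has no 'advisories' object (offline or non-registry format?)");
  }
  if (!doc.metadata || !doc.metadata.vulnerabilities) {
    throw new Error("audit output has no 'metadata.vulnerabilities' summary");
  }
  const advisories = Object.entries(doc.advisories).map(([id, adv]) => {
    for (const key of REQUIRED) {
      if (!(key in adv)) throw new Error(`advisory ${id} is missing '${key}'`);
    }
    // Every dependency chain that reaches the vulnerable module; a path without
    // '>' means the module is a direct dependency of the project itself.
    const paths = adv.findings.flatMap((f) => f.paths || []);
    return {
      id: Number(id), module: adv.module_name, severity: adv.severity,
      cves: adv.cves || [], ghsa: adv.github_advisory_id || null,
      vulnerableVersions: adv.vulnerable_versions, patchedVersions: adv.patched_versions,
      pathCount: paths.length, direct: paths.some((p) => !p.includes('>')),
    };
  });
  const counts = doc.metadata.vulnerabilities;
  const declared = Object.values(counts).reduce((a, b) => a + b, 0);
  return { advisories, counts, declared };
}

// Constructed sample shaped like the @babel/traverse entry quoted above (paths shortened).
const SAMPLE = JSON.stringify({
  advisories: {
    1094415: {
      findings: [{ paths: ['cra-bundle-analyzer>react-scripts>@babel/core>@babel/traverse', '@babel/traverse'] }],
      vulnerable_versions: '<7.23.2', module_name: '@babel/traverse', severity: 'critical',
      github_advisory_id: 'GHSA-67hx-6x53-jw92', cves: ['CVE-2023-45133'], patched_versions: '>=7.23.2',
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 1 }, totalDependencies: 1537 },
});
```

Feeding it a document without an `advisories` object (as the offline output apparently was) yields a message naming that object, which is the kind of error a user can act on.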
Had a look at this, and it seems not so simple to resolve. The error handling is not great, and although relatively easily improved, it's not trivial to correct the real problem. The old/existing implementation runs It then uses the same code as for the other analyzer to actually call the npm registry APIs directly, parse the response etc. There does not seem to be an equivalent approach that will work with In addition to this, it's probably required to validate this all works with |
It's been a while since I looked at the Yarn implementation - but I believe we intercepted the request to get a complete listing of the dependencies. The results from the API call only contain the vulnerable dependencies. |
Ahh ok, interesting, that makes sense. There's probably a different way to get that now, via |
Describe the bug
When analyzing projects with a yarn.lock file:
"java.util.NoSuchElementException: No value present" occurs at "org.owasp.dependencycheck.analyzer.YarnAuditAnalyzer.fetchYarnAuditJson(YarnAuditAnalyzer.java:244)"
Version of dependency-check used
The problem occurs using version 6.5.2 of the cli
Expected behavior
Finished Yarn Audit Analyzer