v32.5.2 (Security Release)
Security
This release addresses the security issue detailed below. We encourage all users of ScanCode.io to upgrade as soon as possible.
- GHSA-6xcx-gx7r-rccj: Reflected Cross-Site Scripting (XSS) in license endpoint
The `license_details_view` function was subject to a cross-site scripting (XSS) attack due to inadequate validation and sanitization of the `key` parameter. The license views were migrated to class-based views, and the inputs are now properly sanitized.
Credit to @0xmpij for reporting the vulnerability.
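The pattern behind GHSA-6xcx-gx7r-rccj, shown as an added illustration that is not ScanCode.io's own code: a framework-free Python sketch of a license-details handler that reflects the `key` query parameter into its HTML response without validation or escaping, beside a hardened version that allow-lists the key format and HTML-escapes anything it echoes, plus a small defender-side check that detects raw reflection. The function names, the `LICENSE_KEY_RE` pattern and the in-memory `LICENSES` table are assumptions constructed for the example, not the project's implementation.

```python
import html
import re

# Assumed license-key format for this example (not taken from ScanCode.io):
# a lowercase letter or digit followed by letters, digits, '.', '+' or '-',
# e.g. "mit", "apache-2.0", "gpl-2.0+".
LICENSE_KEY_RE = re.compile(r"^[a-z0-9][a-z0-9.+-]{0,63}$")

# Constructed in-memory license table standing in for real license data.
LICENSES = {
    "mit": "MIT License",
    "apache-2.0": "Apache License 2.0",
}


def vulnerable_license_details(key: str) -> str:
    """Reflects the raw ``key`` parameter into the page body.

    This is the defect class the advisory describes: no validation and no
    escaping, so an unknown key is echoed back verbatim and any markup in
    the query string becomes part of the response.
    """
    name = LICENSES.get(key)
    if name is None:
        return f"<p>License '{key}' not found.</p>"
    return f"<h1>{name}</h1><p>key: {key}</p>"


def hardened_license_details(key: str) -> tuple[int, str]:
    """Validates ``key`` against an allow-list pattern, then escapes it.

    Returns an (HTTP status, body) pair. Validation rejects anything that is
    not a plausible license key; escaping is kept as a second layer so a
    later relaxation of the pattern cannot silently reintroduce reflection.
    """
    if not LICENSE_KEY_RE.fullmatch(key):
        return 400, "<p>Invalid license key.</p>"
    safe_key = html.escape(key, quote=True)
    name = LICENSES.get(key)
    if name is None:
        return 404, f"<p>License '{safe_key}' not found.</p>"
    return 200, f"<h1>{html.escape(name)}</h1><p>key: {safe_key}</p>"


def is_reflected_unescaped(rendered: str, probe: str) -> bool:
    """Defender-side check: does the probe markup appear verbatim in the body?

    Any HTML tag that survives untouched from request to response is the
    signal; an inert tag such as ``<b>probe</b>`` is enough to detect it.
    """
    return probe in rendered
```

In a Django code base the equivalent of `html.escape` is the template engine's autoescaping, which is the reason rendering through templates (as class-based views normally do) rather than building HTML strings by hand removes this class of bug; the allow-list check on `key` is still worth keeping so that bad input is rejected with a 400 before it reaches a database lookup.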
What's Changed
- Add JavaScript colocation mapping step in d2d pipeline by @keshav-space in #803
- Migrate license views to CBV and main UI #847 by @tdruez in #849
- Remove the subprocess need in the scan_package pipeline #798 by @tdruez in #855
- Security checks #850 by @tdruez in #851
Full Changelog: v32.5.1...v32.5.2