highlight-words library is giving Math.random vulnerability scan as high #34
Comments
#35, can you apply this pull request if you are ok with it, or fix it the way you wanted.

Sir, can you please look at the PR I created?
Hi @shajithomas32! Thanks for taking a look at this. I don't really see the security issue though. I'd say...if this is the only security problem with your app, then you're doing better than 99% of the apps out there. Congrats! For us, the overhead of using crypto isn't worth it. Seeing how you've PRed already, it means you can already use your code in your app if you so choose. To do this, you can make use of npm overrides, as documented here. Essentially, do this:

So no matter what your dependencies use, you'll pull in your code.
Thanks for your time. We were using Material React Table, and it was using highlight-words. The Material React Table author said he can adjust Material React Table if you update on your side. The only high warning we got from Material React Table was this one; other than that the scan was clean. The Fortify scan was done by our company; attached is the scan result. Even using Material React Table, can I use this override to get the PR copy when building? See the conversation thread with the Material React Table author:

```json
{
  "overrides": {
    "highlight-words": "git://github.com/shajithomas32/highlight-words.git"
  }
}
```

KevinVandy/material-react-table#950
> On Mon, Jan 22, 2024, 2:28 AM Bogdan Lazar wrote: Closed #34 as completed.
Yes, that's what overrides does.
Thanks for your workaround suggestion. But you can consider this request in the future, because it helps us with the scan paperwork. We got this scan result from a Fortify scan. I highly recommend doing scans, because companies are strict with scan results even though the scan results don't make sense in this case.
highlight-words library is giving Math.random vulnerability scan as high; can we please fix it soon and get a new version?

> That probably means you (or a plugin you are using) are using the JS native Math.random(), which has been deemed insecure. You can replace those functions with the latest JS crypto stuff here: https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues

We are using Material-React-Table, and this is the only high warning we got, because highlight-words is used by Material-React-Table. No other libraries used by Material-React-Table gave any warning. "That probably means you (or a plugin you are using) are using the JS native Math.random(), which has been deemed insecure. You can replace those functions with the latest JS crypto stuff" was the recommendation we received. What you commented makes sense, but if you can replace Math.random(), it will make our scan clean. We mentioned it only because this is the only warning we got when using Material-React-Table, and sometimes companies refuse to use it just because of the warning, even though it's not anything significant. See the attached screenshot.