Skip to content

Fix security issues for snyk result#33

Open
jisoolee wants to merge 1 commit into
krg7880:masterfrom
jisoolee:security_update
Open

Fix security issues for snyk result#33
jisoolee wants to merge 1 commit into
krg7880:masterfrom
jisoolee:security_update

Conversation

@jisoolee

Copy link
Copy Markdown

ref #31
ref #32

@jisoolee

Copy link
Copy Markdown
Author

@kirk7880 @krg7880
Could you take a look at my PR? Thank you for your time.

This will fix a number of snyk result

Current snyk result

High sev: 7
Medium sev: 8

JISOOs-MacBook-Pro:json-schema-generator jisoolee@ca.ibm.com$ snyk test

Testing /Users/jisoolee@ca.ibm.com/develop/json-schema-generator...

Tested 74 dependencies for known issues, found 15 issues, 19 vulnerable paths.


Issues to fix by upgrading:

  Upgrade mkdirp@0.5.1 to mkdirp@0.5.2 to fix
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in minimist@0.0.8
    introduced by mkdirp@0.5.1 > minimist@0.0.8 and 1 other path(s)

  Upgrade request@2.83.0 to request@2.88.0 to fix
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-AJV-584908] in ajv@5.2.3
    introduced by request@2.83.0 > har-validator@5.0.3 > ajv@5.2.3


Patchable issues:

  Patch available for extend@3.0.1
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/npm:extend:20180424] in extend@3.0.1
    introduced by request@2.83.0 > extend@3.0.1

  Patch available for hoek@4.2.0
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/npm:hoek:20180212] in hoek@4.2.0
    introduced by request@2.83.0 > hawk@6.0.2 > hoek@4.2.0 and 3 other path(s)

  Patch available for lodash@3.10.1
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/npm:lodash:20180130] in lodash@3.10.1
    introduced by dox@0.9.0 > jsdoctypeparser@1.2.0 > lodash@3.10.1

  Patch available for stringstream@0.0.5
  ✗ Uninitialized Memory Exposure [Medium Severity][https://snyk.io/vuln/npm:stringstream:20180511] in stringstream@0.0.5
    introduced by request@2.83.0 > stringstream@0.0.5


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-450202] in lodash@3.10.1
    introduced by dox@0.9.0 > jsdoctypeparser@1.2.0 > lodash@3.10.1
  This issue was fixed in versions: 4.17.12
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-567746] in lodash@3.10.1
    introduced by dox@0.9.0 > jsdoctypeparser@1.2.0 > lodash@3.10.1
  This issue was fixed in versions: 4.17.16
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-590103] in lodash@3.10.1
    introduced by dox@0.9.0 > jsdoctypeparser@1.2.0 > lodash@3.10.1
  This issue was fixed in versions: 4.17.20
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@3.10.1
    introduced by dox@0.9.0 > jsdoctypeparser@1.2.0 > lodash@3.10.1
  This issue was fixed in versions: 4.17.17
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@3.10.1
    introduced by dox@0.9.0 > jsdoctypeparser@1.2.0 > lodash@3.10.1
  This issue was fixed in versions: 4.17.11
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-LODASH-73639] in lodash@3.10.1
    introduced by dox@0.9.0 > jsdoctypeparser@1.2.0 > lodash@3.10.1
  This issue was fixed in versions: 4.17.11
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-MARKDOWNIT-459438] in markdown-it@9.0.1
    introduced by dox@0.9.0 > markdown-it@9.0.1
  This issue was fixed in versions: 10.0.0
  ✗ Insecure Randomness [Medium Severity][https://snyk.io/vuln/npm:cryptiles:20180710] in cryptiles@3.1.2
    introduced by request@2.83.0 > hawk@6.0.2 > cryptiles@3.1.2
  This issue was fixed in versions: 3.1.3, 4.1.2
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/npm:sshpk:20180409] in sshpk@1.13.1
    introduced by request@2.83.0 > http-signature@1.2.0 > sshpk@1.13.1
  This issue was fixed in versions: 1.14.1



Organization:      jisoolee
Package manager:   npm
Target file:       package.json
Project name:      json-schema-generator
Open source:       no
Project path:      /Users/jisoolee@ca.ibm.com/develop/json-schema-generator
Licenses:          enabled

Run `snyk wizard` to address these issues.

After my PR snyk result

Medium sev: 1

JISOOs-MacBook-Pro:json-schema-generator jisoolee@ca.ibm.com$ snyk test

Testing /Users/jisoolee@ca.ibm.com/develop/json-schema-generator...

Tested 55 dependencies for known issues, found 1 issue, 1 vulnerable path.


Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in minimist@0.0.10
    introduced by optimist@0.6.1 > minimist@0.0.10
  This issue was fixed in versions: 0.2.1, 1.2.3



Organization:      jisoolee
Package manager:   npm
Target file:       package-lock.json
Project name:      json-schema-generator
Open source:       no
Project path:      /Users/jisoolee@ca.ibm.com/develop/json-schema-generator
Licenses:          enabled

Run `snyk wizard` to address these issues.

Thank you in advance.

@jisoolee

Copy link
Copy Markdown
Author

And could you release a new version after this is merged? Thank you in advance 🙇

@jisoolee

Copy link
Copy Markdown
Author

@kirk7880 @krg7880 Is there any news for this? Thank you for your time.

@jisoolee

Copy link
Copy Markdown
Author

@kirk7880 @krg7880 Could you please take a look at this PR?

@jisoolee

Copy link
Copy Markdown
Author

@kirk7880 @krg7880 Any news for this?

@jisoolee

Copy link
Copy Markdown
Author

I guess I have to update some dependencies for this..

@jisoolee

Copy link
Copy Markdown
Author

@kirk7880 @krg7880 Could you take a look at this? This PR will resolve many snyk issues.

@jisoolee

Copy link
Copy Markdown
Author

Hello @kirk7880 @krg7880 , is there any updates?

@jisoolee

Copy link
Copy Markdown
Author

Hi @kirk7880 @krg7880 , could you take a look at this PR?

@jisoolee

jisoolee commented Feb 8, 2021

Copy link
Copy Markdown
Author

Hi @kirk7880 @krg7880 , could you please update this? There are High Severity issues which could be fixed by this update.

@jisoolee

Copy link
Copy Markdown
Author

Hello, @kirk7880 @krg7880 . Could you take a look at this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant