Address Snyk reported vulnerabilities #609

Closed
nilsbeuth opened this issue Nov 30, 2020 · 6 comments · Fixed by #617
Labels: bug (Something isn't working)

nilsbeuth commented Nov 30, 2020

Describe the Bug

Hi. We're experimenting with your dmn.js open source library. It looks like a super way of exposing Decisions in our application.

However, we also use https://snyk.io/ -- which helps us ensure we only use libraries that are secure.

The dmn-js library (dmn-js@9.4.0) failed our integration tests, on two counts.

  1. "Prototype Pollution". "Affected versions of this package are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload".

  2. "Denial of Service". "Affected versions of this package are vulnerable to Denial of Service. Node Fetch did not honor the size option after following a redirect".

After an initial investigation, our web developer informs me that the vulnerabilities are not within dmn-js, but within other libraries nested within.

Wondering whether there are any plans/intentions to resolve these?

Thanks

Steps to Reproduce

Connect Snyk to an application that uses the dmn-js library.

Expected Behavior

No vulnerabilities reported by snyk.

Environment

  • Library version: 9.4.0
@nilsbeuth nilsbeuth added the bug Something isn't working label Nov 30, 2020
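As an added illustration of the class of bug the quoted Snyk advisory describes (not code from dmn-js, minimist or this thread): a small argument parser in the style of `--key.subkey value` that refuses the `__proto__` / `constructor` / `prototype` segments before they can be used as property names. The `parseArgs` and `setPath` functions and the sample argv are constructed for this example; they are not the library's API.

```javascript
// Added example, not dmn-js or minimist code. Shows the guard a parser or
// deep-merge routine needs so that attacker-controlled keys cannot reach
// Object.prototype. All names and inputs here are constructed for the example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return FORBIDDEN_KEYS.has(key);
}

// Assigns `value` at a dotted path on `target`, e.g. setPath({}, 'a.b', 1)
// yields { a: { b: 1 } }. Unsafe segments are rejected outright, and only
// own properties are walked so inherited ones are never reused as containers.
function setPath(target, dottedPath, value) {
  const segments = dottedPath.split('.');
  let node = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (isUnsafeKey(key)) {
      throw new Error(`refusing unsafe key "${key}" in path "${dottedPath}"`);
    }
    if (i === segments.length - 1) {
      node[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || typeof node[key] !== 'object' || node[key] === null) {
        node[key] = {};
      }
      node = node[key];
    }
  }
  return target;
}

// Minimal "--key value" / "--key=value" parser built on setPath. Positional
// arguments are ignored; the point is the key handling, not completeness.
function parseArgs(argv) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    let key = arg.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true;
    }
    setPath(out, key, value);
  }
  return out;
}

// Constructed inputs: a benign argv and one carrying a prototype-keyed path.
const benign = parseArgs(['--name=dmn', '--opts.x', '2']);
console.log('parsed:', JSON.stringify(benign));
try {
  parseArgs(['--__proto__.polluted', 'yes']);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log('Object.prototype untouched:', ({}).polluted === undefined);
```

The check is deliberately applied to every path segment, not only the first: `constructor.prototype.x` would otherwise reach `Object.prototype` through an intermediate hop.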
pinussilvestrus (Contributor) commented

Thanks for reporting! 👍
We will discuss internally how to approach the security vulnerabilities and then come back to you.

pinussilvestrus pushed a commit that referenced this issue Nov 30, 2020
* executed `npm audit fix`

Related to #609
@pinussilvestrus pinussilvestrus changed the title Synk Vulnerabilities Snyk Vulnerabilities Nov 30, 2020
nikku (Member) commented Nov 30, 2020

> After an initial investigation, our web developer informs me that the vulnerabilities are not within dmn-js, but within other libraries nested within.

For a tool such as dmn-js we gotta distinguish two kinds of dependencies: development and production. From what I see, both node-fetch and minimist are dependencies during development only.

How do development dependencies impact your usage of dmn-js?

nikku (Member) commented Dec 1, 2020

Reproduce without snyk:

❯ (cd packages/dmn-js-shared && npm i --package-lock-only && npm audit)
npm WARN deprecated core-js@2.6.12: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm notice created a lockfile as package-lock.json. You should commit this file.
added 78 packages and audited 81 packages in 3.257s
found 2 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install inferno@7.4.6  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ inferno                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ inferno > opencollective > minimist                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ inferno                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ inferno > opencollective > node-fetch                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1556                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 2 low severity vulnerabilities in 81 scanned packages
  2 vulnerabilities require semver-major dependency updates.
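The two comments above hinge on one question: is the advisory's package reachable from the application's production dependencies, or only through devDependencies such as `inferno > opencollective > minimist`? As an added example (not part of dmn-js or of this thread), the script below walks a package.json plus a lockfile-v1 style `dependencies`/`requires` graph and classifies every path to a target package as `prod` or `dev` by the root edge it enters through. The `pkg` and `lock` objects are constructed to mimic the paths in the `npm audit` report above; the version numbers in them are placeholders, not the real ones.

```javascript
// Added example, not dmn-js code. Classifies dependency paths to a package
// as production or development-only. The inputs below are constructed to
// resemble a package.json and an npm lockfile v1 ("dependencies" map with
// per-entry "requires"); versions are placeholders.

const pkg = {
  name: 'example-app',
  dependencies: { 'dmn-js': '9.4.0' },
  devDependencies: { inferno: '7.4.3' }
};

const lock = {
  lockfileVersion: 1,
  dependencies: {
    'dmn-js':        { version: '9.4.0', requires: { 'dmn-js-shared': '9.4.0' } },
    'dmn-js-shared': { version: '9.4.0', requires: {} },
    inferno:         { version: '7.4.3', dev: true, requires: { opencollective: '1.0.3' } },
    opencollective:  { version: '1.0.3', dev: true,
                       requires: { minimist: '1.2.0', 'node-fetch': '1.6.3' } },
    minimist:        { version: '1.2.0', dev: true, requires: {} },
    'node-fetch':    { version: '1.6.3', dev: true, requires: {} }
  }
};

// Returns every path from a root dependency to `target`, tagged with the
// kind of root edge ('prod' or 'dev'). The walk uses the graph itself rather
// than the lockfile's `dev` flag, so it also works when that flag is absent.
function findPaths(pkgJson, lockJson, target) {
  const results = [];
  const roots = [
    ...Object.keys(pkgJson.dependencies || {}).map(n => [n, 'prod']),
    ...Object.keys(pkgJson.devDependencies || {}).map(n => [n, 'dev'])
  ];

  function walk(name, path, seen, kind) {
    if (name === target) {
      results.push({ kind, path: path.join(' > ') });
      return;
    }
    const entry = lockJson.dependencies[name];
    if (!entry) return; // not in the lockfile: nothing to follow
    for (const dep of Object.keys(entry.requires || {})) {
      if (seen.has(dep)) continue; // cycle guard
      const next = new Set(seen);
      next.add(dep);
      walk(dep, path.concat(dep), next, kind);
    }
  }

  for (const [rootName, kind] of roots) {
    walk(rootName, [rootName], new Set([rootName]), kind);
  }
  return results;
}

// Summary a reviewer can act on: does the package ship in production at all?
function triage(pkgJson, lockJson, target) {
  const paths = findPaths(pkgJson, lockJson, target);
  const prodPaths = paths.filter(p => p.kind === 'prod');
  return { target, reachableInProd: prodPaths.length > 0, paths };
}

for (const name of ['minimist', 'node-fetch', 'dmn-js-shared']) {
  console.log(JSON.stringify(triage(pkg, lock, name)));
}
```

For the constructed graph, `minimist` and `node-fetch` come back with a single `dev` path each and `reachableInProd: false`, while `dmn-js-shared` is reported as production-reachable through `dmn-js`. A package that shows up with both `prod` and `dev` paths still needs the production path fixed regardless of what the dev path says.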

nikku (Member) commented Dec 1, 2020

We do not have any immediate plans to resolve these issues.

@nikku nikku added the backlog Queued in backlog label Dec 1, 2020
@nikku nikku changed the title Snyk Vulnerabilities Address Snyk reported vulnerabilities Dec 1, 2020
nilsbeuth (Author) commented

Thanks @nikku for your prompt and detailed response. Our web devs will see what they can do to sidestep the vulnerabilities - and if we can't we'll likely have to find another way to render decisions.

@pinussilvestrus pinussilvestrus self-assigned this Jan 7, 2021
@pinussilvestrus pinussilvestrus added in progress Currently worked on and removed backlog Queued in backlog labels Jan 7, 2021
pinussilvestrus pushed a commit that referenced this issue Jan 13, 2021
@bpmn-io-tasks bpmn-io-tasks bot added needs review Review pending and removed in progress Currently worked on labels Jan 13, 2021
@bpmn-io-tasks bpmn-io-tasks bot removed the needs review Review pending label Jan 13, 2021
nikku pushed a commit that referenced this issue Jan 13, 2021