
monorepo-symlink-test GHSA-2jcg-qqmg-46q6 Vulnerability #303

Closed
castafab opened this issue May 26, 2023 · 9 comments

Comments

@castafab

Hi, using the grype Scan Vulnerabilities tool it was possible to detect a vulnerability in one of the dependencies that you use.

That dependency is in a package.json file inside of rest->resolver->multirepo->package.json in the node_modules from the resolve library.

The dependency that contains the vulnerability is monorepo-symlink-test, which was also already removed from the npm library (https://www.npmjs.com/search?q=symlink-test); you can check the readme on that page, which says it was removed because it contains malicious code.

Do you have any prediction for when this dependency will be removed from your list of dependencies?

@mferreira3

I'm having the same issue, would be glad if someone could take a look at this considering the severity of it 😕

@ljharb
Member

ljharb commented May 26, 2023

This is not a vulnerability, full stop. This is test code that is never used in production.

In fact, this package isn't even the same package as monorepo-symlink-test, that's just what I named it - it has private: true so it can't even be published.

So, your vulnerability scanner has broken heuristics, and I wouldn't trust its results.

Duplicate of #288. Duplicate of #291.
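The distinction drawn above (a `private: true` test fixture that merely shares a name with an npm package versus a real installed dependency) can be checked mechanically when triaging a name-based scanner hit. This is an added example for triage, not code from this project or from any scanner; the finding, path and manifest contents are constructed to mirror the case in this thread.

```python
import json
from pathlib import PurePosixPath

# Constructed sample finding: the scanner reports a package name and the
# manifest path it matched on. Mirrors this thread's case (assumed layout).
SAMPLE_FINDING = {
    "package": "monorepo-symlink-test",
    "path": "node_modules/resolve/test/resolver/multirepo/package.json",
}
# Constructed manifest contents for the flagged fixture.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "monorepo-symlink-test",
    "private": True,
    "version": "0.0.0",
})

TEST_DIRS = {"test", "tests", "__tests__", "fixtures"}


def parent_package(parts):
    """Name of the installed package that owns this manifest (segment after
    the last node_modules), or None if the path is not under node_modules."""
    idx = [i for i, p in enumerate(parts) if p == "node_modules"]
    if not idx or idx[-1] + 1 >= len(parts):
        return None
    return parts[idx[-1] + 1]


def classify_finding(finding, package_json_text):
    """Return (verdict, reasons) for a scanner hit that matched on name only.

    Evidence that the hit is a fixture rather than a real dependency:
    the manifest is private (cannot be published), it sits under a test
    directory of another package, or its name does not match the advisory.
    """
    pkg = json.loads(package_json_text)
    parts = PurePosixPath(finding["path"]).parts
    reasons = []
    if pkg.get("private") is True:
        reasons.append("manifest has private: true, so it cannot be published to npm")
    owner = parent_package(parts)
    if owner and owner != finding["package"] and TEST_DIRS & set(parts):
        reasons.append(f"manifest lives under a test directory of '{owner}', not an installed copy of the package")
    if pkg.get("name") != finding["package"]:
        reasons.append("manifest name does not match the flagged package")
    verdict = "likely false positive" if reasons else "needs review"
    return verdict, reasons
```

A hit with no such evidence (a normally installed manifest whose name matches) falls through to "needs review" rather than being dismissed.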

@ljharb ljharb closed this as not planned (won't fix, can't repro, duplicate, stale) on May 26, 2023
@saintmalik

I think this is a false positive scan result from the grype scanner.

@ljharb
Member

ljharb commented May 31, 2023

Yes, it absolutely is, and it should give you serious pause about relying on that scanner.

@mfrye-aisera

We just were alerted about this as well. I'm not sure which scanner found this, but it was passed around the company until this landed in my inbox.

I reviewed the other issues and understand the background here. If it's just the module name, maybe it would be good to change it to avoid any confusion. Otherwise, this will probably be a non-stop stream of enterprises that discover this and want to know what's going on.

@saintmalik

This comment was marked as spam.

@ljharb
Member

ljharb commented May 31, 2023

@mfrye-aisera I could, but then people wouldn't discover that their "security scanner" fails to understand the semantics of the ecosystem it's trying to secure.

@mfrye-aisera

@ljharb totally agree. I'm not a fan of our security scanner as I've already found that it missed other more important stuff. I've already flagged this internally as not an issue, so I think we're good here.

My comment was more for you, as I assume you're going to be continually annoyed with requests about this as orgs slowly discover the issue. So the easiest fix is to just change the name of the module, right?

@ljharb
Member

ljharb commented May 31, 2023

Thanks, I appreciate your concern :-) I'll keep it this way for the time being, but certainly would rename it if it ever exceeds my tolerance for such things.

ljharb added a commit that referenced this issue Oct 10, 2023
…d security scanners

Fixes #319.
Fixes #318.
Fixes #317.
Fixes #314.
Closes #313.
Fixes #312.
Fixes #311.
Fixes #310.
Fixes #309.
Fixes #306.
Fixes #305.
Fixes #304.
Fixes #303.
Fixes #291.
Fixes #288.