
Vulnerability on json-logic-js@2.0.1 dependency of formiojs #4181

Closed
cuneytdev opened this issue Jul 2, 2021 · 5 comments

Comments

@cuneytdev

Hello, when my project is scanned via Fortify Software Security Center, it detects a vulnerability in the following dependency of formiojs, json-logic-js:

Vulnerability Description : The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

json-logic-js version: 2.0.1
formio version: 4.12.7
@formio/angular version: 5.1.1
framework: Angular

Thanks.

@cmcortez

cmcortez commented Jul 6, 2021

Hello,

Thank you for taking the time to report this to us. We are unable to identify any listed vulnerabilities against that package. Are you able to provide a link to the CVE? Please note this is also a 100% optional feature. There is no significant loss of functionality from avoiding its usage.

@cuneytdev
Author

Sorry, I cannot share the link. This was scanned on our local Fortify Security Center servers, but here is the description.

(screenshot: json-logic-js_vulnerability)

Thanks for your attention.

@airarrazaval
Contributor

@cmcortez here is the npm audit (although it is triggered from the formio/formio-service package, which uses formiojs@2.32.2):

(screenshot)

On a clean install these are the only warnings coming from the latest formiojs package:

(screenshot)

Directly installing json-logic-js@2.0.1 does not trigger an npm alert either:

(screenshot)

@cuneytdalan have you checked whether you are using an older version of formio.js (maybe you have an outdated package-lock.json file referencing an older json-logic-js package)?

For more information check https://snyk.io/advisor/npm-package/json-logic-js
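The suggestion above, that a scanner may be flagging an older transitive copy of json-logic-js pinned by a stale package-lock.json while the top-level dependency is current, can be checked directly against the lockfile. The following is an added example, not code from the formio project or from anyone in this thread: it walks an npm lockfile in both the v1 format (nested `dependencies`) and the v2/v3 format (flat `packages` keyed by path), lists every resolved copy of a named package with its install path, and marks copies below a minimum version. The embedded lockfiles, the `legacy-tool` package name and the `1.0.0` version it pins are constructed for the example and say nothing about any real package.

```javascript
// Added example: find every resolved version of one package in an npm lockfile.
// Multiple copies of a dependency (one current, one stale and nested under an
// older consumer) are a common reason a scanner reports a version that
// `npm ls` at the top level does not seem to show.

// Constructed lockfile in the v2/v3 layout: "packages" keyed by install path.
const SAMPLE_LOCK_V2 = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { formiojs: '^4.13.3' } },
    'node_modules/formiojs': { version: '4.13.3' },
    'node_modules/json-logic-js': { version: '2.0.1' },
    // "legacy-tool" and its nested json-logic-js 1.0.0 are constructed.
    'node_modules/legacy-tool': { version: '1.0.0' },
    'node_modules/legacy-tool/node_modules/json-logic-js': { version: '1.0.0' },
  },
};

// The same constructed tree in the older v1 layout: nested "dependencies".
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    formiojs: { version: '4.13.3', requires: { 'json-logic-js': '^2.0.1' } },
    'json-logic-js': { version: '2.0.1' },
    'legacy-tool': {
      version: '1.0.0',
      dependencies: { 'json-logic-js': { version: '1.0.0' } },
    },
  },
};

// Return [{ path, version }] for every copy of `name` in the lockfile.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself, not a dependency
      // The package name is whatever follows the last "node_modules/";
      // scoped names such as "@formio/angular" survive this split intact.
      const segments = path.split('node_modules/');
      const last = segments[segments.length - 1].replace(/\/$/, '');
      if (last === name) found.push({ path, version: meta.version });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, 'node_modules', name, found);
  }
  return found;
}

// Recursive walk of the v1 "dependencies" tree, building node_modules paths.
function walkV1(deps, prefix, name, found) {
  for (const [depName, meta] of Object.entries(deps)) {
    const path = `${prefix}/${depName}`;
    if (depName === name) found.push({ path, version: meta.version });
    if (meta.dependencies) {
      walkV1(meta.dependencies, `${path}/node_modules`, name, found);
    }
  }
}

// Minimal numeric semver comparison on major.minor.patch (prerelease tags
// are ignored, which is enough for a lockfile triage pass).
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Every copy of `name`, flagged when it is older than `minimumVersion`.
function auditLock(lock, name, minimumVersion) {
  return findPackageVersions(lock, name).map((entry) => ({
    ...entry,
    belowMinimum: compareSemver(entry.version, minimumVersion) < 0,
  }));
}

// Stand-alone usage: audit the constructed lockfiles, or a real one if a path
// is given on the command line.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V2;
  for (const e of auditLock(lock, 'json-logic-js', '2.0.1')) {
    console.log(`${e.path}\t${e.version}${e.belowMinimum ? '\tBELOW MINIMUM' : ''}`);
  }
}

module.exports = { findPackageVersions, compareSemver, auditLock, SAMPLE_LOCK_V1, SAMPLE_LOCK_V2 };
```

Run it as `node check-lock.js package-lock.json` (the file name is assumed) to see each install path of json-logic-js and its resolved version; a nested copy under another consumer's `node_modules` is exactly what a stale lockfile tends to leave behind, and regenerating the lockfile or deduplicating is the fix rather than changing the top-level dependency.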

@cuneytdev
Author

Hello, @airarrazaval,

Currently using;

formiojs: 4.13.3
@formio/angular: 5.1.1
json-logic-js: 2.0.1

Having the vulnerability on comment: #4181 (comment)

Also, I think the third-party library json-logic-js is not being maintained enough, because I opened this issue there with the link jwadhams/json-logic-js#101 (comment) and they haven't answered me yet. So maybe it would be better to replace the json-logic-js lib with another library.

Thanks,
Cüneyt.

@olgabann

We're currently addressing a backlog of GitHub issues. Closing this thread as it is outdated. Please re-open if it is still relevant. Thank you for your contribution!
