WIP but move to formatters #180
Merged
ButterB0wl approved these changes on Mar 3, 2020:
xml output for quiet on juiceshop
<?xml version="1.0"?>
<testsuite tests="7" timestamp="2020-03-03T12:15:46.006Z" failures="7">
<testcase classname="pkg:npm/[email protected]" name="pkg:npm/[email protected]">
<failure type="Vulnerability detected">Vulnerability Title: Verification Bypass
ID: aa34c86b-8889-40c0-9acb-460005f07ea3
Description: There is a vulnerability in this module when the verification part is expecting a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
The issue is because this library has the very same signature to verify both type of tokens (parameter: `secretOrPublicKey`).
This change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/aa34c86b-8889-40c0-9acb-460005f07ea3
</failure>
</testcase>
<testcase classname="pkg:npm/[email protected]" name="pkg:npm/[email protected]">
<failure type="Vulnerability detected">Vulnerability Title: Forgeable Public/Private Tokens
ID: ffe29273-9f73-47ff-9a34-13c089c8cfb2
Description: The component 'jws' is vulnerable.
A malicious user with knowledge of the public key can forge tokens that pass verification, due to a weakness caused by allowing the attacker to specify the verification function algorithm.
[For all versions before 3.0.0.]
CVSS Score: 8.7
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/ffe29273-9f73-47ff-9a34-13c089c8cfb2
</failure>
</testcase>
<testcase classname="pkg:npm/[email protected]" name="pkg:npm/[email protected]">
<failure type="Vulnerability detected">Vulnerability Title: CWE-125: Out-of-bounds Read
ID: 16789607-a66c-405b-9cb5-de5474b8bd7a
Description: The software reads data past the end, or before the beginning, of the intended buffer.
CVSS Score: 7.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/16789607-a66c-405b-9cb5-de5474b8bd7a
</failure>
</testcase>
<testcase classname="pkg:npm/[email protected]" name="pkg:npm/[email protected]">
<failure type="Vulnerability detected">Vulnerability Title: [CVE-2016-4055] The duration function in the moment package before 2.11.2 for Node.js allows rem...
ID: be1d7c12-e9e6-4460-b370-2ec9921cf915
Description: The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2016-4055
Reference: https://ossindex.sonatype.org/vuln/be1d7c12-e9e6-4460-b370-2ec9921cf915
Vulnerability Title: [CVE-2017-18214] The moment module before 2.19.3 for Node.js is prone to a regular expression den...
ID: 58fdd459-8d4a-4bf6-b106-ef7cff98268c
Description: The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2017-18214
Reference: https://ossindex.sonatype.org/vuln/58fdd459-8d4a-4bf6-b106-ef7cff98268c
Vulnerability Title: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
ID: d939d5e9-46d5-4682-a6c7-756e5fea2b2b
Description: The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/d939d5e9-46d5-4682-a6c7-756e5fea2b2b
</failure>
</testcase>
<testcase classname="pkg:npm/[email protected]" name="pkg:npm/[email protected]">
<failure type="Vulnerability detected">Vulnerability Title: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
ID: c563e34d-f54e-4d02-b464-330539cc8aca
Description: The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/c563e34d-f54e-4d02-b464-330539cc8aca
</failure>
</testcase>
<testcase classname="pkg:npm/[email protected]" name="pkg:npm/[email protected]">
<failure type="Vulnerability detected">Vulnerability Title: Sanitization not applied recursively
ID: 22dfe542-af41-43c8-b2f4-361a24948fdd
Description: Sanitization is not applied recursively, leading to a vulnerability to certain masking attacks.
The issue was later resolved in a different manner:
> This issue has been resolved better through the use of the decodeEntities: true option of htmlparser2. Recursive invocation is no longer required to pass the test suite.
>
> -- [github.com](https://github.com/punkave/sanitize-html/issues/29)
CVSS Score: 0
CVSS Vector: undefined
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/22dfe542-af41-43c8-b2f4-361a24948fdd
Vulnerability Title: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ID: 1c0eccfb-8955-435a-9188-9ecc4130dd92
Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/1c0eccfb-8955-435a-9188-9ecc4130dd92
Vulnerability Title: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ID: f5f2bb79-9535-4101-89b6-dc19d01778f8
Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/f5f2bb79-9535-4101-89b6-dc19d01778f8
Vulnerability Title: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ID: d2655bca-24d7-4694-b571-a9f3376b044d
Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/d2655bca-24d7-4694-b571-a9f3376b044d
Vulnerability Title: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ID: bca50ed8-4378-47c2-90ab-331708a55c66
Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/bca50ed8-4378-47c2-90ab-331708a55c66
</failure>
</testcase>
<testcase classname="pkg:npm/[email protected]" name="pkg:npm/[email protected]">
<failure type="Vulnerability detected">Vulnerability Title: CWE-471: Modification of Assumed-Immutable Data (MAID)
ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Description: The software does not properly protect an assumed-immutable element from being modified by an attacker.
CVSS Score: 7.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Vulnerability Title: CWE-506: Embedded Malicious Code
ID: a86c2790-8c02-4fee-8d77-3366312f926b
Description: The application contains code that appears to be malicious in nature.
CVSS Score: 9.6
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/a86c2790-8c02-4fee-8d77-3366312f926b
Vulnerability Title: [NPMJS]Prototype Pollution
ID: 78a61524-80c5-4371-b6d1-6b32af349043
Description: The component 'Lodash' is vulnerable.
null
[For all versions before 4.17.11.]
CVSS Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/78a61524-80c5-4371-b6d1-6b32af349043
</failure>
</testcase>
</testsuite>
json output for the same:
[
{
"coordinates": "pkg:npm/[email protected]",
"description": "JSON Web Token implementation (symmetric and asymmetric)",
"reference": "https://ossindex.sonatype.org/component/pkg:npm/[email protected]",
"vulnerabilities": [
{
"id": "aa34c86b-8889-40c0-9acb-460005f07ea3",
"title": "Verification Bypass",
"description": "There is a vulnerability in this module when the verification part is expecting a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).\n\nThe issue is because this library has the very same signature to verify both type of tokens (parameter: `secretOrPublicKey`).\n\nThis change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`",
"cvssScore": 7.5,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"reference": "https://ossindex.sonatype.org/vuln/aa34c86b-8889-40c0-9acb-460005f07ea3"
}
]
},
{
"coordinates": "pkg:npm/[email protected]",
"description": "Implementation of JSON Web Signatures",
"reference": "https://ossindex.sonatype.org/component/pkg:npm/[email protected]",
"vulnerabilities": [
{
"id": "ffe29273-9f73-47ff-9a34-13c089c8cfb2",
"title": "Forgeable Public/Private Tokens",
"description": "The component 'jws' is vulnerable.\n\nA malicious user with knowledge of the public key can forge tokens that pass verification, due to a weakness caused by allowing the attacker to specify the verification function algorithm.\n\n[For all versions before 3.0.0.]",
"cvssScore": 8.7,
"cvssVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"reference": "https://ossindex.sonatype.org/vuln/ffe29273-9f73-47ff-9a34-13c089c8cfb2"
}
]
},
{
"coordinates": "pkg:npm/[email protected]",
"description": "For encoding to/from base64urls",
"reference": "https://ossindex.sonatype.org/component/pkg:npm/[email protected]",
"vulnerabilities": [
{
"id": "16789607-a66c-405b-9cb5-de5474b8bd7a",
"title": "CWE-125: Out-of-bounds Read",
"description": "The software reads data past the end, or before the beginning, of the intended buffer.",
"cvssScore": 7.4,
"cvssVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"reference": "https://ossindex.sonatype.org/vuln/16789607-a66c-405b-9cb5-de5474b8bd7a"
}
]
},
{
"coordinates": "pkg:npm/[email protected]",
"description": "Parse, validate, manipulate, and display dates",
"reference": "https://ossindex.sonatype.org/component/pkg:npm/[email protected]",
"vulnerabilities": [
{
"id": "be1d7c12-e9e6-4460-b370-2ec9921cf915",
"title": "[CVE-2016-4055] The duration function in the moment package before 2.11.2 for Node.js allows rem...",
"description": "The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a \"regular expression Denial of Service (ReDoS).\"",
"cvssScore": 6.5,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"cve": "CVE-2016-4055",
"reference": "https://ossindex.sonatype.org/vuln/be1d7c12-e9e6-4460-b370-2ec9921cf915"
},
{
"id": "58fdd459-8d4a-4bf6-b106-ef7cff98268c",
"title": "[CVE-2017-18214] The moment module before 2.19.3 for Node.js is prone to a regular expression den...",
"description": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"cvssScore": 7.5,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cve": "CVE-2017-18214",
"reference": "https://ossindex.sonatype.org/vuln/58fdd459-8d4a-4bf6-b106-ef7cff98268c"
},
{
"id": "d939d5e9-46d5-4682-a6c7-756e5fea2b2b",
"title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
"description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
"cvssScore": 7.5,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"reference": "https://ossindex.sonatype.org/vuln/d939d5e9-46d5-4682-a6c7-756e5fea2b2b"
}
]
},
{
"coordinates": "pkg:npm/[email protected]",
"description": "MarsDB is a lightweight client-side MongoDB-like database, Promise based, written in ES6",
"reference": "https://ossindex.sonatype.org/component/pkg:npm/[email protected]",
"vulnerabilities": [
{
"id": "c563e34d-f54e-4d02-b464-330539cc8aca",
"title": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')",
"description": "The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.",
"cvssScore": 9.8,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"reference": "https://ossindex.sonatype.org/vuln/c563e34d-f54e-4d02-b464-330539cc8aca"
}
]
},
{
"coordinates": "pkg:npm/[email protected]",
"description": "Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis",
"reference": "https://ossindex.sonatype.org/component/pkg:npm/[email protected]",
"vulnerabilities": [
{
"id": "22dfe542-af41-43c8-b2f4-361a24948fdd",
"title": "Sanitization not applied recursively",
"description": "Sanitization is not applied recursively, leading to a vulnerability to certain masking attacks.\n\nThe issue was later resolved in a different manner:\n\n> This issue has been resolved better through the use of the decodeEntities: true option of htmlparser2. Recursive invocation is no longer required to pass the test suite.\n> \n> -- [github.com](https://github.com/punkave/sanitize-html/issues/29)",
"cvssScore": 0,
"reference": "https://ossindex.sonatype.org/vuln/22dfe542-af41-43c8-b2f4-361a24948fdd"
},
{
"id": "1c0eccfb-8955-435a-9188-9ecc4130dd92",
"title": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"cvssScore": 5.4,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"reference": "https://ossindex.sonatype.org/vuln/1c0eccfb-8955-435a-9188-9ecc4130dd92"
},
{
"id": "f5f2bb79-9535-4101-89b6-dc19d01778f8",
"title": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"cvssScore": 6.1,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"reference": "https://ossindex.sonatype.org/vuln/f5f2bb79-9535-4101-89b6-dc19d01778f8"
},
{
"id": "d2655bca-24d7-4694-b571-a9f3376b044d",
"title": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"cvssScore": 6.1,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"reference": "https://ossindex.sonatype.org/vuln/d2655bca-24d7-4694-b571-a9f3376b044d"
},
{
"id": "bca50ed8-4378-47c2-90ab-331708a55c66",
"title": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"cvssScore": 6.1,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"reference": "https://ossindex.sonatype.org/vuln/bca50ed8-4378-47c2-90ab-331708a55c66"
}
]
},
{
"coordinates": "pkg:npm/[email protected]",
"description": "The modern build of lodash modular utilities.",
"reference": "https://ossindex.sonatype.org/component/pkg:npm/[email protected]",
"vulnerabilities": [
{
"id": "0f23ff35-235f-404f-8118-bc1580673fd0",
"title": "CWE-471: Modification of Assumed-Immutable Data (MAID)",
"description": "The software does not properly protect an assumed-immutable element from being modified by an attacker.",
"cvssScore": 7.4,
"cvssVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"reference": "https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0"
},
{
"id": "a86c2790-8c02-4fee-8d77-3366312f926b",
"title": "CWE-506: Embedded Malicious Code",
"description": "The application contains code that appears to be malicious in nature.",
"cvssScore": 9.6,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"reference": "https://ossindex.sonatype.org/vuln/a86c2790-8c02-4fee-8d77-3366312f926b"
},
{
"id": "78a61524-80c5-4371-b6d1-6b32af349043",
"title": "[NPMJS]Prototype Pollution",
"description": "The component 'Lodash' is vulnerable.\n\nnull\n\n[For all versions before 4.17.11.]",
"cvssScore": 8.8,
"cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"reference": "https://ossindex.sonatype.org/vuln/78a61524-80c5-4371-b6d1-6b32af349043"
}
]
}
]
Validated both the xml and the json and they're good, and this cleans up a lot of code. Good to go from me.

DarthHater pushed a commit that referenced this pull request on Mar 3, 2020:

## [4.0.9](v4.0.8...v4.0.9) (2020-03-03)

### Bug Fixes

* move to formatters ([#180](#180)) ([fa59842](fa59842))

🎉 This PR is included in version 4.0.9 🎉 The release is available on: Your semantic-release bot 📦🚀
Basically, we output things a lot of different ways, why not abstract the formatters?

This pull request makes the following changes:

- Formatter interface
- Formatter implementations, JSON, XML, Text

This doesn't IMMEDIATELY solve the linked issue, but will once finished, as it abstracts the "quiet" away from the "json", etc...

It relates to the following issue #s:

cc @bhamail / @DarthHater / @allenhsieh / @ken-duck
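As an added example of the formatter abstraction this PR describes (not code from the auditjs project), the block below defines a Formatter interface with JSON and JUnit-XML implementations that reproduce the two report shapes pasted in the review above, and escapes the advisory text before it lands in XML. The field names follow the page's JSON output; the type and class names, the `maxCvss` gate and the sample records are assumptions.

```typescript
// Added example (not auditjs project code): a Formatter interface with JSON and
// JUnit-XML implementations mirroring the two report shapes shown on this page.
interface Vulnerability {
  id: string; title: string; description: string; cvssScore: number;
  cvssVector?: string; cve?: string; reference: string;
}
interface Component {
  coordinates: string; description: string; reference: string;
  vulnerabilities: Vulnerability[];
}
interface Formatter { format(components: Component[]): string; }

class JsonFormatter implements Formatter {
  format(components: Component[]): string { return JSON.stringify(components, null, 2); }
}

// Advisory text is supplied by OSS Index, not by us: escape it before embedding it in
// XML, or a '<' or '&' inside a description corrupts the JUnit file that CI parses.
function escapeXml(s: string): string {
  const map: Record<string, string> = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;' };
  return s.replace(/[<>&"]/g, (c) => map[c] ?? c);
}

class JUnitXmlFormatter implements Formatter {
  constructor(private readonly timestamp: string) {}
  format(components: Component[]): string {
    // Only vulnerable components become testcases (the "quiet" behaviour shown above).
    const failing = components.filter((c) => c.vulnerabilities.length > 0);
    const cases = failing.map((c) => {
      const name = escapeXml(c.coordinates);
      const body = c.vulnerabilities.map((v) => [
        `Vulnerability Title: ${escapeXml(v.title)}`,
        `ID: ${v.id}`,
        `Description: ${escapeXml(v.description)}`,
        `CVSS Score: ${v.cvssScore}`,
        `CVSS Vector: ${v.cvssVector ?? 'undefined'}`, // the page prints "undefined" when absent
        `CVE: ${v.cve ?? 'undefined'}`,
        `Reference: ${v.reference}`,
      ].join('\n')).join('\n');
      return `<testcase classname="${name}" name="${name}">\n` +
        `<failure type="Vulnerability detected">${body}\n</failure>\n</testcase>`;
    });
    return ['<?xml version="1.0"?>',
      `<testsuite tests="${components.length}" timestamp="${this.timestamp}" failures="${failing.length}">`,
      ...cases, '</testsuite>'].join('\n');
  }
}

// Consumer side: highest CVSS score in a report, for a CI gate such as "fail above 7.0".
function maxCvss(components: Component[]): number {
  let max = 0;
  for (const c of components) for (const v of c.vulnerabilities) max = Math.max(max, v.cvssScore);
  return max;
}

// Constructed sample: the page's jsonwebtoken advisory (version and URL are placeholders,
// the page redacts the coordinate), one clean package, and a description that needs escaping.
const SAMPLE: Component[] = [
  { coordinates: 'pkg:npm/jsonwebtoken@0.0.0-placeholder', description: 'JSON Web Token implementation',
    reference: 'https://ossindex.sonatype.org/component/pkg:npm/jsonwebtoken@0.0.0-placeholder',
    vulnerabilities: [{ id: 'aa34c86b-8889-40c0-9acb-460005f07ea3', title: 'Verification Bypass',
      description: 'RS/ES expected <-> HS* presented (see `algorithms` & `secretOrPublicKey`)',
      cvssScore: 7.5, cvssVector: 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
      reference: 'https://ossindex.sonatype.org/vuln/aa34c86b-8889-40c0-9acb-460005f07ea3' }] },
  { coordinates: 'pkg:npm/clean-pkg@1.0.0', description: 'constructed clean package',
    reference: 'https://example.invalid/clean-pkg', vulnerabilities: [] },
];
```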