This repository has been archived by the owner on Jun 1, 2022. It is now read-only.

Security Vulnerabilities (node-forge + normalize-url) #56

Open
CONeal opened this issue Dec 16, 2021 · 5 comments

Comments

CONeal commented Dec 16, 2021

Hi Guys,

according to a WhiteSource report, there are still two open security vulnerabilities in version 1.5.0 of Brigadier, both as a dependency of @kubernetes/[email protected].

(screenshot: dependency tree from the WhiteSource report)

krancour (Contributor) commented Dec 16, 2021

@CONeal thanks for the heads up, but I'm confused. Examining the yarn list output or even directly examining the yarn.lock file, I cannot see that either of these packages is being used.

Is it possible you can provide more detail on how you're finding this information? Obviously, we'd like to act on it if there is a real issue.

CONeal (Author) commented Dec 17, 2021

@krancour I can see this information when I build the dependency tree from our project. We are using npm, and filtering the list with npm list normalize-url node-forge displays the tree above.

The WhiteSource report itself will be created within an Azure Pipeline using a specific task.

krancour (Contributor) commented
I have tried all of the following and am not able to see any indications that the vulnerable packages you have referenced are dependencies of brigadier:

$ git clone [email protected]:brigadecore/brigadier.git
$ cd brigadier
$ yarn list | grep normalize-url
$ yarn list | grep node-forge
$ grep normalize-url yarn.lock
$ grep node-forge yarn.lock

Since it appears that you are using npm and not yarn, I also tried the following and still could not reproduce your results:

$ npm install # to generate package-lock.json
$ npm list normalize-url
$ npm list node-forge
$ grep normalize-url package-lock.json
$ grep node-forge package-lock.json

If you can send me exact steps to reproduce your results, I would be happy to try them.

CONeal (Author) commented Dec 21, 2021

Starting a new project from scratch will produce the same dependency tree. It seems that these dependencies are only required when using brigadier in another project.

$ npm init # init new project, all settings on default
$ npm install @brigadecore/[email protected]
$ npm list normalize-url
$ npm list node-forge

I don't know if this might also affect the dependencies, but currently I'm using npm version 6.14.15.
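The reproduction above asks npm which chains of `requires` edges lead from a project's direct dependencies to normalize-url and node-forge. As an added example (not part of this thread or the brigadier project), the following Python script answers the same question offline from a lockfileVersion 1 package-lock.json, the format npm 6 writes, and also reports which resolved copy (hoisted or nested) each chain actually uses, which is the version a vulnerability report should be matched against. The lock file and package.json below are constructed: the package names @brigadecore/brigadier 1.5.0, @kubernetes/client-node, node-forge and normalize-url come from the thread; `example-intermediate-pkg` and every version written as `x.y.z` or `a.b.c` are placeholders.

```python
"""Trace how a named package enters a project's dependency tree from package-lock.json.

Hypothetical helper written for this thread (not brigadier project code). It mirrors
what `npm list <pkg>` answers: which chains of `requires` edges lead from the project's
direct dependencies to <pkg>, and which resolved copy each chain uses. Assumes
lockfileVersion 1 (npm 6).
"""
import json
from typing import Dict, List, Set

# Constructed sample input. Names from the issue: @brigadecore/brigadier 1.5.0,
# @kubernetes/client-node, node-forge, normalize-url. Every other name and every
# version written as x.y.z / a.b.c is a placeholder, not real data.
SAMPLE_PACKAGE_JSON = {
    "name": "repro",
    "version": "1.0.0",
    "dependencies": {"@brigadecore/brigadier": "1.5.0"},
}

SAMPLE_LOCK = json.loads("""
{
  "name": "repro",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "@brigadecore/brigadier": {
      "version": "1.5.0",
      "requires": { "@kubernetes/client-node": "*" }
    },
    "@kubernetes/client-node": {
      "version": "x.y.z",
      "requires": {
        "node-forge": "*",
        "normalize-url": "*",
        "example-intermediate-pkg": "*"
      }
    },
    "node-forge": { "version": "x.y.z" },
    "normalize-url": { "version": "x.y.z" },
    "example-intermediate-pkg": {
      "version": "x.y.z",
      "requires": { "normalize-url": "*" },
      "dependencies": {
        "normalize-url": { "version": "a.b.c" }
      }
    }
  }
}
""")

Scope = Dict[str, dict]


def _resolve(name: str, scopes: List[Scope]) -> dict:
    """Node resolution order: nearest enclosing node_modules first, then outward."""
    for deps in reversed(scopes):
        if name in deps:
            return deps[name]
    return {}


def find_dependency_paths(lock: dict, package_json: dict, target: str) -> List[List[str]]:
    """Return every chain direct-dep -> ... -> target as lists of 'name@version'."""
    top: Scope = lock.get("dependencies", {})
    found: List[List[str]] = []

    def walk(name: str, node: dict, scopes: List[Scope], path: List[str], seen: Set[str]) -> None:
        path = path + [f"{name}@{node.get('version', '?')}"]
        if name == target:
            found.append(path)
            return
        # A package's own nested node_modules shadows the hoisted copies above it.
        child_scopes = scopes + [node.get("dependencies", {})]
        for dep in node.get("requires", {}):
            if dep in seen:  # cycle guard: npm permits circular requires
                continue
            child = _resolve(dep, child_scopes)
            if child:  # an unresolvable entry means the lock file and install disagree
                walk(dep, child, child_scopes, path, seen | {dep})

    for direct in package_json.get("dependencies", {}):
        node = _resolve(direct, [top])
        if node:
            walk(direct, node, [top], [], {direct})
    return found


def resolved_versions(lock: dict, package_json: dict, target: str) -> Set[str]:
    """Distinct copies of target that are actually reachable from the project."""
    return {chain[-1].rsplit("@", 1)[1] for chain in find_dependency_paths(lock, package_json, target)}


if __name__ == "__main__":
    for pkg in ("node-forge", "normalize-url"):
        chains = find_dependency_paths(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, pkg)
        versions = sorted(resolved_versions(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, pkg))
        print(f"{pkg}: {len(chains)} chain(s), resolved versions {versions}")
        for chain in chains:
            print("  " + " > ".join(chain))
```

Run it against a real lock file by replacing SAMPLE_LOCK and SAMPLE_PACKAGE_JSON with `json.load(open("package-lock.json"))` and `json.load(open("package.json"))`. The nested copy of normalize-url in the sample is the case worth watching: a scanner that only reads the hoisted top-level entry reports one version while the code path through `example-intermediate-pkg` loads another.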

krancour (Contributor) commented
Following those instructions, I can finally reproduce your results, even using the latest npm or yarn.

This is perplexing to me. I do not understand why additional dependencies are getting pulled in in this scenario.

I will investigate this further after the holidays.

Thank you so much for bringing this to our attention and providing the steps to reproduce!
