Skip to content
This repository has been archived by the owner on Aug 4, 2023. It is now read-only.

Audit failure due to a vulnerability in semver #201

Closed
sefiros1 opened this issue Jun 26, 2023 · 1 comment
Closed

Audit failure due to a vulnerability in semver #201

sefiros1 opened this issue Jun 26, 2023 · 1 comment
Labels
agent-nodejs Make available for APM Agents project planning.

Comments

@sefiros1
Copy link

Library semver <7.5.2 has a vulnerability:
GHSA-c2qf-rxjj-qqgw

Script npm audit fail due error:

                       === npm audit security report ===                        
                                                                                
# Run  npm install semver@7.5.3  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm install --save-dev nyc@15.1.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > test-exclude > read-pkg-up > read-pkg >                │
│               │ normalize-package-data > semver                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm install --save-dev standard@17.1.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint > cross-spawn > semver                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > istanbul-lib-instrument > semver                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > make-dir > semver                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nyc > caching-transform > make-dir > semver                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-c2qf-rxjj-qqgw            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 moderate severity vulnerabilities in 365 scanned packages
  3 vulnerabilities require semver-major dependency updates.
  3 vulnerabilities require manual review. See the full report for details.
@github-actions github-actions bot added the agent-nodejs Make available for APM Agents project planning. label Jun 26, 2023
@sefiros1 sefiros1 changed the title Audit failing due semver vulnerability Audit failure due to a vulnerability in semver Jun 26, 2023
@trentm
Copy link
Member

trentm commented Jun 26, 2023

@sefiros1 Thanks for opening the issue.

semver@6 is used in this module elastic-apm-http-client and in elastic-apm-node (the module for this this repo exists):

elastic-apm-node@3.47.0 /Users/trentm/el/apm-agent-nodejs
├─┬ elastic-apm-http-client@11.4.0
│ └── semver@6.3.0 deduped
└── semver@6.3.0

The vuln is a ReDoS vuln when untrusted input is given to semver.Range, also indirectly used by semver.satisfies(ver, range). The latter is used in many places in this code. However, in none of them is untrusted input given to the "range" argument. I suppose one arguable usage is this:

lib/opentelemetry-metrics/index.js
18:const isOTelMetricsFeatSupported = semver.satisfies(process.version, _supportRange)

However, that _supportsRange is from "node_modules/@opentelemetry/sdk-metrics/package.json". If that has been compromised in the install of this package, then the security game is up already. In conclusion: I don't think this package is affected by this vulnerability in semver.


Normally, one would just update to a fixed version of semver and move on. However, there isn't one that we can use. Currently per npm/node-semver#564 (comment) there is only a released fix for semver@7 and no current plans to backport.

We cannot use semver@7 because it's minimum supported Node.js version is v10. This package, elastic-apm-node@3, currently supports back to Node.js v8.6. (Note that we are currently planning a v4 major version bump that will drop support for Node.js v8. For that version we will upgrade our semver dependency.


I realize that this means we will fail npm audit until elastic-apm-node@4 is released (there is no current release date plan for that). Hopefully that is not too disruptive for users.

@trentm trentm closed this as completed Jun 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
agent-nodejs Make available for APM Agents project planning.
Projects
None yet
Development

No branches or pull requests

2 participants