
[rush] CVE-2024-21534 (jsonpath-plus) is still unresolved #5034

Closed
npetruzzelli opened this issue Dec 6, 2024 · 1 comment · Fixed by #5036

npetruzzelli wrote:

Summary

#4966 and #4981 attempted to resolve this.

But the problem is still reported by security scans.

Repro steps

  1. Create a new repository
  2. npm install @microsoft/rush@5.141.0
  3. Run a security scan

Expected result:
No Vulnerabilities

Actual result:
Vulnerabilities related to jsonpath-plus (CVE-2024-21534) and ansi-align@3.0.1 (CVE-2022-38900)

The ansi-align issue isn't clear. I don't yet know if it is related to the dependency on string-width, which is by the same author as those indicated in the CVE. It also looks like ansi-align hasn't been updated in 3 years.

Details

GitHub's own advisory is out of date, marking this as resolved by version 10.0.7
GHSA-pppg-cpfq-h7wr

If you follow the link to NVD, you can see that the reporter (Snyk) still considers 10.1.0 as vulnerable.
https://nvd.nist.gov/vuln/detail/CVE-2024-21534

It references an issue that declares 10.2.0 as safe.
JSONPath-Plus/JSONPath#226
https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

Standard questions

Please answer these questions to help us investigate your issue more quickly:

| Question | Answer |
| --- | --- |
| @microsoft/rush globally installed version? | Not Applicable |
| rushVersion from rush.json? | Not Applicable |
| useWorkspaces from rush.json? | Not Applicable |
| Operating system? | Windows |
| Would you consider contributing a PR? | Yes / if time allows |
| Node.js version (node -v)? | Not Applicable |
iclanton linked a pull request Dec 9, 2024 that will close this issue
npetruzzelli (Author) wrote:

I still haven't figured out what is going on with ansi-align (a downstream dependency of rush-lib). I suspect it is a false positive since the CVE is for an unrelated package. I am still waiting to hear back from our security scan vendor.

Thanks again for the quick update!
