Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check vulnerabilities raised for SonarJS 9.13 #4598

Closed
ilia-kebets-sonarsource opened this issue Mar 15, 2024 · 3 comments
Closed

Check vulnerabilities raised for SonarJS 9.13 #4598

ilia-kebets-sonarsource opened this issue Mar 15, 2024 · 3 comments
Labels
hardening must-have
Milestone
9.13.1

Comments

@ilia-kebets-sonarsource
Copy link
Contributor

ilia-kebets-sonarsource commented Mar 15, 2024
edited
Loading

Mend raised some issues for SonarJS 9.13, we should check if we are affected by these vulnerabilities:

  • if yes, address them.
  • otherwise, ignore them
@ilia-kebets-sonarsource ilia-kebets-sonarsource added this to the 10.13 milestone Mar 18, 2024
@ericmorand-sonarsource ericmorand-sonarsource modified the milestones: 10.13, 9.13.1 Mar 21, 2024
Closed
@ericmorand-sonarsource
Copy link
Contributor

ericmorand-sonarsource commented Mar 22, 2024
edited by Wohops
Loading

Investigation results (WIP)

yaml

The [email protected] parser may throw an uncaught exception, but the error is ultimately caught and handled gracefully by one of the Express middlewares of the bridge.

09:54:04.369 DEBUG: 'src/issue-4598/index.yaml' generated metadata with charset 'UTF-8'
09:54:04.372 INFO: 1 source file to be analyzed
09:54:04.401 ERROR: Unable to parse file: file:///home/eric.morand/Projects/verify/src/issue-4598/index.yaml. Parse error at position 82:0
09:54:04.401 ERROR: Cannot parse 'src/issue-4598/index.yaml': while parsing a flow sequence
 in reader, line 80, column 1:
    [
    ^
expected ',' or ']', but got :
 in reader, line 82, column 10:
    Resources:
             ^

semver < 7.5.2

semver < 7.5.2 is used by multiple packages that SonarJS depends on at runtime:

vue-eslint-parser

[email protected] is not fed with user data, rendering SonarJS immune to the vulnerability.

stylelint

[email protected] and [email protected] are both used by the meow package that fuels the CLI of Stylelint. SonarJS doesn't execute the CLI of Stylelint, rendering it immune to the vulnerability.

eslint-plugin-react

eslint-plugin-react feeds the [email protected] library with user data - namely from the settings.react.version value set in .eslintrc - rendering it vulnerable to CVE-2022-25883, through the public method testReactVersion.

The following eslint-plugin-react's ruless execute the aforementioned testReactVersion:

  • prefer-stateless-function
  • display-name
  • jsx-fragments
  • no-deprecated
  • no-render-return-value
  • no-unknown-property
  • no-unsafe
  • no-will-update-set-state

However, none of these rules is actually available in SonarJS, so SonarJS is not impacted by the vulnerability.

@typescript-eslint/parser

@typescript-eslint/parser feeds [email protected] indirectly (through @typescript-eslint/typescript-estree) with non user-provided data rendering SonarJS immune to the vulnerability:

  • data from TypeScript version
@typescript-eslint/eslint-plugin

@typescript-eslint/eslint-plugin feeds [email protected] with non user-provided data rendering SonarJS immune to the vulnerability:

  • data from TypeScript version
  • data from ESLint package manifest
@babel/preset-env

@babel/preset-end feeds [email protected] with non user-provided data rendering SonarJS immune to the vulnerability.

@babel/eslint-parser

@babel/eslint-parser feeds [email protected] with non user-provided data rendering SonarJS immune to the vulnerability.

@babel/core

SonarJS declares that it depends on @babel/core but doesn't make direct use of it.

word-wrap-1.2.3.tgz

There is no dependency on the word-wrap package. However, there is one dependency on the @aashutoshrathi/word-wrap package which was created to fix the vulnerability:

Why this fork?

word-wrap had a high rank vulnerability (CVE-2023-26115) which is now fixed in jonschlinkert/word-wrap#33 and now the main package can be used too. It was taking time to merge that PR so, some projects shifted to this fork of the project.

https://github.com/aashutoshrathi/word-wrap

Mend doesn't seem to take npm scopes into account and thus wrongly assumes that SonarJS depends on [email protected], while it depends on @aashutoshrathi/[email protected].

postcss < 8.4.31

SonarJS doesn't use postcss to actually emit a post-processed CSS code, so it is immune to the vulnerability.

@babel/traverse < 7.23.2 | 8.0.0-alpha.4

SonarJS doesn't use @bable/traverse to actually compile JS code, so it is immune to the vulnerability.

commons-compress < 1.26

SonarJS makes use of the commons-compress package only on controlled input (only at build time to compress node-js runtime), hence it is immune to the vulnerability.

@ericmorand-sonarsource
Copy link
Contributor

@saberduck can you please review my investigation?

@saberduck
Copy link
Contributor

LGTM! Great job!

@ericmorand-sonarsource ericmorand-sonarsource removed their assignment Apr 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
hardening must-have
Projects
None yet
Milestone
9.13.1
Development

Successfully merging a pull request may close this issue.

Resolve issue #4598 - Check vulnerabilities raised for SonarJS 9.13 ericmorand-sonarsource/SonarJS
3 participants
@saberduck @ilia-kebets-sonarsource @ericmorand-sonarsource