Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[security] Open OSS CVEs #1000

Closed
prabhu opened this issue Apr 21, 2024 · 0 comments · Fixed by #1001
Closed

[security] Open OSS CVEs #1000

prabhu opened this issue Apr 21, 2024 · 0 comments · Fixed by #1001

Comments

@prabhu
Copy link
Collaborator

prabhu commented Apr 21, 2024

CVEs from the latest scan:

CVE Package Justification
CVE-2021-21306 pkg:npm/[email protected] code_not_present
CVE-2022-21681 pkg:npm/[email protected] code_not_present
CVE-2022-21680 pkg:npm/[email protected] code_not_present
CVE-2022-33987 pkg:npm/[email protected] code_not_reachable

docsify is a dev dependency used for generating documentation. A indirect dependency called marked has 3 CVEs which can be ignored since we ignore dev dependencies.

got 14.2.1 is used by cdxgen. However, version 9.6.0 is pulled as a dependency of package-json.

npm ls [email protected]
@cyclonedx/[email protected] /Volumes/Work/CycloneDX/cdxgen
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

To reduce the false positives, we can pass --required-only to trim the optional dependencies here. We may have to think about a replacement for docsify, since it appears like the security vulnerabilities are being ignored.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Removed docsify which is not required for generating docs CycloneDX/cdxgen
1 participant
@prabhu