diff --git a/README.md b/README.md index 3661d5a..08d7f25 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ Options: Install this package. ``` -npm install --save-dev gitlab-npm-audit-parser +npm install --save-dev @elpete/gitlab-npm-audit-parser ``` Add the following job to _.gitlab-ci.yml_ @@ -30,11 +30,16 @@ dependency scanning: reports: dependency_scanning: gl-dependency-scanning.json ``` +NOTE: If you use a `npm run-script` to call `npm audit` You must add the option `--silent` to `npm run` or have `.npmrc` set the NPM loglevel to silent otherwise the shell output will conflict with the stdin piping to this parser and cause an error. ## Test +```sh +$ npm test +``` + ### V1 Report `cat test/v1_report.json | ./parse.js -o report.json` ### V2 Report -`cat test/v1_report.json | ./parse.js -o report.json` +`cat test/v2_report.json | ./parse.js -o report.json` diff --git a/package-lock.json b/package-lock.json index a2b7bdb..8ffdb42 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,11 +1,12 @@ { - "name": "gitlab-npm-audit-parser", - "version": "1.0.4", + "name": "@elpete/gitlab-npm-audit-parser", + "version": "1.1.0", "lockfileVersion": 2, "requires": true, "packages": { "": { - "version": "1.0.4", + "name": "@elpete/gitlab-npm-audit-parser", + "version": "1.1.0", "license": "MIT", "dependencies": { "commander": "^2.18.0" @@ -15,16 +16,16 @@ } }, "node_modules/commander": { - "version": "2.18.0", - "resolved": "https://registry.npmjs.org/commander/-/commander-2.18.0.tgz", - "integrity": "sha512-6CYPa+JP2ftfRU2qkDK+UTVeQYosOg/2GbcjIcKPHfinyOLPVGXu/ovN86RP49Re5ndJK1N0kuiidFFuepc4ZQ==" + "version": "2.20.3", + "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", + "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==" } }, "dependencies": { "commander": { - "version": "2.18.0", - "resolved": "https://registry.npmjs.org/commander/-/commander-2.18.0.tgz", - "integrity": "sha512-6CYPa+JP2ftfRU2qkDK+UTVeQYosOg/2GbcjIcKPHfinyOLPVGXu/ovN86RP49Re5ndJK1N0kuiidFFuepc4ZQ==" + "version": "2.20.3", + "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz", + "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==" } } } diff --git a/package.json b/package.json index e490c83..8415add 100644 --- a/package.json +++ b/package.json @@ -8,7 +8,9 @@ "test": "test" }, "scripts": { - "test": "echo \"Error: no test specified\" && exit 1" + "test": "npm run --silent test:v1; npm run --silent test:v2;", + "test:v1": "printf 'v1: '; cat test/v1_report.json | ./parse.js -o GL-report.1.json >/dev/null && diff -q GL-report.1.json test/snapshot/GL-report.1.json && echo success!; RC=$?; rm GL-report.1.json; exit $RC", + "test:v2": "printf 'v2: '; cat test/v2_report.json | ./parse.js -o GL-report.2.json >/dev/null && diff -q GL-report.2.json test/snapshot/GL-report.2.json && echo success!; RC=$?; rm GL-report.2.json; exit $RC" }, "repository": { "type": "git", @@ -19,11 +21,16 @@ ], "author": "Maxime Gibeau", "contributors": [ - { - "name": "Eric Peterson", - "email": "eric@elpete.com", - "url": "https://github.com/elpete" - } + { + "name": "Eric Peterson", + "email": "eric@elpete.com", + "url": "https://github.com/elpete" + }, + { + "name": "codejedi365", + "email": "codejedi365@gmail.com", + "url": "https://github.com/codejedi365" + } ], "license": "MIT", "dependencies": { diff --git a/parse.js b/parse.js index 7b86471..e9b0d3d 100755 --- a/parse.js +++ b/parse.js @@ -25,7 +25,7 @@ stdin.on('end', function () { var inputJSON = chunks.join(''), outputJSON = convert(inputJSON); - fs.writeFile(filename, outputJSON, function(err) { + fs.writeFile(filename, outputJSON+'\n', function(err) { if (err) { return console.log(err); } diff --git a/test/snapshot/GL-report.1.json b/test/snapshot/GL-report.1.json new file mode 100644 index 0000000..c0f4a32 --- /dev/null +++ b/test/snapshot/GL-report.1.json @@ -0,0 +1,510 @@ +{ + "version": "1.0", + "vulnerabilities": [ + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "jsonwebtoken", + "namespace": "jsonwebtoken", + "message": "Verification Bypass", + "cve": "package.jsonjsonwebtoken:cve_id:CVE-2015-9235", + "description": "Versions 4.2.1 and earlier of `jsonwebtoken` are affected by a verification bypass vulnerability. This is a result of weak validation of the JWT algorithm type, occuring when an attacker is allowed to arbitrarily specify the JWT algorithm.\n\n", + "severity": "Critical", + "fixedby": "Tim McLean", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "jsonwebtoken" + }, + "version": "<4.2.2" + } + }, + "identifiers": [ + { + "type": "cve_id", + "name": "CVE-2015-9235", + "value": "CVE-2015-9235", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9235" + }, + { + "type": "cwe_id", + "name": "CWE-287", + "value": "CWE-287", + "url": "https://cwe.mitre.org/data/definitions/287.html" + } + ], + "solution": "Update to version 4.2.2 or later.", + "instances": [ + { + "method": "express-jwt>jsonwebtoken" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/17" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "moment", + "namespace": "moment", + "message": "Regular Expression Denial of Service", + "cve": "package.jsonmoment:cve_id:CVE-2016-4055", + "description": "Versions of `moment` prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into `moment.duration()`.\n\n\n## Proof of concept\n```\nvar moment = require('moment');\n\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\n\nfor (i=20000;i<=10000000;i=i+10000) {\n console.log(\"COUNT: \" + i);\n var str = '-' + genstr(i, '1')\n console.log(\"LENGTH: \" + str.length);\n var start = process.hrtime();\n moment.duration(str)\n\n var end = process.hrtime(start);\n console.log(end);\n}\n```\n\n### Results\n```\n$ node moment.js\nCOUNT: 20000\nLENGTH: 20002\n[ 0, 618931029 ]\nCOUNT: 30001\nLENGTH: 30003\n[ 1, 401413894 ]\nCOUNT: 40002\nLENGTH: 40004\n[ 2, 437075303 ]\nCOUNT: 50003\nLENGTH: 50005\n[ 3, 824664804 ]\nCOUNT: 60004\nLENGTH: 60006\n[ 5, 651335262 ]\n```", + "severity": "Moderate", + "fixedby": "Adam Baldwin", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "moment" + }, + "version": "<2.11.2" + } + }, + "identifiers": [ + { + "type": "cve_id", + "name": "CVE-2016-4055", + "value": "CVE-2016-4055", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4055" + }, + { + "type": "cwe_id", + "name": "CWE-400", + "value": "CWE-400", + "url": "https://cwe.mitre.org/data/definitions/400.html" + } + ], + "solution": "Please update to version 2.11.2 or later. ", + "instances": [ + { + "method": "express-jwt>jsonwebtoken>moment" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/55" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "jws", + "namespace": "jws", + "message": "Forgeable Public/Private Tokens", + "cve": "package.jsonjws:cve_id:CVE-2016-1000223", + "description": "Affected versions of the `jws` package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort.\n\n", + "severity": "High", + "fixedby": "Brian Brennan and Tim McLean", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "jws" + }, + "version": "<3.0.0" + } + }, + "identifiers": [ + { + "type": "cve_id", + "name": "CVE-2016-1000223", + "value": "CVE-2016-1000223", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223" + }, + { + "type": "cwe_id", + "name": "CWE-310", + "value": "CWE-310", + "url": "https://cwe.mitre.org/data/definitions/310.html" + } + ], + "solution": "Update to version 3.0.0 or later.", + "instances": [ + { + "method": "express-jwt>jsonwebtoken>jws" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/88" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "sanitize-html", + "namespace": "sanitize-html", + "message": "Cross-Site Scripting", + "cve": "package.jsonsanitize-html:cve_id:CVE-2016-1000237", + "description": "Affected versions of `sanitize-html` do not sanitize input recursively, which may allow an attacker to execute arbitrary Javascript.", + "severity": "Moderate", + "fixedby": "Björn Kimminich", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "sanitize-html" + }, + "version": "<=1.4.2" + } + }, + "identifiers": [ + { + "type": "cve_id", + "name": "CVE-2016-1000237", + "value": "CVE-2016-1000237", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000237" + }, + { + "type": "cwe_id", + "name": "CWE-79", + "value": "CWE-79", + "url": "https://cwe.mitre.org/data/definitions/79.html" + } + ], + "solution": "Update to version 1.4.3 or later.", + "instances": [ + { + "method": "sanitize-html" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/135" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "sanitize-html", + "namespace": "sanitize-html", + "message": "Cross Site Scripting", + "cve": "package.jsonsanitize-html:cve_id:CVE-2017-16016", + "description": "Affected versions of `sanitize-html` are vulnerable to cross-site scripting when allowedTags includes at least one `nonTextTag`.\n\n## Proof of Concept\n\n```\nvar sanitizeHtml = require('sanitize-html');\n\nvar dirty = '!!';\nvar clean = sanitizeHtml(dirty, {\n allowedTags: [ 'textarea' ]\n});\n\nconsole.log(clean);\n\n// !!\n```", + "severity": "Moderate", + "fixedby": "Andrew Krasichkov", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "sanitize-html" + }, + "version": "<=1.11.1" + } + }, + "identifiers": [ + { + "type": "cve_id", + "name": "CVE-2017-16016", + "value": "CVE-2017-16016", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16016" + }, + { + "type": "cwe_id", + "name": "CWE-725", + "value": "CWE-725", + "url": "https://cwe.mitre.org/data/definitions/725.html" + } + ], + "solution": "Update to version 1.11.4 or later.", + "instances": [ + { + "method": "sanitize-html" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/154" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "moment", + "namespace": "moment", + "message": "Regular Expression Denial of Service", + "cve": "package.jsonmoment:cve_id:undefined", + "description": "Affected versions of `moment` are vulnerable to a low severity regular expression denial of service when parsing dates as strings.", + "severity": "Low", + "fixedby": "Cristian-Alexandru Staicu", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "moment" + }, + "version": "<2.19.3" + } + }, + "identifiers": [ + { + "type": "cve_id", + "url": "https://nvd.nist.gov/vuln/detail/undefined" + }, + { + "type": "cwe_id", + "name": "CWE-400", + "value": "CWE-400", + "url": "https://cwe.mitre.org/data/definitions/400.html" + } + ], + "solution": "Update to version 2.19.3 or later.", + "instances": [ + { + "method": "express-jwt>jsonwebtoken>moment" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/532" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "hoek", + "namespace": "hoek", + "message": "Prototype pollution", + "cve": "package.jsonhoek:cve_id:undefined", + "description": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.", + "severity": "Moderate", + "fixedby": "HoLyVieR", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "hoek" + }, + "version": "<= 4.2.0 || >= 5.0.0 < 5.0.3" + } + }, + "identifiers": [ + { + "type": "cve_id", + "url": "https://nvd.nist.gov/vuln/detail/undefined" + }, + { + "type": "cwe_id", + "name": "CWE-471", + "value": "CWE-471", + "url": "https://cwe.mitre.org/data/definitions/471.html" + } + ], + "solution": "Update to version 4.2.1, 5.0.3 or later.", + "instances": [ + { + "method": "codeclimate-test-reporter>request>hawk>boom>hoek" + }, + { + "method": "codeclimate-test-reporter>request>hawk>cryptiles>boom>hoek" + }, + { + "method": "codeclimate-test-reporter>request>hawk>hoek" + }, + { + "method": "codeclimate-test-reporter>request>hawk>sntp>hoek" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/566" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "lodash", + "namespace": "lodash", + "message": "Prototype Pollution", + "cve": "package.jsonlodash:cve_id:CVE-2018-3721", + "description": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n", + "severity": "Low", + "fixedby": "Olivier Arteau (HoLyVieR)", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "lodash" + }, + "version": "<4.17.5" + } + }, + "identifiers": [ + { + "type": "cve_id", + "name": "CVE-2018-3721", + "value": "CVE-2018-3721", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721" + }, + { + "type": "cwe_id", + "name": "CWE-471", + "value": "CWE-471", + "url": "https://cwe.mitre.org/data/definitions/471.html" + } + ], + "solution": "Update to version 4.17.5 or later.", + "instances": [ + { + "method": "sanitize-html>lodash" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/577" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "tunnel-agent", + "namespace": "tunnel-agent", + "message": "Memory Exposure", + "cve": "package.jsontunnel-agent:cve_id:undefined", + "description": "Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\n\nThis is exploitable if user supplied input is provided to the auth value and is a number.\n\nProof-of-concept:\n```js\nrequire('request')({\n method: 'GET',\n uri: 'http://www.example.com',\n tunnel: true,\n proxy:{\n protocol: 'http:',\n host:'127.0.0.1',\n port:8080,\n auth:USERSUPPLIEDINPUT // number\n }\n});\n```", + "severity": "Moderate", + "fixedby": "Сковорода Никита Андреевич", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "tunnel-agent" + }, + "version": "<0.6.0" + } + }, + "identifiers": [ + { + "type": "cve_id", + "url": "https://nvd.nist.gov/vuln/detail/undefined" + }, + { + "type": "cwe_id", + "name": "CWE-20", + "value": "CWE-20", + "url": "https://cwe.mitre.org/data/definitions/20.html" + } + ], + "solution": "Update to version 0.6.0 or later.", + "instances": [ + { + "method": "codeclimate-test-reporter>request>tunnel-agent" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/598" + } + ] + }, + { + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "base64url", + "namespace": "base64url", + "message": "Out-of-bounds Read", + "cve": "package.jsonbase64url:cve_id:undefined", + "description": "Versions of `base64url` before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.", + "severity": "Moderate", + "fixedby": "Сковорода Никита Андреевич", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package.json", + "dependency": { + "package": { + "name": "base64url" + }, + "version": "<3.0.0" + } + }, + "identifiers": [ + { + "type": "cve_id", + "url": "https://nvd.nist.gov/vuln/detail/undefined" + }, + { + "type": "cwe_id", + "name": "CWE-125", + "value": "CWE-125", + "url": "https://cwe.mitre.org/data/definitions/125.html" + } + ], + "solution": "Update to version 3.0.0 or later.", + "instances": [ + { + "method": "express-jwt>jsonwebtoken>jws>base64url" + }, + { + "method": "express-jwt>jsonwebtoken>jws>jwa>base64url" + } + ], + "links": [ + { + "url": "https://npmjs.com/advisories/658" + } + ] + } + ], + "remediations": [] +} diff --git a/test/snapshot/GL-report.2.json b/test/snapshot/GL-report.2.json new file mode 100644 index 0000000..50f5ed5 --- /dev/null +++ b/test/snapshot/GL-report.2.json @@ -0,0 +1,411 @@ +{ + "version": "2.0", + "vulnerabilities": [ + { + "id": "NPM Audit: axios cve_id: 1594", + "cve": "NPM Audit: axios cve_id: 1594", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "axios", + "message": "Server-Side Request Forgery", + "description": "Server-Side Request Forgery", + "severity": "High", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "axios" + }, + "version": "<0.21.1" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Server-Side Request Forgery", + "value": 1594, + "url": "https://npmjs.com/advisories/1594" + } + ], + "solution": null, + "links": [ + { + "url": "https://npmjs.com/advisories/1594" + } + ] + }, + { + "id": "NPM Audit: braces cve_id: 786", + "cve": "NPM Audit: braces cve_id: 786", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "braces", + "message": "Regular Expression Denial of Service", + "description": "Regular Expression Denial of Service", + "severity": "Low", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "braces" + }, + "version": "<2.3.1" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Regular Expression Denial of Service", + "value": 786, + "url": "https://npmjs.com/advisories/786" + } + ], + "solution": "Upgrade jest to version >=26.6.3", + "links": [ + { + "url": "https://npmjs.com/advisories/786" + } + ] + }, + { + "id": "NPM Audit: elliptic cve_id: 1648", + "cve": "NPM Audit: elliptic cve_id: 1648", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "elliptic", + "message": "Use of a Broken or Risky Cryptographic Algorithm", + "description": "Use of a Broken or Risky Cryptographic Algorithm", + "severity": "Moderate", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "elliptic" + }, + "version": "<6.5.4" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Use of a Broken or Risky Cryptographic Algorithm", + "value": 1648, + "url": "https://npmjs.com/advisories/1648" + } + ], + "solution": null, + "links": [ + { + "url": "https://npmjs.com/advisories/1648" + } + ] + }, + { + "id": "NPM Audit: gsap cve_id: 1608", + "cve": "NPM Audit: gsap cve_id: 1608", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "gsap", + "message": "Prototype Pollution", + "description": "Prototype Pollution", + "severity": "High", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "gsap" + }, + "version": "<3.6.0" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Prototype Pollution", + "value": 1608, + "url": "https://npmjs.com/advisories/1608" + } + ], + "solution": null, + "links": [ + { + "url": "https://npmjs.com/advisories/1608" + } + ] + }, + { + "id": "NPM Audit: ini cve_id: 1589", + "cve": "NPM Audit: ini cve_id: 1589", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "ini", + "message": "Prototype Pollution", + "description": "Prototype Pollution", + "severity": "Low", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "ini" + }, + "version": "<1.3.6" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Prototype Pollution", + "value": 1589, + "url": "https://npmjs.com/advisories/1589" + } + ], + "solution": null, + "links": [ + { + "url": "https://npmjs.com/advisories/1589" + } + ] + }, + { + "id": "NPM Audit: merge cve_id: 1666", + "cve": "NPM Audit: merge cve_id: 1666", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "merge", + "message": "Prototype Pollution", + "description": "Prototype Pollution", + "severity": "High", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "merge" + }, + "version": "<2.1.1" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Prototype Pollution", + "value": 1666, + "url": "https://npmjs.com/advisories/1666" + } + ], + "solution": "Upgrade jest to version >=26.6.3", + "links": [ + { + "url": "https://npmjs.com/advisories/1666" + } + ] + }, + { + "id": "NPM Audit: npm-user-validate cve_id: 1572", + "cve": "NPM Audit: npm-user-validate cve_id: 1572", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "npm-user-validate", + "message": "Regular Expression Denial of Service", + "description": "Regular Expression Denial of Service", + "severity": "Low", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "npm-user-validate" + }, + "version": "< 1.0.1" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Regular Expression Denial of Service", + "value": 1572, + "url": "https://npmjs.com/advisories/1572" + } + ], + "solution": null, + "links": [ + { + "url": "https://npmjs.com/advisories/1572" + } + ] + }, + { + "id": "NPM Audit: ssri cve_id: 565", + "cve": "NPM Audit: ssri cve_id: 565", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "ssri", + "message": "Regular Expression Denial of Service", + "description": "Regular Expression Denial of Service", + "severity": "Moderate", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "ssri" + }, + "version": ">=5.2.2 <6.0.2 || >=7.0.0 <8.0.1" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Regular Expression Denial of Service", + "value": 565, + "url": "https://npmjs.com/advisories/565" + } + ], + "solution": null, + "links": [ + { + "url": "https://npmjs.com/advisories/565" + } + ] + }, + { + "id": "NPM Audit: y18n cve_id: 1654", + "cve": "NPM Audit: y18n cve_id: 1654", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "y18n", + "message": "Prototype Pollution", + "description": "Prototype Pollution", + "severity": "High", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "y18n" + }, + "version": "<3.2.2||=4.0.0||>=5.0.0 <5.0.5" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Prototype Pollution", + "value": 1654, + "url": "https://npmjs.com/advisories/1654" + } + ], + "solution": null, + "links": [ + { + "url": "https://npmjs.com/advisories/1654" + } + ] + }, + { + "id": "NPM Audit: yargs-parser cve_id: 1500", + "cve": "NPM Audit: yargs-parser cve_id: 1500", + "tool": "npm_audit", + "category": "dependency_scanning", + "name": "yargs-parser", + "message": "Prototype Pollution", + "description": "Prototype Pollution", + "severity": "Low", + "confidence": "High", + "scanner": { + "id": "npm_audit_advisories", + "name": "NPM Audit" + }, + "location": { + "file": "package-lock.json", + "dependency": { + "package": { + "name": "yargs-parser" + }, + "version": "<13.1.2 || >=14.0.0 <15.0.1 || >=16.0.0 <18.1.2" + } + }, + "identifiers": [ + { + "type": "cve", + "name": "Prototype Pollution", + "value": 1500, + "url": "https://npmjs.com/advisories/1500" + } + ], + "solution": "Upgrade jest to version >=26.6.3", + "links": [ + { + "url": "https://npmjs.com/advisories/1500" + } + ] + } + ], + "remediations": [ + { + "fixes": [ + { + "id": "NPM Audit: braces cve_id: 786" + } + ], + "summary": "Upgrade jest to version >=26.6.3" + }, + { + "fixes": [ + { + "id": "NPM Audit: merge cve_id: 1666" + } + ], + "summary": "Upgrade jest to version >=26.6.3" + }, + { + "fixes": [ + { + "id": "NPM Audit: yargs-parser cve_id: 1500" + } + ], + "summary": "Upgrade jest to version >=26.6.3" + } + ] +}