diff --git a/dojo/tools/auditjs/parser.py b/dojo/tools/auditjs/parser.py index c3e9da0bd8d..f9aec0c9a26 100644 --- a/dojo/tools/auditjs/parser.py +++ b/dojo/tools/auditjs/parser.py @@ -2,12 +2,50 @@ import re from json.decoder import JSONDecodeError -import cvss.parser -from cvss import CVSS2, CVSS3 +# import cvss.parser +from cvss import CVSS2, CVSS3, CVSS4, CVSSError from dojo.models import Finding +# TEMPORARY: Local implementation until the upstream PR is merged & released: https://github.com/RedHatProductSecurity/cvss/pull/75 +def parse_cvss_from_text(text): + """ + Parses CVSS2, CVSS3, and CVSS4 vectors from arbitrary text and returns a list of CVSS objects. + + Parses text for substrings that look similar to CVSS vector + and feeds these matches to CVSS constructor. + + Args: + text (str): arbitrary text + + Returns: + A list of CVSS objects. + + """ + # Looks for substrings that resemble CVSS2, CVSS3, or CVSS4 vectors. + # CVSS3 and CVSS4 vectors start with a 'CVSS:x.x/' prefix and are matched by the optional non-capturing group. + # CVSS2 vectors do not include a prefix and are matched by raw vector pattern only. + # Minimum total match length is 26 characters to reduce false positives. + matches = re.compile(r"(?:CVSS:[3-4]\.\d/)?[A-Za-z:/]{26,}").findall(text) + + cvsss = set() + for match in matches: + try: + if match.startswith("CVSS:4."): + cvss = CVSS4(match) + elif match.startswith("CVSS:3."): + cvss = CVSS3(match) + else: + cvss = CVSS2(match) + + cvsss.add(cvss) + except (CVSSError, KeyError): + pass + + return list(cvsss) + + class AuditJSParser: """Parser for AuditJS Scan tool""" 
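Review bot: `parse_cvss_from_text` collects the parsed objects in a set and returns `list(cvsss)`, so when a text holds more than one vector the order of the returned list is not stable across processes if the CVSS classes hash on their vector string (hash randomisation), and the caller in get_findings relies on `cvss_vectors[0]` being a particular one. Deduplicate with an insertion-ordered dict instead: `cvsss = {}`, `cvsss[cvss] = None` inside the `try`, and `return list(cvsss)` then keeps the first vector that appears in the text first. The commented-out `# import cvss.parser` line is dead code and should be deleted; the TEMPORARY comment already records why the local copy exists. A debug-level log in the `except (CVSSError, KeyError)` branch would make a vector that the library rejects visible when a report imports with unexpected severities, since the `pass` currently hides it completely.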
@@ -85,33 +123,38 @@ def get_findings(self, filename, test): if cwe_find: cwe = int(cwe_find[0][4:]) else: - msg = ( - "Missing mandatory attributes (id, title, description). Please check your report or ask " - "community." - ) + msg = "Missing mandatory attributes (id, title, description). Please check your report or ask community." raise ValueError(msg) if "cvssScore" in vulnerability: cvss_score = vulnerability["cvssScore"] if "cvssVector" in vulnerability: - cvss_vectors = cvss.parser.parse_cvss_from_text( + cvss_vectors = parse_cvss_from_text( vulnerability["cvssVector"], ) - if len(cvss_vectors) > 0 and isinstance( - cvss_vectors[0], CVSS3, - ): - # Only set finding vector if it's version 3 - cvss_vector = cvss_vectors[0].clean_vector() - severity = cvss_vectors[0].severities()[0] - elif len(cvss_vectors) > 0 and isinstance( - cvss_vectors[0], CVSS2, - ): - # Otherwise add it to description - description = ( - description - + "\nCVSS V2 Vector:" - + cvss_vectors[0].clean_vector() - ) - severity = cvss_vectors[0].severities()[0] + + if len(cvss_vectors) > 0: + vector_obj = cvss_vectors[0] + + if isinstance(vector_obj, CVSS4): + description += "\nCVSS V4 Vector:" + vector_obj.clean_vector() + severity = vector_obj.severities()[0] + + elif isinstance(vector_obj, CVSS3): + cvss_vector = vector_obj.clean_vector() + severity = vector_obj.severities()[0] + + elif isinstance(vector_obj, CVSS2): + description += "\nCVSS V2 Vector:" + vector_obj.clean_vector() + severity = vector_obj.severities()[0] + + else: + msg = "Unsupported CVSS version detected in parser." + raise ValueError(msg) + else: + # Explicitly raise an error if no CVSS vectors are found, + # to avoid 'NoneType' errors during severity processing later. + msg = "No CVSS vectors found. Please check that parse_cvss_from_text() correctly parses the provided cvssVector." + raise ValueError(msg) else: # If there is no vector, calculate severity based on # score and CVSS V3 (AuditJS does not always include 
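Review bot: The new `else` branch raises `ValueError` whenever `cvssVector` is present but `parse_cvss_from_text` returns nothing, so a single vector string that the regex or the cvss library rejects now aborts the whole report import, whereas the previous code fell through and the outer `else` already derives severity from `cvssScore` when no vector is available. An unparseable vector should be treated like a missing one: compute `cvss_vectors` before the branch and test whether it is non-empty, so the existing score-based fallback covers both cases (a debug log of the rejected string is enough to keep the problem visible). The CVSS4 branch only appends the vector to the description; if the `Finding` model in this tree has a CVSS4 vector field, storing it there as the CVSS3 branch does for `cvss_vector` keeps it structured and queryable — I cannot confirm that field from this hunk. The error text `Please check that parse_cvss_from_text() correctly parses ...` also exposes an internal function name to the end user, which is not actionable for them. get_findings begins and ends outside this hunk.
```python
            cvss_vectors = []
            if "cvssVector" in vulnerability:
                cvss_vectors = parse_cvss_from_text(vulnerability["cvssVector"])
            if cvss_vectors:
                vector_obj = cvss_vectors[0]
                # … unchanged: CVSS4 / CVSS3 / CVSS2 dispatch on vector_obj …
            else:
                # No vector, or a vector neither the regex nor the cvss library
                # accepts: fall back to the severity derived from cvssScore.
                # … unchanged: score-based severity …
```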
diff --git a/unittests/scans/auditjs/auditjs_many_vul.json b/unittests/scans/auditjs/auditjs_many_vul.json index 02bbe173a83..27b3ff6e2d1 100644 --- a/unittests/scans/auditjs/auditjs_many_vul.json +++ b/unittests/scans/auditjs/auditjs_many_vul.json 
@@ -1,257 +1,282 @@ [ - { - "coordinates": "pkg:npm/express@3.0.0", - "description": "Fast, unopinionated, minimalist web framework", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/express@3.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/commander@0.6.1", - "description": "the complete solution for node.js command-line programs", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/commander@0.6.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/connect@2.6.0", - "description": "High performance middleware framework", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/connect@2.6.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "7df31426-09a2-4b5f-a0ab-acc699023c57", - "title": "[CVE-2018-3717] connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vuln...", - "description": "connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.", - "cvssScore": 5.4, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", - "cve": "CVE-2018-3717", - "reference": "https://ossindex.sonatype.org/vulnerability/7df31426-09a2-4b5f-a0ab-acc699023c57?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - }, - { - "id": "843bf109-df0b-4ef2-8a9d-f2fa2f5ece19", - "title": "Cross-Site Scripting with connect.methodOverride()", - "description": "This middleware overwrite req.method with the req.body['_method'] value. When you don't catch the error it responds with a default error msg: \"Cannot [METHOD] [URL]\" (https://github.com/senchalabs/connect/blob/6db901f967036ccc3c892b4bcb5bcb59e0b0dca9/lib/proto.js#L155). 
Because this is not enough sanitized, you can force a Cross-Site Scripting in the response:\n\n~ curl \"localhost:3000\" -d \"_method=\"\nCannot /\nThis is very dangerous because in a server like ExpressJS it won't be handled with a app.all('/*', ...), so all servers using this middleware are vulnerable.", - "cvssScore": 6.5, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "reference": "https://ossindex.sonatype.org/vulnerability/843bf109-df0b-4ef2-8a9d-f2fa2f5ece19?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - }, - { - "id": "07257200-4d10-45ca-a46a-14b3aa9b2673", - "title": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "description": "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.", - "cvssScore": 5.8, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", - "reference": "https://ossindex.sonatype.org/vulnerability/07257200-4d10-45ca-a46a-14b3aa9b2673?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/bytes@0.1.0", - "description": "Utility to parse a string bytes to bytes and vice-versa", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/bytes@0.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/cookie@0.0.4", - "description": "HTTP server cookie parsing and serialization", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/cookie@0.0.4?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - 
"coordinates": "pkg:npm/crc@0.2.0", - "description": "Module for calculating Cyclic Redundancy Check (CRC) for Node.js and the Browser.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/crc@0.2.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/formidable@1.0.11", - "description": "A node.js module for parsing form data, especially file uploads.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/formidable@1.0.11?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/fresh@0.1.0", - "description": "HTTP response freshness testing", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/fresh@0.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "4e1a10ea-4fa1-4e1e-9571-83362672b97e", - "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')", - "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.", - "cvssScore": 7.5, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "reference": "https://ossindex.sonatype.org/vulnerability/4e1a10ea-4fa1-4e1e-9571-83362672b97e?component-type=npm&component-name=fresh&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/pause@0.0.1", - "description": "Pause a stream's data events", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/pause@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/qs@0.5.1", - "description": "A querystring parser that supports nesting and arrays, with a depth limit", - "reference": 
"https://ossindex.sonatype.org/component/pkg:npm/qs@0.5.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "e9d3e8e7-e367-42d0-b5d7-193cbd96a755", - "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')", - "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.", - "cvssScore": 7.5, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "reference": "https://ossindex.sonatype.org/vulnerability/e9d3e8e7-e367-42d0-b5d7-193cbd96a755?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - }, - { - "id": "3a3bf289-21dc-4c84-a46e-39280f80bb01", - "title": "[CVE-2014-7191] Resource Management Errors", - "description": "The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.", - "cvssScore": 5, - "cvssVector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "cve": "CVE-2014-7191", - "reference": "https://ossindex.sonatype.org/vulnerability/3a3bf289-21dc-4c84-a46e-39280f80bb01?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - }, - { - "id": "c99eedca-ca97-4170-a935-defaf176f412", - "title": "CWE-20: Improper Input Validation", - "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.", - "cvssScore": 8.2, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", - "reference": "https://ossindex.sonatype.org/vulnerability/c99eedca-ca97-4170-a935-defaf176f412?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - }, - { - "id": "3b7c9a3f-0265-4435-b43d-7dbee2d6a461", - "title": 
"Prototype override protection bypass", - "description": "A prototype override protection bypass is possible, which allows attackers to overwrite properties and functions. A previous solution for the problem is incomplete.", - "cvssScore": 0, - "reference": "https://ossindex.sonatype.org/vulnerability/3b7c9a3f-0265-4435-b43d-7dbee2d6a461?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/send@0.0.4", - "description": "Better streaming static file server with Range and conditional-GET support", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/send@0.0.4?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "3a5ca7f8-cd91-4681-a8b5-285ef96915f2", - "title": "CWE-200: Information Exposure", - "description": "An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.", - "cvssScore": 5.3, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "reference": "https://ossindex.sonatype.org/vulnerability/3a5ca7f8-cd91-4681-a8b5-285ef96915f2?component-type=npm&component-name=send&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/mime@1.2.6", - "description": "A comprehensive library for mime-type mapping", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/mime@1.2.6?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "0fa304f3-b464-4e44-b747-1bd5b1922e06", - "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')", - "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.", - "cvssScore": 7.5, - "cvssVector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "reference": "https://ossindex.sonatype.org/vulnerability/0fa304f3-b464-4e44-b747-1bd5b1922e06?component-type=npm&component-name=mime&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/range-parser@0.0.4", - "description": "Range header field string parser", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/range-parser@0.0.4?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/methods@0.0.1", - "description": "HTTP methods that node supports", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/methods@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/mkdirp@0.3.3", - "description": "Recursively mkdir, like `mkdir -p`", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/mkdirp@0.3.3?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/send@0.1.0", - "description": "Better streaming static file server with Range and conditional-GET support", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/send@0.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "3a5ca7f8-cd91-4681-a8b5-285ef96915f2", - "title": "CWE-200: Information Exposure", - "description": "An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.", - "cvssScore": 5.3, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "reference": "https://ossindex.sonatype.org/vulnerability/3a5ca7f8-cd91-4681-a8b5-285ef96915f2?component-type=npm&component-name=send&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/auditjs@4.0.25", 
- "description": "Audit dependencies to identify known vulnerabilities and maintenance problems", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/auditjs@4.0.25?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/mysql@2.0.0", - "description": "A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/mysql@2.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "da5a3b11-c75b-48e7-9c28-1123f0a492bf", - "title": "Unverified Certificate", - "description": "> When using SSL to connect to a MySQL server, the SSL procedure implemented does not actually check if the remote server has a trusted certificate or not.\n> \n> -- [github.com](https://github.com/mysqljs/mysql/issues/816)", - "cvssScore": 0, - "reference": "https://ossindex.sonatype.org/vulnerability/da5a3b11-c75b-48e7-9c28-1123f0a492bf?component-type=npm&component-name=mysql&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - }, - { - "id": "fc92a5a0-4117-4809-89d9-ccbef6c87faf", - "title": "CWE-20: Improper Input Validation", - "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.", - "cvssScore": 8.2, - "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", - "reference": "https://ossindex.sonatype.org/vulnerability/fc92a5a0-4117-4809-89d9-ccbef6c87faf?component-type=npm&component-name=mysql&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/bignumber.js@1.0.1", - "description": "A library for arbitrary-precision decimal and non-decimal arithmetic", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/bignumber.js@1.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - 
"vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/readable-stream@1.1.14", - "description": "Streams3, a user-land copy of the stream library from Node.js", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/readable-stream@1.1.14?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/core-util-is@1.0.2", - "description": "The `util.is*` functions introduced in Node v0.12.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/core-util-is@1.0.2?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/isarray@0.0.1", - "description": "Array#isArray for older browsers", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/isarray@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/string_decoder@0.10.31", - "description": "The string_decoder module from Node core", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/string_decoder@0.10.31?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/require-all@0.0.3", - "description": "An easy way to require all files within a directory.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/require-all@0.0.3?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - } - ] + { + "coordinates": "pkg:npm/dompurify@2.5.7", + "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. 
It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/dompurify@2.5.7?utm_source=auditjs&utm_medium=integration&utm_content=4.0.46", + "vulnerabilities": [ + { + "id": "CVE-2024-47875", + "title": "[CVE-2024-47875] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was...", + "cvssScore": 6.4, + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:L", + "cve": "CVE-2024-47875", + "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2024-47875?component-type=npm&component-name=dompurify&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46" + }, + { + "id": "CVE-2025-26791", + "title": "[CVE-2025-26791] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", + "description": "DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).", + "cvssScore": 2.1, + "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", + "cve": "CVE-2025-26791", + "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2025-26791?component-type=npm&component-name=dompurify&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46" + } + ] + }, + { + "coordinates": "pkg:npm/express@3.0.0", + "description": "Fast, unopinionated, minimalist web framework", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/express@3.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/commander@0.6.1", + "description": "the complete solution for node.js command-line programs", + "reference": 
"https://ossindex.sonatype.org/component/pkg:npm/commander@0.6.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/connect@2.6.0", + "description": "High performance middleware framework", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/connect@2.6.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "7df31426-09a2-4b5f-a0ab-acc699023c57", + "title": "[CVE-2018-3717] connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vuln...", + "description": "connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.", + "cvssScore": 5.4, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", + "cve": "CVE-2018-3717", + "reference": "https://ossindex.sonatype.org/vulnerability/7df31426-09a2-4b5f-a0ab-acc699023c57?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + }, + { + "id": "843bf109-df0b-4ef2-8a9d-f2fa2f5ece19", + "title": "Cross-Site Scripting with connect.methodOverride()", + "description": "This middleware overwrite req.method with the req.body['_method'] value. When you don't catch the error it responds with a default error msg: \"Cannot [METHOD] [URL]\" (https://github.com/senchalabs/connect/blob/6db901f967036ccc3c892b4bcb5bcb59e0b0dca9/lib/proto.js#L155). 
Because this is not enough sanitized, you can force a Cross-Site Scripting in the response:\n\n~ curl \"localhost:3000\" -d \"_method=\"\nCannot /\nThis is very dangerous because in a server like ExpressJS it won't be handled with a app.all('/*', ...), so all servers using this middleware are vulnerable.", + "cvssScore": 6.5, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "reference": "https://ossindex.sonatype.org/vulnerability/843bf109-df0b-4ef2-8a9d-f2fa2f5ece19?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + }, + { + "id": "07257200-4d10-45ca-a46a-14b3aa9b2673", + "title": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", + "description": "The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.", + "cvssScore": 5.8, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", + "reference": "https://ossindex.sonatype.org/vulnerability/07257200-4d10-45ca-a46a-14b3aa9b2673?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/bytes@0.1.0", + "description": "Utility to parse a string bytes to bytes and vice-versa", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/bytes@0.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/cookie@0.0.4", + "description": "HTTP server cookie parsing and serialization", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/cookie@0.0.4?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + 
"coordinates": "pkg:npm/crc@0.2.0", + "description": "Module for calculating Cyclic Redundancy Check (CRC) for Node.js and the Browser.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/crc@0.2.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/formidable@1.0.11", + "description": "A node.js module for parsing form data, especially file uploads.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/formidable@1.0.11?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/fresh@0.1.0", + "description": "HTTP response freshness testing", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/fresh@0.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "4e1a10ea-4fa1-4e1e-9571-83362672b97e", + "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')", + "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.", + "cvssScore": 7.5, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "reference": "https://ossindex.sonatype.org/vulnerability/4e1a10ea-4fa1-4e1e-9571-83362672b97e?component-type=npm&component-name=fresh&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/pause@0.0.1", + "description": "Pause a stream's data events", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/pause@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/qs@0.5.1", + "description": "A querystring parser that supports nesting and arrays, with a depth limit", + "reference": 
"https://ossindex.sonatype.org/component/pkg:npm/qs@0.5.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "e9d3e8e7-e367-42d0-b5d7-193cbd96a755", + "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')", + "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.", + "cvssScore": 7.5, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "reference": "https://ossindex.sonatype.org/vulnerability/e9d3e8e7-e367-42d0-b5d7-193cbd96a755?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + }, + { + "id": "3a3bf289-21dc-4c84-a46e-39280f80bb01", + "title": "[CVE-2014-7191] Resource Management Errors", + "description": "The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows...", + "cvssScore": 5, + "cvssVector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "cve": "CVE-2014-7191", + "reference": "https://ossindex.sonatype.org/vulnerability/3a3bf289-21dc-4c84-a46e-39280f80bb01?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + }, + { + "id": "c99eedca-ca97-4170-a935-defaf176f412", + "title": "CWE-20: Improper Input Validation", + "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.", + "cvssScore": 8.2, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "reference": "https://ossindex.sonatype.org/vulnerability/c99eedca-ca97-4170-a935-defaf176f412?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + }, + { + "id": "3b7c9a3f-0265-4435-b43d-7dbee2d6a461", + "title": "Prototype override protection bypass", + "description": "A prototype override protection bypass is possible, which allows 
attackers to overwrite properties and functions. A previous solution for the problem is incomplete.", + "cvssScore": 0, + "reference": "https://ossindex.sonatype.org/vulnerability/3b7c9a3f-0265-4435-b43d-7dbee2d6a461?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/send@0.0.4", + "description": "Better streaming static file server with Range and conditional-GET support", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/send@0.0.4?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "3a5ca7f8-cd91-4681-a8b5-285ef96915f2", + "title": "CWE-200: Information Exposure", + "description": "An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.", + "cvssScore": 5.3, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "reference": "https://ossindex.sonatype.org/vulnerability/3a5ca7f8-cd91-4681-a8b5-285ef96915f2?component-type=npm&component-name=send&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/mime@1.2.6", + "description": "A comprehensive library for mime-type mapping", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/mime@1.2.6?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "0fa304f3-b464-4e44-b747-1bd5b1922e06", + "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')", + "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.", + "cvssScore": 7.5, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "reference": 
"https://ossindex.sonatype.org/vulnerability/0fa304f3-b464-4e44-b747-1bd5b1922e06?component-type=npm&component-name=mime&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/range-parser@0.0.4", + "description": "Range header field string parser", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/range-parser@0.0.4?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/methods@0.0.1", + "description": "HTTP methods that node supports", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/methods@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/mkdirp@0.3.3", + "description": "Recursively mkdir, like `mkdir -p`", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/mkdirp@0.3.3?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/send@0.1.0", + "description": "Better streaming static file server with Range and conditional-GET support", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/send@0.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "3a5ca7f8-cd91-4681-a8b5-285ef96915f2", + "title": "CWE-200: Information Exposure", + "description": "An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.", + "cvssScore": 5.3, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "reference": "https://ossindex.sonatype.org/vulnerability/3a5ca7f8-cd91-4681-a8b5-285ef96915f2?component-type=npm&component-name=send&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/auditjs@4.0.25", + "description": "Audit dependencies to identify known 
vulnerabilities and maintenance problems", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/auditjs@4.0.25?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/mysql@2.0.0", + "description": "A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/mysql@2.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "da5a3b11-c75b-48e7-9c28-1123f0a492bf", + "title": "Unverified Certificate", + "description": "> When using SSL to connect to a MySQL server, the SSL procedure implemented does not actually check if the remote server has a trusted certificate or not.\n> \n> -- [github.com](https://github.com/mysqljs/mysql/issues/816)", + "cvssScore": 0, + "reference": "https://ossindex.sonatype.org/vulnerability/da5a3b11-c75b-48e7-9c28-1123f0a492bf?component-type=npm&component-name=mysql&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + }, + { + "id": "fc92a5a0-4117-4809-89d9-ccbef6c87faf", + "title": "CWE-20: Improper Input Validation", + "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.", + "cvssScore": 8.2, + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "reference": "https://ossindex.sonatype.org/vulnerability/fc92a5a0-4117-4809-89d9-ccbef6c87faf?component-type=npm&component-name=mysql&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/bignumber.js@1.0.1", + "description": "A library for arbitrary-precision decimal and non-decimal arithmetic", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/bignumber.js@1.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": 
"pkg:npm/readable-stream@1.1.14", + "description": "Streams3, a user-land copy of the stream library from Node.js", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/readable-stream@1.1.14?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/core-util-is@1.0.2", + "description": "The `util.is*` functions introduced in Node v0.12.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/core-util-is@1.0.2?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/isarray@0.0.1", + "description": "Array#isArray for older browsers", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/isarray@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/string_decoder@0.10.31", + "description": "The string_decoder module from Node core", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/string_decoder@0.10.31?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/require-all@0.0.3", + "description": "An easy way to require all files within a directory.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/require-all@0.0.3?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + } +] diff --git a/unittests/scans/auditjs/auditjs_one_vul.json b/unittests/scans/auditjs/auditjs_one_vul.json index 2f04f4d350b..594054461bf 100644 --- a/unittests/scans/auditjs/auditjs_one_vul.json +++ b/unittests/scans/auditjs/auditjs_one_vul.json 
@@ -1,65 +1,65 @@ [ - { - "coordinates": "pkg:npm/auditjs@4.0.25", - "description": "Audit dependencies to identify known vulnerabilities and maintenance problems", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/auditjs@4.0.25?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/chalk@3.0.0", - "description": "Terminal string styling done right", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/chalk@3.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/mysql@2.0.0", - "description": "A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/mysql@2.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [ - { - "id": "da5a3b11-c75b-48e7-9c28-1123f0a492bf", - "title": "Unverified Certificate", - "description": "> When using SSL to connect to a MySQL server, the SSL procedure implemented does not actually check if the remote server has a trusted certificate or not.\n> \n> -- [github.com](https://github.com/mysqljs/mysql/issues/816)", - "cvssScore": 9.6, - "cvssVector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "reference": "https://ossindex.sonatype.org/vulnerability/da5a3b11-c75b-48e7-9c28-1123f0a492bf?component-type=npm&component-name=mysql&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" - } - ] - }, - { - "coordinates": "pkg:npm/bignumber.js@1.0.1", - "description": "A library for arbitrary-precision decimal and non-decimal arithmetic", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/bignumber.js@1.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/readable-stream@1.1.14", - "description": "Streams3, a user-land copy of the stream 
library from Node.js", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/readable-stream@1.1.14?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/core-util-is@1.0.2", - "description": "The `util.is*` functions introduced in Node v0.12.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/core-util-is@1.0.2?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/isarray@0.0.1", - "description": "Array#isArray for older browsers", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/isarray@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/string_decoder@0.10.31", - "description": "The string_decoder module from Node core", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/string_decoder@0.10.31?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/require-all@0.0.3", - "description": "An easy way to require all files within a directory.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/require-all@0.0.3?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - } - ] + { + "coordinates": "pkg:npm/auditjs@4.0.25", + "description": "Audit dependencies to identify known vulnerabilities and maintenance problems", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/auditjs@4.0.25?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/chalk@3.0.0", + "description": "Terminal string styling done right", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/chalk@3.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/mysql@2.0.0", + 
"description": "A node.js driver for mysql. It is written in JavaScript, does not require compiling, and is 100% MIT licensed.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/mysql@2.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [ + { + "id": "da5a3b11-c75b-48e7-9c28-1123f0a492bf", + "title": "Unverified Certificate", + "description": "> When using SSL to connect to a MySQL server, the SSL procedure implemented does not actually check if the remote server has a trusted certificate or not.\n> \n> -- [github.com](https://github.com/mysqljs/mysql/issues/816)", + "cvssScore": 9.6, + "cvssVector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", + "reference": "https://ossindex.sonatype.org/vulnerability/da5a3b11-c75b-48e7-9c28-1123f0a492bf?component-type=npm&component-name=mysql&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25" + } + ] + }, + { + "coordinates": "pkg:npm/bignumber.js@1.0.1", + "description": "A library for arbitrary-precision decimal and non-decimal arithmetic", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/bignumber.js@1.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/readable-stream@1.1.14", + "description": "Streams3, a user-land copy of the stream library from Node.js", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/readable-stream@1.1.14?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/core-util-is@1.0.2", + "description": "The `util.is*` functions introduced in Node v0.12.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/core-util-is@1.0.2?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/isarray@0.0.1", + "description": "Array#isArray for older browsers", + "reference": 
"https://ossindex.sonatype.org/component/pkg:npm/isarray@0.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/string_decoder@0.10.31", + "description": "The string_decoder module from Node core", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/string_decoder@0.10.31?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/require-all@0.0.3", + "description": "An easy way to require all files within a directory.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/require-all@0.0.3?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + } +] diff --git a/unittests/scans/auditjs/auditjs_zero_vul.json b/unittests/scans/auditjs/auditjs_zero_vul.json index 3be7849cd64..92c92413314 100644 --- a/unittests/scans/auditjs/auditjs_zero_vul.json +++ b/unittests/scans/auditjs/auditjs_zero_vul.json 
@@ -1,44 +1,44 @@ [ - { - "coordinates": "pkg:npm/is-fullwidth-code-point@3.0.0", - "description": "Check if the character represented by a given Unicode code point is fullwidth", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/is-fullwidth-code-point@3.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/wrap-ansi@7.0.0", - "description": "Wordwrap a string with ANSI escape codes", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/wrap-ansi@7.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/escalade@3.1.1", - "description": "A tiny (183B to 210B) and fast utility to ascend parent directories", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/escalade@3.1.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/get-caller-file@2.0.5", - "description": "[![Build Status](https://travis-ci.org/stefanpenner/get-caller-file.svg?branch=master)](https://travis-ci.org/stefanpenner/get-caller-file) [![Build status](https://ci.appveyor.com/api/projects/status/ol2q94g1932cy14a/branch/master?svg=true)](https://ci.a", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/get-caller-file@2.0.5?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/require-directory@2.1.1", - "description": "Recursively iterates over specified directory, require()'ing each file, and returning a nested hash structure containing those modules.", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/require-directory@2.1.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/y18n@5.0.8", - "description": "the bare-bones internationalization library used by yargs", - "reference": 
"https://ossindex.sonatype.org/component/pkg:npm/y18n@5.0.8?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - }, - { - "coordinates": "pkg:npm/yargs-parser@20.2.7", - "description": "the mighty option parser used by yargs", - "reference": "https://ossindex.sonatype.org/component/pkg:npm/yargs-parser@20.2.7?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", - "vulnerabilities": [] - } - ] + { + "coordinates": "pkg:npm/is-fullwidth-code-point@3.0.0", + "description": "Check if the character represented by a given Unicode code point is fullwidth", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/is-fullwidth-code-point@3.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/wrap-ansi@7.0.0", + "description": "Wordwrap a string with ANSI escape codes", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/wrap-ansi@7.0.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/escalade@3.1.1", + "description": "A tiny (183B to 210B) and fast utility to ascend parent directories", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/escalade@3.1.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/get-caller-file@2.0.5", + "description": "[![Build Status](https://travis-ci.org/stefanpenner/get-caller-file.svg?branch=master)](https://travis-ci.org/stefanpenner/get-caller-file) [![Build status](https://ci.appveyor.com/api/projects/status/ol2q94g1932cy14a/branch/master?svg=true)](https://ci.a", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/get-caller-file@2.0.5?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/require-directory@2.1.1", + "description": "Recursively iterates over specified 
directory, require()'ing each file, and returning a nested hash structure containing those modules.", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/require-directory@2.1.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/y18n@5.0.8", + "description": "the bare-bones internationalization library used by yargs", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/y18n@5.0.8?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + }, + { + "coordinates": "pkg:npm/yargs-parser@20.2.7", + "description": "the mighty option parser used by yargs", + "reference": "https://ossindex.sonatype.org/component/pkg:npm/yargs-parser@20.2.7?utm_source=auditjs&utm_medium=integration&utm_content=4.0.25", + "vulnerabilities": [] + } +] diff --git a/unittests/tools/test_auditjs_parser.py b/unittests/tools/test_auditjs_parser.py index 0123c016bd5..90b7fed3f29 100644 --- a/unittests/tools/test_auditjs_parser.py +++ b/unittests/tools/test_auditjs_parser.py 
@@ -39,23 +39,57 @@ def test_auditjs_parser_with_many_vuln_has_many_findings(self):
 for finding in findings:
 for endpoint in finding.unsaved_endpoints:
 endpoint.clean()
- # Notice that there are 13 vulnerabilities but 1 duplicate in this report
- self.assertEqual(12, len(findings))
- self.assertEqual("connect", findings[0].component_name)
- self.assertEqual("2.6.0", findings[0].component_version)
- self.assertEqual(5.4, findings[0].cvssv3_score)
+ # Notice that there are 15 vulnerabilities but 1 duplicate in this report
+ self.assertEqual(14, len(findings))
+
+ # Tests for vulnerabilities with CVSS V4 vector
+ self.assertEqual("dompurify", findings[0].component_name)
+ self.assertEqual("2.5.7", findings[0].component_version)
+ self.assertEqual(6.4, findings[0].cvssv3_score)
 self.assertEqual("Medium", findings[0].severity)
- self.assertEqual("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", findings[0].cvssv3)
- self.assertEqual("7df31426-09a2-4b5f-a0ab-acc699023c57", findings[0].unique_id_from_tool)
- self.assertEqual("connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.",
+ self.assertEqual(2.1, findings[1].cvssv3_score)
+ self.assertEqual("Low", findings[1].severity)
+ self.assertEqual("CVE-2024-47875", findings[0].unique_id_from_tool)
+ self.assertIn("DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was...",
 findings[0].description)
- self.assertEqual("[CVE-2018-3717] connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vuln...",
+ self.assertIn("\nCVSS V4 Vector:", findings[0].description)
+ self.assertEqual("[CVE-2024-47875] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
 findings[0].title)
 self.assertEqual(1, len(findings[0].unsaved_vulnerability_ids))
- self.assertEqual("CVE-2018-3717", findings[0].unsaved_vulnerability_ids[0])
- self.assertEqual("https://ossindex.sonatype.org/vulnerability/7df31426-09a2-4b5f-a0ab-acc699023c57?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25",
+ self.assertEqual("CVE-2024-47875", findings[0].unsaved_vulnerability_ids[0])
+ self.assertEqual("https://ossindex.sonatype.org/vulnerability/CVE-2024-47875?component-type=npm&component-name=dompurify&utm_source=auditjs&utm_medium=integration&utm_content=4.0.46",
 findings[0].references)
- self.assertEqual(400, findings[4].cwe)
+
+ # Tests for vulnerabilities with CVSS V3 vector
+ self.assertEqual("connect", findings[2].component_name)
+ self.assertEqual("2.6.0", findings[2].component_version)
+ self.assertEqual(5.4, findings[2].cvssv3_score)
+ self.assertEqual("Medium", findings[2].severity)
+ self.assertEqual("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", findings[2].cvssv3)
+ self.assertEqual("7df31426-09a2-4b5f-a0ab-acc699023c57", findings[2].unique_id_from_tool)
+ self.assertEqual("connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.",
+ findings[2].description)
+ self.assertEqual("[CVE-2018-3717] connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vuln...",
+ findings[2].title)
+ self.assertEqual(1, len(findings[2].unsaved_vulnerability_ids))
+ self.assertEqual("CVE-2018-3717", findings[2].unsaved_vulnerability_ids[0])
+ self.assertEqual("https://ossindex.sonatype.org/vulnerability/7df31426-09a2-4b5f-a0ab-acc699023c57?component-type=npm&component-name=connect&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25",
+ findings[2].references)
+ self.assertEqual(400, findings[6].cwe)
+
+ # Tests for vulnerabilities with CVSS V2 vector
+ self.assertEqual("qs", findings[7].component_name)
+ self.assertEqual("0.5.1", findings[7].component_version)
+ self.assertEqual(5, findings[7].cvssv3_score)
+ self.assertEqual("Medium", findings[7].severity)
+ self.assertEqual("3a3bf289-21dc-4c84-a46e-39280f80bb01", findings[7].unique_id_from_tool)
+ self.assertIn("The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows...", findings[7].description)
+ self.assertIn("\nCVSS V2 Vector:", findings[7].description)
+ self.assertEqual("[CVE-2014-7191] Resource Management Errors", findings[7].title)
+ self.assertEqual(1, len(findings[7].unsaved_vulnerability_ids))
+ self.assertEqual("CVE-2014-7191", findings[7].unsaved_vulnerability_ids[0])
+ self.assertEqual("https://ossindex.sonatype.org/vulnerability/3a3bf289-21dc-4c84-a46e-39280f80bb01?component-type=npm&component-name=qs&utm_source=auditjs&utm_medium=integration&utm_content=4.0.25",
+ findings[7].references)
 
 def test_auditjs_parser_empty_with_error(self):
 with self.assertRaises(ValueError) as context, \
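Review bot: The V4 and V2 cases only check that the `"\nCVSS V4 Vector:"` / `"\nCVSS V2 Vector:"` label reached the description; nothing pins the vector text that follows the label, and nothing checks that `cvssv3` stayed unset for those findings, so a parser that appended the wrong vector after the label, or copied a V4/V2 vector into the V3 field, would still pass. If the parser is meant to leave `cvssv3` empty for non-V3 vectors (which the description-only labels suggest), I'd add `self.assertIsNone(findings[0].cvssv3)` and `self.assertIsNone(findings[7].cvssv3)` beside the existing `assertIn` calls, and extend those `assertIn` strings to include the full vector exactly as the fixture carries it (the dompurify and qs fixture entries are not in this view, so I can't quote them). The V2 severity is pinned only as "Medium" for a 5.0 score, which a plain V3 scale would also produce; a V2 entry whose V2 and V3 ratings differ would make that assertion discriminating. The test method continues past the end of the hunk.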