├── .github ├── CODEOWNERS └── workflows │ ├── release.yml │ └── test.yml ├── .gitignore ├── .npmrc ├── .snyk ├── .snyk-filter └── snyk.yml ├── README.md ├── index.js ├── lib ├── snyk-display.js └── snyk-filter.js ├── package.json ├── sample-data ├── multiple.json ├── snyk-iac-terraform-demo.json ├── snyk-sample-results.json └── vulnado_snyk_test.json ├── sample-filters ├── example-complex-combination-SCA.yml ├── example-cvss-9-or-above.yml ├── example-high-vulns-ignore-package-names.yml ├── example-high-vulns-upgradeable.yml ├── example-iac-high-or-above-issues.yml ├── example-iac-high-or-above-s3-only-issues.yml ├── example-licenses-only.yml ├── example-medium-or-above-vulns-upgradeable.yml ├── example-more-than-n-vulns └── example-vulns-only.yml └── tests ├── fixtures ├── test_filters.json └── test_results.json └── test.js /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # CS Engineering will be required for a review on every PR 2 | * @snyk-labs/cs-engineers 3 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release action 2 | on: 3 | push: 4 | branches: 5 | - master 6 | 7 | permissions: 8 | contents: read # for checkout 9 | 10 | jobs: 11 | build-and-publish: 12 | if: github.ref == 'refs/heads/master' 13 | runs-on: ubuntu-latest 14 | permissions: 15 | contents: write # to be able to publish a GitHub release 16 | issues: write # to be able to comment on released issues 17 | pull-requests: write # to be able to comment on released pull requests 18 | id-token: write # to enable use of OIDC for npm provenance 19 | steps: 20 | - name: Checkout 21 | uses: actions/checkout@v3 22 | with: 23 | fetch-depth: 0 24 | - name: Setup Node.js 25 | uses: actions/setup-node@v3 26 | with: 27 | node-version: "lts/*" 28 | - name: Install dependencies 29 | run: npm install 
      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
        # Checks registry signatures/attestations of what `npm install` above fetched.
        # NOTE(security): .npmrc sets package-lock=false, so no lockfile pins that
        # set; the check covers whatever versions resolved on this run.
        run: npm audit signatures
      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npx semantic-release
--------------------------------------------------------------------------------
/.github/workflows/test.yml:
--------------------------------------------------------------------------------
name: PR Tests
on:
  pull_request:
  workflow_dispatch:
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # NOTE(security): `@master` is a moving branch ref, so the action code run
      # by the three `@master` steps below can change without any change to this
      # repository. TODO(security): pin to a release tag or a full commit SHA.
      - uses: actions/checkout@master
      - uses: snyk/actions/setup@master
      - name: Setup Node.js environment
        uses: actions/setup-node@v2
      - name: Install dependencies
        run: |
          npm install
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          # GitHub does not expose repository secrets to pull_request runs from
          # forks, so SNYK_TOKEN is empty for those runs.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=critical
  npmtest:
    runs-on: ubuntu-latest
    needs: security
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Node.js environment
        uses: actions/setup-node@v2
      - name: Install dependencies
        # NOTE(security): semantic-release, @semantic-release/exec and pkg are not
        # in package.json; they are fetched unpinned at test time, and with
        # package-lock=false each run tests against whatever versions resolve.
        run: |
          npm install semantic-release @semantic-release/exec pkg --save-dev
          npm install
      - name: Test
        run: npm test
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
node_modules
.dccache
dist
--------------------------------------------------------------------------------
/.npmrc:
--------------------------------------------------------------------------------
package-lock=false
--------------------------------------------------------------------------------
/.snyk:
--------------------------------------------------------------------------------
# Snyk
(https://snyk.io) policy file, patches or ignores known vulnerabilities. 2 | version: v1.19.0 3 | # ignores vulnerabilities until expiry date; change duration by modifying expiry date 4 | ignore: 5 | 'npm:braces:20180219': 6 | - node-jq > bin-build > decompress > vinyl-fs > glob-stream > micromatch > braces: 7 | reason: no fix yet 8 | expires: '2019-11-09T19:08:50.450Z' 9 | - node-jq > bin-build > download > vinyl-fs > glob-stream > micromatch > braces: 10 | reason: no fix yet 11 | expires: '2019-11-09T19:08:50.450Z' 12 | - node-jq > bin-build > download > gulp-decompress > decompress > vinyl-fs > glob-stream > micromatch > braces: 13 | reason: no fix yet 14 | expires: '2019-11-09T19:08:50.450Z' 15 | 'snyk:lic:npm:tunnel-agent:Apache-2.0': 16 | - node-jq > bin-build > download > caw > tunnel-agent: 17 | reason: None given 18 | expires: '2019-11-09T19:08:50.450Z' 19 | - node-jq > download > caw > tunnel-agent: 20 | reason: None given 21 | expires: '2019-11-09T19:08:50.450Z' 22 | SNYK-JS-DECOMPRESS-557358: 23 | - node-jq > bin-build > decompress: 24 | reason: no fix avail yet 25 | expires: '2020-04-11T08:48:22.379Z' 26 | - node-jq > download > decompress: 27 | reason: no fix avail yet 28 | expires: '2020-04-11T08:48:22.379Z' 29 | - node-jq > bin-build > download > decompress: 30 | reason: no fix avail yet 31 | expires: '2020-04-11T08:48:22.379Z' 32 | SNYK-JS-DECOMPRESSTAR-559095: 33 | - '*': 34 | reason: None Given 35 | expires: 2021-05-01T00:00:00.000Z 36 | created: 2021-03-16T04:06:57.018Z 37 | SNYK-JS-MINIMIST-559764: 38 | - snyk > @snyk/update-notifier > latest-version > package-json > registry-auth-token > rc > minimist: 39 | reason: no fix avail yet 40 | expires: '2020-04-11T08:48:22.380Z' 41 | - snyk > @snyk/update-notifier > latest-version > package-json > registry-url > rc > minimist: 42 | reason: no fix avail yet 43 | expires: '2020-04-11T08:48:22.380Z' 44 | # patches apply the minimum changes required to fix a vulnerability 45 | patch: 46 | 
SNYK-JS-TREEKILL-536781: 47 | - snyk > snyk-sbt-plugin > tree-kill: 48 | patched: '2019-12-12T03:22:16.355Z' 49 | SNYK-JS-LODASH-567746: 50 | - lodash: 51 | patched: '2020-05-01T03:24:10.058Z' 52 | - snyk > @snyk/dep-graph > lodash: 53 | patched: '2020-05-01T03:24:10.058Z' 54 | - snyk > inquirer > lodash: 55 | patched: '2020-05-01T03:24:10.058Z' 56 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/dep-graph > lodash: 57 | patched: '2020-05-01T03:24:10.058Z' 58 | - snyk > snyk-nuget-plugin > dotnet-deps-parser > lodash: 59 | patched: '2020-05-01T03:24:10.058Z' 60 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/cocoapods-lockfile-parser > @snyk/ruby-semver > lodash: 61 | patched: '2020-05-01T03:24:10.058Z' 62 | - snyk > lodash: 63 | patched: '2020-05-01T03:24:10.058Z' 64 | - snyk > snyk-config > lodash: 65 | patched: '2020-05-01T03:24:10.058Z' 66 | - snyk > snyk-mvn-plugin > lodash: 67 | patched: '2020-05-01T03:24:10.058Z' 68 | - snyk > snyk-nodejs-lockfile-parser > lodash: 69 | patched: '2020-05-01T03:24:10.058Z' 70 | - snyk > snyk-nuget-plugin > lodash: 71 | patched: '2020-05-01T03:24:10.058Z' 72 | - snyk > @snyk/dep-graph > graphlib > lodash: 73 | patched: '2020-05-01T03:24:10.058Z' 74 | - snyk > snyk-go-plugin > graphlib > lodash: 75 | patched: '2020-05-01T03:24:10.058Z' 76 | - snyk > snyk-nodejs-lockfile-parser > graphlib > lodash: 77 | patched: '2020-05-01T03:24:10.058Z' 78 | - snyk > snyk-php-plugin > @snyk/composer-lockfile-parser > lodash: 79 | patched: '2020-05-01T03:24:10.058Z' 80 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/dep-graph > graphlib > lodash: 81 | patched: '2020-05-01T03:24:10.058Z' 82 | - snyk > @snyk/snyk-cocoapods-plugin > @snyk/cocoapods-lockfile-parser > @snyk/dep-graph > graphlib > lodash: 83 | patched: '2020-05-01T03:24:10.058Z' 84 | -------------------------------------------------------------------------------- /.snyk-filter/snyk.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 
customFilters: 3 | filter: ".vulnerabilities |= map(if .isUpgradable == true and .severity == \"high\" then . else empty end)" 4 | pass: "[.vulnerabilities[] | select(.severity == \"high\" and .isUpgradable == true)] | length" 5 | msg: "High Severity issues detected. Please review upgrade steps" 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Snyk logo](https://snyk.io/style/asset/logo/snyk-print.svg)](https://snyk.io) 2 | 3 | *** 4 | 5 | # Custom Filtering for Snyk CLI 6 | snyk-filter takes the JSON outputted from the [Snyk CLI](https://support.snyk.io/hc/en-us/articles/360003812578-CLI-reference), e.g. `snyk test --json` and applies custom filtering of the results, as well as options to fail your build. 7 | 8 | [![Known Vulnerabilities](https://snyk.io//test/github/snyk-tech-services/snyk-filter/badge.svg?targetFile=package.json)](https://snyk.io//test/github/snyk-tech-services/snyk-filter?targetFile=package.json) 9 | [![CircleCI](https://circleci.com/gh/snyk-tech-services/snyk-filter.svg?style=svg)](https://circleci.com/gh/snyk-tech-services/snyk-filter) 10 | [![Inactively Maintained](https://img.shields.io/badge/Maintenance%20Level-Inactively%20Maintained-yellowgreen.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d) 11 | 12 | 13 | **This repository is in maintenance mode, no new features are being developed. Bug & security fixes will continue to be delivered. Open source contributions are welcome for small features & fixes (no breaking changes)** 14 | 15 | # How do I use it? 16 | 17 | ## Install 18 | `npm i -g snyk-filter` 19 | 20 | ### Note about `node-jq` 21 | 22 | snyk-filter uses the `node-jq` library, which requires that a [`jq`](https://stedolan.github.io/jq/) binary is installed. 
This typically happens transparently via `npm install -g`, but on some systems `jq` does not get installed correctly. If you receive an error about `node-jq` after installation, install `jq` manually to avoid this error.

```
# install jq ahead of time (ubuntu example)
sudo apt-get install -y jq

# tell node-jq to skip trying to install it on its own
export NODE_JQ_SKIP_INSTALL_BINARY=true

# tell node-jq where the existing jq binary is
export JQ_PATH=$(which jq)

# finally, install snyk-filter (does not work with node version > 12)
sudo npm install -g
```

## Usage

1. Implement your custom jq filters in a `.snyk-filter/snyk.yml` file relative to the current working directory from which you will run `snyk test` (see the examples in [sample-filters](https://github.com/snyk-tech-services/snyk-filter/tree/develop/sample-filters) and tweak them from there; [JQPlay](https://jqplay.org/) is useful for trying out expressions).

2. Then pipe your `snyk test --json` output into `snyk-filter`, or use the `-i` argument to read a JSON file. Use the `-f` argument to point to the yml file containing your custom filters if you are not using the default location (`.snyk-filter/snyk.yml`).

3.
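Return code of snyk-filter will be 0 for pass (no issues) and 1 for fail (issues found)

### Example with Snyk CLI (using .snyk-filter/snyk.yml by default)
`snyk test --json | snyk-filter`

### Example with Snyk CLI and custom yml file location
`snyk test --json | snyk-filter -f /path/to/example-cvss-9-or-above.yml`

### Example
`snyk-filter -i snyk_results.json`

### Example with custom yml file location
`snyk-filter -i snyk_results.json -f /path/to/example-high-upgradeable-vulns.yml`

## Options
`--json` to output json

### License

[License: Apache License, Version 2.0](LICENSE)
--------------------------------------------------------------------------------
/index.js:
--------------------------------------------------------------------------------
#!/usr/bin/env node

// CLI entry point: reads Snyk CLI JSON (from `-i FILE` or stdin), applies the
// custom jq filters from a snyk-filter yml file and prints the result.
var debug = require('debug')('index');
var fs = require('fs');
var snykFilter = require('./lib/snyk-filter.js');
var argv = require('minimist')(process.argv.slice(2));
var os = require('os');
var path = require('path');

// Filter file used when `-f` is not given.
const DEFAULT_FILTERS = path.join(process.cwd(), '/.snyk-filter/snyk.yml');

// Value of a minimist option, or undefined when the flag was given without a
// value (minimist reports a bare `-i` / `-o` / `-f` as `true`).
function optionValue(value) {
  if (value === undefined || typeof value === 'boolean') {
    return undefined;
  }
  return value;
}

const source = optionValue(argv.i); // -i FILE: read results from FILE, else stdin
const output = optionValue(argv.o); // -o FILE: write the report to FILE, else stdout
// -f FILE: yml file with the customFilters section. A bare `-f` used to leave
// `filters` as `true`, which made the yml load fail; it now falls back to the
// default path like a missing `-f` does.
let filters = optionValue(argv.f);
if (filters === undefined) {
  filters = DEFAULT_FILTERS;
}
const options = argv.json ? { json: true } : {};

debug('source=%s output=%s filters=%s', source, output, filters);
snykFilter.run(source, onReportOutput, filters, options);

// Delivers a rendered report either to the `-o` file or to stdout.
// NOTE(review): lib/snyk-filter.js currently prints its reports itself and
// never invokes this callback, so `-o` has no effect until run() is wired to
// call it.
function onReportOutput(report) {
  if (!output) {
    console.log(report);
    return;
  }
  fs.writeFile(output, report, function (err) {
    if (err) {
      // write failures go to stderr so they cannot be mistaken for report output
      console.error(err);
      return;
    }
    console.log('Vulnerability snapshot saved at ' + output);
  });
}
--------------------------------------------------------------------------------
/lib/snyk-display.js:
--------------------------------------------------------------------------------
#!/usr/bin/env node
var debug = require("debug")("snyk-display");

const chalk = require("chalk");

// Base URL of the per-vulnerability info links in the report.
const ROOT = "https://snyk.io";

module.exports = {
  displayResult: displayResult,
  displayIACResult: displayIACResult,
};

/**
 * Render a filtered Infrastructure-as-Code result for the terminal.
 *
 * @param {Error|Array<Object>} res - The jq filter output (an array of IaC
 *   issue objects), or an Error whose message is returned as-is.
 * @param {Object} options - Display options; `path` and `severityThreshold`
 *   are read here.
 * @param {Object} originalData - The unfiltered Snyk result; supplies
 *   projectName/targetFile/projectType and the policy metadata lines.
 * @returns {string} The coloured report text.
 */
function displayIACResult(res, options, originalData) {
  debug("options: %o", options);

  // handle errors by extracting their message
  if (res instanceof Error) {
    return res.message;
  }

  const meta = metaForIACDisplay(res, options, originalData) + "\n\n";
  const interIssueSep = `\n\n-----\n`;
  let summary = `Tested ${originalData.projectName} ${originalData.targetFile}/${originalData.projectType} for known issues\n`;

  // NOTE(review): `res` is whatever the user's jq filter produced; the code
  // below assumes an array of issue objects with the fields read in
  // formatIACIssue.
  if (res.length === 0) {
    summary += chalk.green("✓ No issues found");

    if (options.severityThreshold) {
      summary += chalk.yellow(
        "\n\nCAUTION! Your severity setting might have hidden some issues below the threshold chosen. Make sure to review the unfiltered results."
      );
    }

    return (
      chalk.bold("Testing " + options.path + "...\n") +
      meta +
      summary +
      interIssueSep
    );
  }

  summary += chalk.red.bold(`found ${res.length} issues `);

  const sep = "\n\n";
  const body =
    res.map(formatIACIssue).filter(Boolean).join(sep) +
    sep +
    meta +
    summary +
    interIssueSep;

  return chalk.bold("\nTesting " + options.path + "...\n") + body;
}

// One IaC issue, formatted exactly as the terminal report prints it.
function formatIACIssue(issue) {
  const severity = issue.severity.toUpperCase();
  let text = chalk.red(
    "✗ " + severity + " severity issue found on " + issue.title + "\n"
  );
  text += "- issue: " + issue.iacDescription.issue + "\n";
  text += "- impact: " + issue.iacDescription.impact + "\n";
  text += `- info: ${issue.id} of ${issue.subType}/${issue.type} type\n`;
  text += `- resolution: ${issue.iacDescription.resolve} \n`;
  text += `- path: ${issue.path.join("=>")}\n`;
  text += `- line number: ${issue.lineNumber}`;
  return text;
}

/**
 * Render a filtered dependency-scan result for the terminal.
 *
 * @param {Error|Object} res - The jq filter output (a Snyk `test` result
 *   object), or an Error whose message is returned as-is.
 * @param {Object} options - Display options: `path`, `showVulnPaths`,
 *   `severityThreshold` and `packageManager` are read here.
 * @returns {string} The coloured report text.
 */
function displayResult(res, options) {
  debug("options: %o", options);

  // handle errors by extracting their message
  if (res instanceof Error) {
    return res.message;
  }

  const meta = metaForDisplay(res, options) + "\n\n";
  const packageManager = options.packageManager;
  const issueWord = res.licensesPolicy ? "issues" : "vulnerabilities";
  // The jq filter may have dropped `vulnerabilities` entirely; treat that as
  // an empty list everywhere instead of only in some branches.
  const vulns = res.vulnerabilities || [];

  // real `test` result object, let's describe it
  let summary = "Tested ";
  // Prototype-safe own-property check: `res` is parsed JSON and could carry a
  // key named hasOwnProperty.
  if (Object.prototype.hasOwnProperty.call(res, "dependencyCount")) {
    summary += res.dependencyCount + " dependencies";
  } else {
    summary += options.path;
  }
  summary += " for known " + issueWord;

  if (res.ok && vulns.length === 0) {
    const vulnPaths = options.showVulnPaths
      ? ", no vulnerable paths found."
      : ", none were found.";
    summary = chalk.green("✓ " + summary + vulnPaths);

    if (options.severityThreshold) {
      summary += chalk.yellow(
        "\n\nCAUTION! Your severity setting might have hidden some vulnerabilities below the threshold chosen. Make sure to review the unfiltered results."
      );
    }

    return chalk.bold("\nTesting " + options.path + "...\n") + meta + summary;
  }

  // A "found N vulnerabilities, M vulnerable paths" line used to be computed
  // here but was never printed (its summary line was commented out), so the
  // dead computation is gone.

  if (packageManager === "npm" || packageManager === "yarn") {
    summary += "\n\nRun `snyk wizard` to address these issues.";
  }

  const sep = "\n\n";
  // Ids already printed; a Set rather than a plain object so an id such as
  // "constructor" cannot collide with Object.prototype and be skipped.
  const reportedVulns = new Set();
  const body =
    vulns
      .map(function (vuln) {
        // Without vulnerable paths each vulnerability id is listed once.
        if (!options.showVulnPaths) {
          if (reportedVulns.has(vuln.id)) {
            return;
          }
          reportedVulns.add(vuln.id);
        }
        return formatVuln(vuln, options, packageManager);
      })
      .filter(Boolean)
      .join(sep) +
    sep +
    meta +
    summary;

  return chalk.bold("\nTesting " + options.path + "...\n") + body;
}

// One vulnerability entry: the trimmed short form when vulnerable paths are
// not shown, otherwise the full entry with remediation advice.
function formatVuln(vuln, options, packageManager) {
  const name = vuln.name + "@" + vuln.version;
  const severity = vuln.severity[0].toUpperCase() + vuln.severity.slice(1);
  const issue = vuln.type === "license" ? "issue" : "vulnerability";

  let text = chalk.red(
    "✗ " + severity + " severity " + issue + " found on " + name + "\n"
  );
  text += "- desc: " + vuln.title + "\n";
  text += "- info: " + ROOT + "/vuln/" + vuln.id + "\n";
  if (options.showVulnPaths) {
    text += "- from: " + vuln.from.join(" > ") + "\n";
  }
  if (vuln.note) {
    text += vuln.note + "\n";
  }

  // none of the output past this point is relevant if we're not displaying
  // vulnerable paths
  if (!options.showVulnPaths) {
    return text.trim();
  }

  const upgradeSteps = (vuln.upgradePath || []).filter(Boolean);

  if (upgradeSteps.length === 0) {
    if (vuln.type === "license") {
      // do not display fix (there isn't any), remove newline
      return text.slice(0, -1);
    }
    if (packageManager === "npm") {
      text += chalk.magenta(
        "Fix: None available. Consider removing this dependency."
      );
    }
    return text;
  }

  // Remediation instructions (if we have one)
  let upgradeText = upgradeSteps.shift();
  if (upgradeSteps.length) {
    upgradeText += " (triggers upgrades to " + upgradeSteps.join(" > ") + ")";
  }

  let fix = "";
  // Only the first non-empty entry of upgradePath decides the advice; every
  // branch below ends the loop.
  for (let idx = 0; idx < vuln.upgradePath.length; idx++) {
    const elem = vuln.upgradePath[idx];
    if (!elem) {
      continue;
    }

    // Check if we're suggesting to upgrade to ourselves.
    if (vuln.from.length > idx && vuln.from[idx] === elem) {
      // This ver should get the not-vuln dependency, suggest refresh
      fix += `Your dependencies are out of date, otherwise you would be using a newer ${vuln.name} than ${vuln.name}@${vuln.version}.\n`;
      if (packageManager === "npm") {
        fix +=
          "Try deleting node_modules, reinstalling and running `snyk test` again.\nIf the problem persists, one of your dependencies may be bundling outdated modules.";
      } else if (packageManager === "rubygems") {
        fix += `Try running \`bundle update ${vuln.name}\` and running \`snyk test\` again.`;
      }
      break;
    }
    if (idx === 0) {
      // This is an outdated version of yourself
      fix +=
        "You've tested an outdated version of the project. Should be upgraded to " +
        upgradeText;
    } else if (idx === 1) {
      // A direct dependency needs upgrade. Nothing to add.
      fix += "Upgrade direct dependency " + vuln.from[idx] + " to " + upgradeText;
    } else {
      // A deep dependency needs to be upgraded
      text +=
        "No direct dependency upgrade can address this issue.\n" +
        chalk.bold("Run `snyk wizard` to explore remediation options.");
    }
    break;
  }
  text += chalk.bold(fix);

  return text;
}

// Header lines of a dependency-scan report: organisation plus policy flags.
// `options` is unused but kept for interface compatibility.
function metaForDisplay(res, options) {
  const meta = [chalk.bold("Organisation: ") + res.org];
  if (res.filesystemPolicy) {
    meta.push("Local Snyk policy found");
    if (res.ignoreSettings && res.ignoreSettings.disregardFilesystemIgnores) {
      meta.push("Local Snyk policy ignores disregarded");
    }
  }
  if (res.licensesPolicy) {
    meta.push("Licenses enabled");
  }

  return meta.join("\n");
}

// Header lines of an IaC report; read from the unfiltered result rather than
// the jq output because the filter yields only the issue list.
// `res` and `options` are unused but kept for interface compatibility.
function metaForIACDisplay(res, options, originalData) {
  const meta = [chalk.bold("Organisation: ") + originalData.org];
  if (originalData.filesystemPolicy) {
    meta.push("Local Snyk policy found");
    if (
      originalData.ignoreSettings &&
      originalData.ignoreSettings.disregardFilesystemIgnores
    ) {
      meta.push("Local Snyk policy ignores disregarded");
    }
  }

  return meta.join("\n");
}
--------------------------------------------------------------------------------
/lib/snyk-filter.js:
--------------------------------------------------------------------------------
#!/usr/bin/env node
var debug = require("debug")("snyk-filter");
const yaml = require("js-yaml");
const fs = require("fs");
const path = require("path");
const jq = require("node-jq");
const chalk = require("chalk");

const snykDisplay = require("./snyk-display.js");

// The `customFilters` section of the yml passed to run(): `filter` (jq
// expression applied to the result), `pass` (jq expression whose value 0 means
// pass) and `msg` (text printed when the check fails). Set by run() before any
// input is read.
let customFilters;

module.exports = {
  run: run,
  processResults: processResults,
  filter: filter,
  pass: pass,
};

// Display options shared by every report; `json` is switched on by run().
const options = {
  showVulnPaths: true,
  path: path.dirname(__dirname).split(path.sep).pop(),
};

// Parses the raw JSON text (from the -i file or stdin) and runs the pipeline
// over each result; the Snyk CLI emits an array when several projects were
// tested. `reportCallback` is accepted for interface compatibility but not
// used: processResults prints directly.
// Invalid JSON throws here, inside an fs/stdin callback, and so ends the
// process as an uncaught exception (exit code 1).
function onDataCallback(data, reportCallback) {
  const jqFilterString = customFilters.filter;
  const jqPassString = customFilters.pass;
  const failMsg = customFilters.msg;
  const parsed = JSON.parse(data);
  const results = Array.isArray(parsed) ? parsed : [parsed];
  for (const result of results) {
    processResults(result, jqFilterString, jqPassString, failMsg);
  }
}

// Reads the result file given with -i and hands its text to onDataCallback.
function readInputFromFile(source, reportCallback) {
  fs.readFile(source, "utf8", function (err, data) {
    if (err) {
      // Fail closed with a readable message: an unreadable input file must not
      // end as a passing run.
      console.error(`Error reading input file ${source}: ${err.message}`);
      process.exitCode = 1;
      return;
    }
    onDataCallback(data, reportCallback);
  });
}

// Collects all of stdin, then hands the text to onDataCallback.
function readInputFromStdin(reportCallback) {
  let data = "";
  process.stdin.setEncoding("utf8");
  process.stdin.on("data", (chunk) => {
    data += chunk;
  });
  process.stdin.on("end", () => {
    onDataCallback(data, reportCallback);
  });
}

/**
 * Entry point used by index.js: loads the filter file, then reads the input.
 *
 * @param {string|undefined} source - Path of a Snyk JSON result file; when
 *   falsy the results are read from stdin.
 * @param {Function} reportCallback - Accepted for compatibility; the pipeline
 *   currently prints its own output and never calls it.
 * @param {string} filters - Path of the yml file whose `customFilters` section
 *   holds the jq `filter`, the `pass` expression and the fail `msg`.
 * @param {{json?: boolean}|null} [cliOptions=null] - `json: true` prints the
 *   filtered result as JSON instead of the terminal report.
 */
function run(source, reportCallback, filters, cliOptions = null) {
  try {
    // js-yaml 4.x `load` uses the default (safe) schema, so the yml cannot
    // instantiate arbitrary JS types here.
    const ymlFileInJSON = yaml.load(fs.readFileSync(filters, "utf8"));
    customFilters = ymlFileInJSON && ymlFileInJSON.customFilters;
    if (!customFilters) {
      throw new Error("no `customFilters` section found");
    }
    debug(customFilters);
  } catch (e) {
    // Fail closed: without filters nothing can be checked, and continuing used
    // to crash later with a TypeError. Exit code 1 keeps CI from reading this
    // as a passing scan.
    console.error(`Error loading yml file ${filters}: ${e.message}`);
    process.exitCode = 1;
    return;
  }

  if (cliOptions && cliOptions.json) options.json = cliOptions.json;

  // No try/catch here on purpose: a synchronous failure to start reading the
  // input should surface to the caller, not be logged at debug level and then
  // exit 0.
  if (source) {
    readInputFromFile(source, reportCallback);
  } else {
    readInputFromStdin(reportCallback);
  }
}

/**
 * Runs the jq filter over one Snyk result, prints the report, then evaluates
 * the pass expression.
 *
 * @param {Object} data - One parsed Snyk result.
 * @param {string} filterString - jq expression producing the data to display.
 * @param {string} passString - jq expression; a value of 0 means the check passes.
 * @param {string} failMsg - Message printed when the check does not pass.
 * @returns {Promise<number>} Resolves to 0 on pass. Rejects when the pass check
 *   fails or jq errors; with no handler attached that rejection reaches the
 *   unhandledRejection handler at the bottom of this file, which exits 1.
 */
function processResults(data, filterString, passString, failMsg) {
  return filter(data, filterString)
    .then((processedData) => {
      if (options.json) {
        console.warn("json output enabled");
        console.log(JSON.stringify(processedData, null, 2));
      } else if (data.infrastructureAsCodeIssues) {
        console.log(snykDisplay.displayIACResult(processedData, options, data));
      } else {
        console.log(snykDisplay.displayResult(processedData, options));
      }
    })
    .catch((error) => {
      // A display/filter problem is reported but does not skip the pass check.
      console.error("filter failed", error);
    })
    .then(() => pass(data, passString, failMsg))
    .then(() => {
      return 0;
    })
    .catch((error) => {
      console.error(error);
      // pass() rejects with a plain message string; wrap only those.
      throw error instanceof Error ? error : new Error(error);
    });
}

/**
 * Applies a jq expression to a parsed Snyk result.
 *
 * @param {Object} data - Parsed Snyk result (passed to jq as JSON).
 * @param {string} filterString - jq expression.
 * @returns {Promise<*>} The jq output parsed as JSON; rejects with the jq
 *   error after logging it.
 */
function filter(data, filterString) {
  const jqOptions = { input: "json", output: "json" };
  return jq.run(filterString, data, jqOptions).catch((err) => {
    console.error(err);
    throw err;
  });
}

/**
 * Evaluates the pass expression against the unfiltered result.
 *
 * @param {Object} data - Parsed Snyk result; projectName or path labels the output.
 * @param {string} passString - jq expression; the sample filters yield a count.
 * @param {string} passFailMsg - Message used when the value is not 0.
 * @returns {Promise<boolean>} Resolves true on pass; rejects with the
 *   "<project> - <msg>" string otherwise, or with the jq error.
 */
function pass(data, passString, passFailMsg) {
  const jqOptions = { input: "json", output: "json" };
  const label = chalk.yellow(data.projectName || data.path);
  return jq
    .run(passString, data, jqOptions)
    .catch((err) => {
      // Log the actual error (the old code printed the literal string "err").
      console.error(err);
      throw err;
    })
    .then((output) => {
      // Loose comparison kept deliberately: `output` is whatever JSON value the
      // user's pass expression yields, and tightening it would change the
      // verdict of existing filter files.
      if (output == 0) {
        console.info(`${label} - No issues found after custom filtering`);
        return true;
      }
      // Rejecting with the formatted string (not an Error) keeps the output
      // printed by processResults unchanged.
      return Promise.reject(`${label} - ${passFailMsg}`);
    });
}

// Any rejection that escapes processResults — a failed pass check or a jq
// error — ends the run as a failure.
process.on("unhandledRejection", (error) => {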
178 | console.error("Snyk Test Failed"); 179 | process.exit(1); 180 | }); 181 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "snyk-filter", 3 | "version": "1.0.0", 4 | "description": "Module to consume json output from Snyk CLI for advanced filtering and results display", 5 | "main": "index.js", 6 | "scripts": { 7 | "test": "mocha ./tests && npm run lint", 8 | "snyk-protect": "npx @snyk/protect", 9 | "prepare": "npm run snyk-protect", 10 | "lint": "prettier --check **/*.js", 11 | "format": "prettier --write **/*.js" 12 | }, 13 | "author": "Antoine Arlaud, antoine@snyk.io", 14 | "license": "ISC", 15 | "bin": { 16 | "snyk-filter": "./index.js" 17 | }, 18 | "dependencies": { 19 | "chalk": "4.1.2", 20 | "debug": "4.3.4", 21 | "is-relative": "1.0.0", 22 | "js-yaml": "4.1.0", 23 | "lodash": "4.17.21", 24 | "minimist": "1.2.8", 25 | "node-jq": "2.3.5", 26 | "mkdirp": "0.5.2", 27 | "cacheable-request": "3.0.0" 28 | }, 29 | "devDependencies": { 30 | "mocha": "10.1.0", 31 | "prettier": "2.8.8" 32 | }, 33 | "engines": { 34 | "node": ">=10" 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /sample-data/snyk-iac-terraform-demo.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "meta": { 4 | "isPrivate": true, 5 | "isLicensesEnabled": false, 6 | "policy": "", 7 | "ignoreSettings": null, 8 | "projectId": "", 9 | "org": "playground" 10 | }, 11 | "filesystemPolicy": false, 12 | "vulnerabilities": [], 13 | "dependencyCount": 0, 14 | "licensesPolicy": null, 15 | "ignoreSettings": null, 16 | "targetFile": "main.tf", 17 | "projectName": "snyk-iac-terraform-demo", 18 | "org": "playground", 19 | "policy": "", 20 | "isPrivate": true, 21 | "targetFilePath": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/main.tf", 22 | 
"packageManager": "terraformconfig", 23 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 24 | "projectType": "terraformconfig", 25 | "ok": false, 26 | "infrastructureAsCodeIssues": [ 27 | { 28 | "id": "SNYK-CC-TF-9", 29 | "title": "IAM password should contain symbols", 30 | "type": "aws", 31 | "subType": "IAM", 32 | "severity": "medium", 33 | "isIgnored": false, 34 | "iacDescription": { 35 | "issue": "Your password does not contain symbols", 36 | "impact": "Your password is not following the recommended security practices and is not as strong as it should be", 37 | "remediation": null, 38 | "resolve": "Set the `require_symbols` attribute to be `true` to increase the strength of your password" 39 | }, 40 | "lineNumber": 11, 41 | "path": [ 42 | "input", 43 | "resource", 44 | "aws_iam_account_password_policy[strict]", 45 | "require_symbols" 46 | ] 47 | }, 48 | { 49 | "id": "SNYK-CC-TF-8", 50 | "title": "IAM password should contain lowercase", 51 | "type": "aws", 52 | "subType": "IAM", 53 | "severity": "medium", 54 | "isIgnored": false, 55 | "iacDescription": { 56 | "issue": "Your password does not contain lowercase characters", 57 | "impact": "Your password is not following the recommended security practices and is not as strong as it should be", 58 | "remediation": null, 59 | "resolve": "Set the `require_lowercase` attribute to be `true` to increase the strength of your password" 60 | }, 61 | "lineNumber": 11, 62 | "path": [ 63 | "input", 64 | "resource", 65 | "aws_iam_account_password_policy[strict]", 66 | "require_lowercase_characters" 67 | ] 68 | }, 69 | { 70 | "id": "SNYK-CC-TF-74", 71 | "title": "Credentials are configured via provider attributes", 72 | "type": "aws", 73 | "subType": "Provider", 74 | "severity": "high", 75 | "isIgnored": false, 76 | "iacDescription": { 77 | "issue": "Credentials are configured via provider attributes", 78 | "impact": "Use of provider attributes can lead to accidental disclosure of credentials in configuration 
files, variable definition files, event logs or console logs", 79 | "remediation": null, 80 | "resolve": "Set access credentials via environment variables, and remove `access_key` and `secret_key` attributes from the configuration" 81 | }, 82 | "lineNumber": 1, 83 | "path": [ 84 | "provider[aws]" 85 | ] 86 | }, 87 | { 88 | "id": "SNYK-CC-TF-7", 89 | "title": "IAM password should contain uppercase", 90 | "type": "aws", 91 | "subType": "IAM", 92 | "severity": "medium", 93 | "isIgnored": false, 94 | "iacDescription": { 95 | "issue": "Your password does not contain uppercase characters", 96 | "impact": "Your password is not following the recommended security practices and is not as strong as it should be", 97 | "remediation": null, 98 | "resolve": "Set the `require_uppercase` attribute to be `true` to increase the strength of your password" 99 | }, 100 | "lineNumber": 11, 101 | "path": [ 102 | "input", 103 | "resource", 104 | "aws_iam_account_password_policy[strict]", 105 | "require_uppercase_characters" 106 | ] 107 | }, 108 | { 109 | "id": "SNYK-CC-TF-11", 110 | "title": "IAM requires minimum password length", 111 | "type": "aws", 112 | "subType": "IAM", 113 | "severity": "medium", 114 | "isIgnored": false, 115 | "iacDescription": { 116 | "issue": "Your password does not enforce a minimum length", 117 | "impact": "Your password is not following the recommended security practices and is not as strong as it should be", 118 | "remediation": null, 119 | "resolve": "Set the `minimum_password_length` attribute to be at least `14` to increase the strength of your password" 120 | }, 121 | "lineNumber": 12, 122 | "path": [ 123 | "input", 124 | "resource", 125 | "aws_iam_account_password_policy[strict]", 126 | "minimum_password_length" 127 | ] 128 | }, 129 | { 130 | "id": "SNYK-CC-TF-10", 131 | "title": "IAM password should contain numbers", 132 | "type": "aws", 133 | "subType": "IAM", 134 | "severity": "medium", 135 | "isIgnored": false, 136 | "iacDescription": { 137 | 
"issue": "Your password does not contain numbers", 138 | "impact": "Your password is not following the recommended security practices and is not as strong as it should be", 139 | "remediation": null, 140 | "resolve": "Set the `require_numbers` attribute to be `true` to increase the strength of your password" 141 | }, 142 | "lineNumber": 11, 143 | "path": [ 144 | "input", 145 | "resource", 146 | "aws_iam_account_password_policy[strict]", 147 | "require_numbers" 148 | ] 149 | } 150 | ] 151 | }, 152 | { 153 | "meta": { 154 | "isPrivate": true, 155 | "isLicensesEnabled": false, 156 | "policy": "", 157 | "ignoreSettings": null, 158 | "projectId": "", 159 | "org": "playground" 160 | }, 161 | "filesystemPolicy": false, 162 | "vulnerabilities": [], 163 | "dependencyCount": 0, 164 | "licensesPolicy": null, 165 | "ignoreSettings": null, 166 | "targetFile": "main.tf", 167 | "projectName": "cloudtrail", 168 | "org": "playground", 169 | "policy": "", 170 | "isPrivate": true, 171 | "targetFilePath": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/modules/cloudtrail/main.tf", 172 | "packageManager": "terraformconfig", 173 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 174 | "projectType": "terraformconfig", 175 | "ok": false, 176 | "infrastructureAsCodeIssues": [ 177 | { 178 | "id": "SNYK-CC-TF-256", 179 | "title": "CloudTrail not integrated with CloudWatch", 180 | "type": "aws", 181 | "subType": "CloudTrail", 182 | "severity": "low", 183 | "isIgnored": false, 184 | "iacDescription": { 185 | "issue": "CloudTrail does not deliver logs to CloudWatch", 186 | "impact": "Alarms cannot be configured to alert on CloudTrail events", 187 | "remediation": { 188 | "cloudformation": "Set `Properties.CloudWatchLogsLogGroupArn` attribute to cloudwatch log group ARN", 189 | "terraform": "Set `cloud_watch_logs_group_arn` attribute to cloudwatch log group ARN" 190 | }, 191 | "resolve": "Set `cloud_watch_logs_group_arn` attribute to cloudwatch log group ARN" 192 | }, 
193 | "lineNumber": 1, 194 | "path": [ 195 | "resource", 196 | "aws_cloudtrail[insecure-logging]", 197 | "cloud_watch_logs_group_arn" 198 | ] 199 | }, 200 | { 201 | "id": "SNYK-CC-TF-17", 202 | "title": "CloudTrail logs are not encrypted with managed key", 203 | "type": "aws", 204 | "subType": "CloudTrail", 205 | "severity": "low", 206 | "isIgnored": false, 207 | "iacDescription": { 208 | "issue": "The CloudTrail logs are not encrypted with managed key", 209 | "impact": "IAM policies cannot be used to control access to the decryption keys", 210 | "remediation": { 211 | "cloudformation": "Set `KMSKeyId` attribute to valid KMS key id", 212 | "terraform": "Set `kms_key_id` attribute to valid KMS key id" 213 | }, 214 | "resolve": "Set `kms_key_id` attribute to valid KMS key id" 215 | }, 216 | "lineNumber": 1, 217 | "path": [ 218 | "input", 219 | "resource", 220 | "aws_cloudtrail[insecure-logging]", 221 | "kms_key_id" 222 | ] 223 | }, 224 | { 225 | "id": "SNYK-CC-TF-16", 226 | "title": "CloudTrail does not have log file validation enabled", 227 | "type": "aws", 228 | "subType": "CloudTrail", 229 | "severity": "medium", 230 | "isIgnored": false, 231 | "iacDescription": { 232 | "issue": "The CloudTrail logs integrity is not been enforced", 233 | "impact": "You cannot trust the integrity of the log files and determine whether they have been tampered with.", 234 | "remediation": { 235 | "cloudformation": "Set the `Properties.EnableLogFileValidation` attribute to `true`", 236 | "terraform": "Set the `enable_log_file_validation` attribute to `true`" 237 | }, 238 | "resolve": "Set the `enable_log_file_validation` attribute to `true`" 239 | }, 240 | "lineNumber": 1, 241 | "path": [ 242 | "input", 243 | "resource", 244 | "aws_cloudtrail[insecure-logging]", 245 | "enable_log_file_validation" 246 | ] 247 | }, 248 | { 249 | "id": "SNYK-CC-TF-15", 250 | "title": "CloudTrail has logging disabled", 251 | "type": "aws", 252 | "subType": "CloudTrail", 253 | "severity": "high", 254 | 
"isIgnored": false, 255 | "iacDescription": { 256 | "issue": "Logs are not being kept for your CloudTrail activity", 257 | "impact": "That you cannot keep a record of all access and events on your account", 258 | "remediation": { 259 | "cloudformation": "Set the `Properties.IsLogging` attribute to `true`", 260 | "terraform": "Set the `enable_logging` attribute to `true`" 261 | }, 262 | "resolve": "Set the `enable_logging` attribute to `true`" 263 | }, 264 | "lineNumber": 4, 265 | "path": [ 266 | "input", 267 | "resource", 268 | "aws_cloudtrail[insecure-logging]", 269 | "enable_logging" 270 | ] 271 | }, 272 | { 273 | "id": "SNYK-CC-TF-135", 274 | "title": "CloudTrail does not include all regions", 275 | "type": "aws", 276 | "subType": "CloudTrail", 277 | "severity": "low", 278 | "isIgnored": false, 279 | "iacDescription": { 280 | "issue": "Amazon CloudTrail is not enabled for all regions", 281 | "impact": "Logs will not be collected in all the regions", 282 | "remediation": { 283 | "cloudformation": "Set `Properties.IsMultiRegionTrail` attribute to `true`", 284 | "terraform": "Set `is_multi_region_trail` attribute to `true`" 285 | }, 286 | "resolve": "Set `is_multi_region_trail` attribute to `true`" 287 | }, 288 | "lineNumber": 1, 289 | "path": [ 290 | "resource", 291 | "aws_cloudtrail[insecure-logging]", 292 | "is_multi_region_trail" 293 | ] 294 | } 295 | ] 296 | }, 297 | { 298 | "meta": { 299 | "isPrivate": true, 300 | "isLicensesEnabled": false, 301 | "policy": "", 302 | "ignoreSettings": null, 303 | "projectId": "", 304 | "org": "playground" 305 | }, 306 | "filesystemPolicy": false, 307 | "vulnerabilities": [], 308 | "dependencyCount": 0, 309 | "licensesPolicy": null, 310 | "ignoreSettings": null, 311 | "targetFile": "main.tf", 312 | "projectName": "pki", 313 | "org": "playground", 314 | "policy": "", 315 | "isPrivate": true, 316 | "targetFilePath": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/modules/pki/main.tf", 317 | "packageManager": 
"terraformconfig", 318 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 319 | "projectType": "terraformconfig", 320 | "ok": false, 321 | "infrastructureAsCodeIssues": [ 322 | { 323 | "id": "SNYK-CC-TF-14", 324 | "title": "KMS key does not have key rotation enabled", 325 | "type": "aws", 326 | "subType": "KMS", 327 | "severity": "low", 328 | "isIgnored": false, 329 | "iacDescription": { 330 | "issue": "That your encryption keys are not being rotated by AWS", 331 | "impact": "That data is being encrypted with a key which is valid for a longer period of time, resulting in a greater exposure window should that key be leaked", 332 | "remediation": { 333 | "cloudformation": "Set `Properties.EnableKeyRotation` attribute to `true`", 334 | "terraform": "Set `enable_key_rotation` attribute to `true`" 335 | }, 336 | "resolve": "Set `enable_key_rotation` attribute to `true`" 337 | }, 338 | "lineNumber": 1, 339 | "path": [ 340 | "input", 341 | "resource", 342 | "aws_kms_key[a]", 343 | "enable_key_rotation" 344 | ] 345 | } 346 | ] 347 | }, 348 | { 349 | "meta": { 350 | "isPrivate": true, 351 | "isLicensesEnabled": false, 352 | "policy": "", 353 | "ignoreSettings": null, 354 | "projectId": "", 355 | "org": "playground" 356 | }, 357 | "filesystemPolicy": false, 358 | "vulnerabilities": [], 359 | "dependencyCount": 0, 360 | "licensesPolicy": null, 361 | "ignoreSettings": null, 362 | "targetFile": "main.tf", 363 | "projectName": "storage", 364 | "org": "playground", 365 | "policy": "", 366 | "isPrivate": true, 367 | "targetFilePath": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/modules/storage/main.tf", 368 | "packageManager": "terraformconfig", 369 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 370 | "projectType": "terraformconfig", 371 | "ok": false, 372 | "infrastructureAsCodeIssues": [ 373 | { 374 | "id": "SNYK-CC-TF-45", 375 | "title": "S3 server access logging is disabled", 376 | "type": "aws", 377 | "subType": "S3", 378 | 
"severity": "low", 379 | "isIgnored": false, 380 | "iacDescription": { 381 | "issue": "The s3 access logs will not be collected", 382 | "impact": "There will be no audit trail of access to s3 objects", 383 | "remediation": { 384 | "cloudformation": "Set `Properties.LoggingConfiguration` attribute", 385 | "terraform": "Add `logging` block attribute" 386 | }, 387 | "resolve": "Add `logging` block attribute" 388 | }, 389 | "lineNumber": 1, 390 | "path": [ 391 | "input", 392 | "resource", 393 | "aws_s3_bucket[insecure-bucket]", 394 | "logging" 395 | ] 396 | }, 397 | { 398 | "id": "SNYK-CC-TF-4", 399 | "title": "Non-encrypted S3 Bucket", 400 | "type": "aws", 401 | "subType": "S3", 402 | "severity": "medium", 403 | "isIgnored": false, 404 | "iacDescription": { 405 | "issue": "That by default S3 buckets do not encrypt the objects that are stored.", 406 | "impact": "That should someone gain unauthorized access to the data they would be able to read the contents.", 407 | "remediation": { 408 | "cloudformation": "Set `BucketEncryption` attribute", 409 | "terraform": "Set `server_side_encryption_configuration` block attribute" 410 | }, 411 | "resolve": "Set `server_side_encryption_configuration` block attribute" 412 | }, 413 | "lineNumber": 1, 414 | "path": [ 415 | "input", 416 | "resource", 417 | "aws_s3_bucket[insecure-bucket]" 418 | ] 419 | }, 420 | { 421 | "id": "SNYK-CC-TF-3", 422 | "title": "Non-encrypted EBS volume", 423 | "type": "aws", 424 | "subType": "EC2", 425 | "severity": "medium", 426 | "isIgnored": false, 427 | "iacDescription": { 428 | "issue": "That this EBS volume is not encrypted. The default behavior is for EBS volumes to be encrypted. ", 429 | "impact": "That should someone gain unauthorized access to the data they would be able to read the contents. 
", 430 | "remediation": { 431 | "cloudformation": "Set `Properties.Encrypted` attribute to `true`", 432 | "terraform": "Set `encrypted` attribute to `true`" 433 | }, 434 | "resolve": "Set `encrypted` attribute to `true`" 435 | }, 436 | "lineNumber": 8, 437 | "path": [ 438 | "input", 439 | "resource", 440 | "aws_ebs_volume[example]", 441 | "encrypted" 442 | ] 443 | }, 444 | { 445 | "id": "SNYK-CC-TF-127", 446 | "title": "S3 bucket MFA delete control disabled", 447 | "type": "aws", 448 | "subType": "S3", 449 | "severity": "low", 450 | "isIgnored": false, 451 | "iacDescription": { 452 | "issue": "S3 bucket will not enforce MFA login on delete requests", 453 | "impact": "Object could be deleted without stronger MFA authorization", 454 | "remediation": null, 455 | "resolve": "Set `versioning.mfa_delete` attribute to `true`" 456 | }, 457 | "lineNumber": 1, 458 | "path": [ 459 | "resource", 460 | "aws_s3_bucket[insecure-bucket]", 461 | "versioning", 462 | "mfa_delete" 463 | ] 464 | }, 465 | { 466 | "id": "SNYK-CC-TF-124", 467 | "title": "S3 bucket versioning disabled", 468 | "type": "aws", 469 | "subType": "S3", 470 | "severity": "low", 471 | "isIgnored": false, 472 | "iacDescription": { 473 | "issue": "S3 bucket versioning is disabled", 474 | "impact": "Changes or deletion of objects will not be reversible", 475 | "remediation": { 476 | "cloudformation": "Set `Properties.VersioningConfiguration.Status` attribute to `Enabled`", 477 | "terraform": "Set `versioning.enabled` attribute to `true`" 478 | }, 479 | "resolve": "Set `versioning.enabled` attribute to `true`" 480 | }, 481 | "lineNumber": 1, 482 | "path": [ 483 | "resource", 484 | "aws_s3_bucket[insecure-bucket]", 485 | "versioning", 486 | "enabled" 487 | ] 488 | } 489 | ] 490 | }, 491 | { 492 | "meta": { 493 | "isPrivate": true, 494 | "isLicensesEnabled": false, 495 | "policy": "", 496 | "ignoreSettings": null, 497 | "projectId": "", 498 | "org": "playground" 499 | }, 500 | "filesystemPolicy": false, 501 | 
"vulnerabilities": [], 502 | "dependencyCount": 0, 503 | "licensesPolicy": null, 504 | "ignoreSettings": null, 505 | "targetFile": "main.tf", 506 | "projectName": "vpc", 507 | "org": "playground", 508 | "policy": "", 509 | "isPrivate": true, 510 | "targetFilePath": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/modules/vpc/main.tf", 511 | "packageManager": "terraformconfig", 512 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 513 | "projectType": "terraformconfig", 514 | "ok": false, 515 | "infrastructureAsCodeIssues": [ 516 | { 517 | "id": "SNYK-CC-TF-1", 518 | "title": "Security Group allows open ingress", 519 | "type": "aws", 520 | "subType": "VPC", 521 | "severity": "medium", 522 | "isIgnored": false, 523 | "iacDescription": { 524 | "issue": "That inbound traffic is allowed to a resource from any source instead of a restricted range", 525 | "impact": "That potentially everyone can access your resource", 526 | "remediation": { 527 | "cloudformation": "Set `Properties.SecurityGroupIngress.CidrIp` attribute with a more restrictive IP, for example `192.16.0.0/24`", 528 | "terraform": "Set `cidr_block` attribute with a more restrictive IP, for example `192.16.0.0/24`" 529 | }, 530 | "resolve": "Set `cidr_block` attribute with a more restrictive IP, for example `192.16.0.0/24`" 531 | }, 532 | "lineNumber": 21, 533 | "path": [ 534 | "input", 535 | "resource", 536 | "aws_security_group[allow_ssh]", 537 | "ingress" 538 | ] 539 | } 540 | ] 541 | }, 542 | { 543 | "meta": { 544 | "isPrivate": true, 545 | "isLicensesEnabled": false, 546 | "policy": "", 547 | "ignoreSettings": null, 548 | "projectId": "", 549 | "org": "playground" 550 | }, 551 | "filesystemPolicy": false, 552 | "vulnerabilities": [], 553 | "dependencyCount": 0, 554 | "licensesPolicy": null, 555 | "ignoreSettings": null, 556 | "targetFile": "outputs.tf", 557 | "projectName": "vpc", 558 | "org": "playground", 559 | "policy": "", 560 | "isPrivate": true, 561 | "targetFilePath": 
"/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/modules/vpc/outputs.tf", 562 | "packageManager": "terraformconfig", 563 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 564 | "projectType": "terraformconfig", 565 | "ok": true, 566 | "infrastructureAsCodeIssues": [] 567 | }, 568 | { 569 | "meta": { 570 | "isPrivate": true, 571 | "isLicensesEnabled": false, 572 | "policy": "", 573 | "ignoreSettings": null, 574 | "projectId": "", 575 | "org": "playground" 576 | }, 577 | "filesystemPolicy": false, 578 | "vulnerabilities": [], 579 | "dependencyCount": 0, 580 | "licensesPolicy": null, 581 | "ignoreSettings": null, 582 | "targetFile": "variables.tf", 583 | "projectName": "vpc", 584 | "org": "playground", 585 | "policy": "", 586 | "isPrivate": true, 587 | "targetFilePath": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/modules/vpc/variables.tf", 588 | "packageManager": "terraformconfig", 589 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 590 | "projectType": "terraformconfig", 591 | "ok": true, 592 | "infrastructureAsCodeIssues": [] 593 | }, 594 | { 595 | "meta": { 596 | "isPrivate": true, 597 | "isLicensesEnabled": false, 598 | "policy": "", 599 | "ignoreSettings": null, 600 | "projectId": "", 601 | "org": "playground" 602 | }, 603 | "filesystemPolicy": false, 604 | "vulnerabilities": [], 605 | "dependencyCount": 0, 606 | "licensesPolicy": null, 607 | "ignoreSettings": null, 608 | "targetFile": "variables.tf", 609 | "projectName": "snyk-iac-terraform-demo", 610 | "org": "playground", 611 | "policy": "", 612 | "isPrivate": true, 613 | "targetFilePath": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo/variables.tf", 614 | "packageManager": "terraformconfig", 615 | "path": "/home/antoine/Documents/SnykSB/snyk-iac-terraform-demo", 616 | "projectType": "terraformconfig", 617 | "ok": true, 618 | "infrastructureAsCodeIssues": [] 619 | } 620 | ] 621 | 
-------------------------------------------------------------------------------- /sample-data/snyk-sample-results.json: -------------------------------------------------------------------------------- 1 | { 2 | "ok": false, 3 | "vulnerabilities": [ 4 | { 5 | "title": "Uninitialized Memory Exposure", 6 | "credit": [ 7 | "Feross Aboukhadijeh" 8 | ], 9 | "moduleName": "bl", 10 | "language": "js", 11 | "packageManager": "npm", 12 | "id": "npm:bl:20160119", 13 | "packageName": "bl", 14 | "description": "## Overview\n[bl](https://www.npmjs.com/package/bl) is a storage object for collections of Node Buffers.\n\nA possible memory disclosure vulnerability exists when a value of type `number` is provided to the `append()` method and results in concatenation of uninitialized memory to the buffer collection.\n\nThis is a result of unobstructed use of the `Buffer` constructor, whose [insecure default constructor increases the odds of memory leakage](https://snyk.io/blog/exploiting-buffer/).\n\n## Details\nConstructing a `Buffer` class with integer `N` creates a `Buffer` of length `N` with raw (not \"zero-ed\") memory.\n\nIn the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string \"100\":\n```js\n// uninitialized Buffer of length 100\nx = new Buffer(100);\n// initialized Buffer with value of '100'\nx = new Buffer('100');\n```\n\n`bl`'s `append` function uses the default `Buffer` constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. 
This is a similar vulnerability to the infamous [`Heartbleed`](http://heartbleed.com/) flaw in OpenSSL.\n\n```js\nconst BufferList = require('bl')\n\nvar bl = new BufferList()\nbl.append(new Buffer('abcd'))\nbl.append(new Buffer('efg'))\nbl.append('100')\n// appends a Buffer holding 100 bytes of uninitialized memory\nbl.append(100) \nbl.append(new Buffer('j'))\n```\n\nYou can read more about the insecure `Buffer` behavior [on our blog](https://snyk.io/blog/exploiting-buffer/).\n\nSimilar vulnerabilities were discovered in [request](https://snyk.io/vuln/npm:request:20160119), [mongoose](https://snyk.io/vuln/npm:mongoose:20160116), [ws](https://snyk.io/vuln/npm:ws:20160104) and [sequelize](https://snyk.io/vuln/npm:sequelize:20160115).\n\n## References\n- https://github.com/rvagg/bl/pull/22\n- https://github.com/rvagg/bl/compare/v1.0.0...v1.0.1\n- https://snyk.io/blog/exploiting-buffer/\n", 15 | "semver": { 16 | "vulnerable": "<0.9.5 || 1.0.0", 17 | "unaffected": ">1.0.0 || 0.9.5" 18 | }, 19 | "identifiers": { 20 | "CWE": [ 21 | "CWE-201" 22 | ], 23 | "CVE": [], 24 | "ALTERNATIVE": [ 25 | "SNYK-JS-BL-10138" 26 | ] 27 | }, 28 | "patches": [ 29 | { 30 | "urls": [ 31 | "https://s3.amazonaws.com/snyk-rules-pre-repository/snapshots/master/patches/npm/bl/20160119/bl_20160911_0_0_061279d92f45f4e04f3cb252db3816feb4bc6f33.patch" 32 | ], 33 | "version": "0.9.4 || 1.0.0", 34 | "modificationTime": "2016-09-11T00:00:00.000Z", 35 | "comments": [], 36 | "id": "patch:npm:bl:20160119:0" 37 | } 38 | ], 39 | "cvssScore": 5.1, 40 | "severity": "medium", 41 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 42 | "creationTime": "2016-09-11T17:00:00.000Z", 43 | "modificationTime": "2016-09-11T17:00:00.000Z", 44 | "publicationTime": "2016-09-18T17:00:00.000Z", 45 | "disclosureTime": "2016-01-19T18:58:00.000Z", 46 | "alternativeIds": [ 47 | "SNYK-JS-BL-10138" 48 | ], 49 | "from": [ 50 | "medium-sev-project@1.0.0", 51 | "mosca@2.7.0", 52 | "level-sublevel@6.6.1", 53 | 
"levelup@0.19.1", 54 | "bl@0.8.2" 55 | ], 56 | "upgradePath": [ 57 | false, 58 | false, 59 | false, 60 | "levelup@1.0.0" 61 | ], 62 | "version": "0.8.2", 63 | "name": "bl", 64 | "isUpgradable": false, 65 | "isPatchable": false, 66 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/level-sublevel/node_modules/bl/package.json", 67 | "parentDepType": "prod" 68 | }, 69 | { 70 | "title": "Regular Expression Denial of Service (ReDoS)", 71 | "credit": [ 72 | "Jamie Davis" 73 | ], 74 | "moduleName": "bson", 75 | "packageName": "bson", 76 | "language": "js", 77 | "packageManager": "npm", 78 | "description": "## Overview\n[`bson`](https://www.npmjs.com/package/bson) is a bson parser for node.js and the browser\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 50K characters long.\n\n## Disclosure Timeline\n* Feb 15th, 2018 - Initial Disclosure to package owner\n* Feb 26th, 2018 - Initial Response from package owner\n* Feb 26th, 2018 - Fix issued\n* Feb 27th, 2018 - Vulnerability published\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. 
Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. 
If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `bson` to version 1.0.5 or higher\n\n## References\n- [GitHub Commit](https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a)", 79 | "semver": { 80 | "vulnerable": "<1.0.5", 81 | "unaffected": ">=1.0.5" 82 | }, 83 | "identifiers": { 84 | "CWE": [ 85 | "CWE-185", 86 | "CWE-400" 87 | ], 88 | "CVE": [], 89 | "ALTERNATIVE": [ 90 | "SNYK-JS-BSON-10988" 91 | ] 92 | }, 93 | "patches": [], 94 | "cvssScore": 3.7, 95 | "severity": "low", 96 | "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", 97 | "creationTime": "2018-02-27T13:46:53.813Z", 98 | "modificationTime": "2018-02-27T13:46:53.813Z", 99 | "publicationTime": "2018-02-27T16:32:24.910Z", 100 | "disclosureTime": "2018-02-27T13:46:53.813Z", 101 | "id": "npm:bson:20180225", 102 | "alternativeIds": [ 103 | "SNYK-JS-BSON-10988" 104 | ], 105 | "from": [ 106 | "medium-sev-project@1.0.0", 107 | "mosca@2.7.0", 108 | "mongodb@2.1.21", 109 | "mongodb-core@1.3.21", 110 | "bson@0.4.23" 111 | ], 112 | "upgradePath": [ 113 | false, 114 | false, 115 | "mongodb@2.2.13", 116 | "mongodb-core@2.1.0", 117 | "bson@1.0.5" 118 | ], 119 | "version": "0.4.23", 120 | "name": "bson", 121 | "isUpgradable": false, 122 | "isPatchable": false, 123 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/bson/package.json", 124 | "parentDepType": "prod" 125 | }, 126 | { 127 | "title": "Regular Expression Denial of Service (ReDoS)", 128 | "credit": [ 129 | "Jamie Davis" 130 | ], 131 | "moduleName": "bson", 132 | "packageName": "bson", 133 | "language": "js", 134 | "packageManager": "npm", 135 | "description": "## Overview\n[`bson`](https://www.npmjs.com/package/bson) is a bson parser for node.js and the browser\n\nAffected 
versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 50K characters long.\n\n## Disclosure Timeline\n* Feb 15th, 2018 - Initial Disclosure to package owner\n* Feb 26th, 2018 - Initial Response from package owner\n* Feb 26th, 2018 - Fix issued\n* Feb 27th, 2018 - Vulnerability published\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). 
The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `bson` to version 1.0.5 or higher\n\n## References\n- [GitHub Commit](https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a)", 136 | "semver": { 137 | "vulnerable": "<1.0.5", 138 | "unaffected": ">=1.0.5" 139 | }, 140 | "identifiers": { 141 | "CWE": [ 142 | "CWE-185", 143 | "CWE-400" 144 | ], 145 | "CVE": [], 146 | "ALTERNATIVE": [ 147 | "SNYK-JS-BSON-10988" 148 | ] 149 | }, 150 | "patches": [], 151 | "cvssScore": 3.7, 152 | "severity": "low", 153 | "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", 154 | "creationTime": "2018-02-27T13:46:53.813Z", 155 | "modificationTime": "2018-02-27T13:46:53.813Z", 156 | "publicationTime": "2018-02-27T16:32:24.910Z", 157 | "disclosureTime": "2018-02-27T13:46:53.813Z", 158 | "id": "npm:bson:20180225", 159 | "alternativeIds": [ 160 | "SNYK-JS-BSON-10988" 161 | ], 162 | "from": [ 163 | "medium-sev-project@1.0.0", 164 | "mosca@2.7.0", 165 | "ascoltatori@3.2.0", 166 | "mongodb@2.1.21", 167 | "mongodb-core@1.3.21", 168 | "bson@0.4.23" 169 | ], 170 | "upgradePath": [ 171 | false, 172 | "mosca@2.7.0", 173 | "ascoltatori@3.2.0", 
174 | "mongodb@2.2.13", 175 | "mongodb-core@2.1.0", 176 | "bson@1.0.5" 177 | ], 178 | "version": "0.4.23", 179 | "name": "bson", 180 | "isUpgradable": true, 181 | "isPatchable": false, 182 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/bson/package.json", 183 | "parentDepType": "prod" 184 | }, 185 | { 186 | "title": "Prototype Pollution", 187 | "credit": [ 188 | "Olivier Arteau (HoLyVieR)" 189 | ], 190 | "moduleName": "hoek", 191 | "packageName": "hoek", 192 | "language": "js", 193 | "packageManager": "npm", 194 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. \n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 195 | "identifiers": { 196 | "ALTERNATIVE": [ 197 | "SNYK-JS-HOEK-12061" 198 | ], 199 | "CVE": [ 200 | "CVE-2018-3728" 201 | ], 202 | "CWE": [ 203 | "CWE-400" 204 | ], 205 | "NSP": 566 206 | }, 207 | "semver": { 208 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 209 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 210 | }, 211 | "severity": "low", 212 | "cvssScore": 1.8, 213 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 214 | "patches": [], 215 | "creationTime": "2018-02-12T22:28:27.612Z", 216 | "modificationTime": 
"2018-02-13T22:28:27.612Z", 217 | "publicationTime": "2018-02-14T13:22:50.418Z", 218 | "disclosureTime": "2018-02-12T22:28:27.612Z", 219 | "id": "npm:hoek:20180212", 220 | "alternativeIds": [ 221 | "SNYK-JS-HOEK-12061" 222 | ], 223 | "from": [ 224 | "medium-sev-project@1.0.0", 225 | "mosca@2.7.0", 226 | "ascoltatori@3.2.0", 227 | "kafka-node@0.5.9", 228 | "snappy@5.0.5", 229 | "node-gyp@3.4.0", 230 | "request@2.83.0", 231 | "hawk@6.0.2", 232 | "hoek@4.2.0" 233 | ], 234 | "upgradePath": [ 235 | false, 236 | "mosca@2.7.0", 237 | "ascoltatori@3.2.0", 238 | "kafka-node@0.5.9", 239 | "snappy@5.0.5", 240 | "node-gyp@3.4.0", 241 | "request@2.83.0", 242 | "hawk@6.0.2", 243 | "hoek@4.2.1" 244 | ], 245 | "version": "4.2.0", 246 | "name": "hoek", 247 | "isUpgradable": true, 248 | "isPatchable": false, 249 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 250 | "parentDepType": "prod" 251 | }, 252 | { 253 | "title": "Prototype Pollution", 254 | "credit": [ 255 | "Olivier Arteau (HoLyVieR)" 256 | ], 257 | "moduleName": "hoek", 258 | "packageName": "hoek", 259 | "language": "js", 260 | "packageManager": "npm", 261 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. 
\n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 262 | "identifiers": { 263 | "ALTERNATIVE": [ 264 | "SNYK-JS-HOEK-12061" 265 | ], 266 | "CVE": [ 267 | "CVE-2018-3728" 268 | ], 269 | "CWE": [ 270 | "CWE-400" 271 | ], 272 | "NSP": 566 273 | }, 274 | "semver": { 275 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 276 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 277 | }, 278 | "severity": "low", 279 | "cvssScore": 1.8, 280 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 281 | "patches": [], 282 | "creationTime": "2018-02-12T22:28:27.612Z", 283 | "modificationTime": "2018-02-13T22:28:27.612Z", 284 | "publicationTime": "2018-02-14T13:22:50.418Z", 285 | "disclosureTime": "2018-02-12T22:28:27.612Z", 286 | "id": "npm:hoek:20180212", 287 | "alternativeIds": [ 288 | "SNYK-JS-HOEK-12061" 289 | ], 290 | "from": [ 291 | "medium-sev-project@1.0.0", 292 | "mosca@2.7.0", 293 | "ascoltatori@3.2.0", 294 | "kafka-node@0.5.9", 295 | "snappy@5.0.5", 296 | "node-gyp@3.4.0", 297 | "request@2.83.0", 298 | "hawk@6.0.2", 299 | "boom@4.3.1", 300 | "hoek@4.2.0" 301 | ], 302 | "upgradePath": [ 303 | false, 304 | "mosca@2.7.0", 305 | "ascoltatori@3.2.0", 306 | "kafka-node@0.5.9", 307 | "snappy@5.0.5", 308 | "node-gyp@3.4.0", 309 | "request@2.83.0", 310 | "hawk@6.0.2", 311 | "boom@4.3.1", 312 | "hoek@4.2.1" 313 | ], 314 | "version": "4.2.0", 315 | "name": "hoek", 316 | "isUpgradable": true, 317 | "isPatchable": false, 318 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 
319 | "parentDepType": "prod" 320 | }, 321 | { 322 | "title": "Prototype Pollution", 323 | "credit": [ 324 | "Olivier Arteau (HoLyVieR)" 325 | ], 326 | "moduleName": "hoek", 327 | "packageName": "hoek", 328 | "language": "js", 329 | "packageManager": "npm", 330 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. \n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 331 | "identifiers": { 332 | "ALTERNATIVE": [ 333 | "SNYK-JS-HOEK-12061" 334 | ], 335 | "CVE": [ 336 | "CVE-2018-3728" 337 | ], 338 | "CWE": [ 339 | "CWE-400" 340 | ], 341 | "NSP": 566 342 | }, 343 | "semver": { 344 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 345 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 346 | }, 347 | "severity": "low", 348 | "cvssScore": 1.8, 349 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 350 | "patches": [], 351 | "creationTime": "2018-02-12T22:28:27.612Z", 352 | "modificationTime": "2018-02-13T22:28:27.612Z", 353 | "publicationTime": "2018-02-14T13:22:50.418Z", 354 | "disclosureTime": "2018-02-12T22:28:27.612Z", 355 | "id": "npm:hoek:20180212", 356 | "alternativeIds": [ 357 | "SNYK-JS-HOEK-12061" 358 | ], 359 | "from": [ 360 | "medium-sev-project@1.0.0", 361 | "mosca@2.7.0", 362 | 
"ascoltatori@3.2.0", 363 | "kafka-node@0.5.9", 364 | "snappy@5.0.5", 365 | "node-gyp@3.4.0", 366 | "request@2.83.0", 367 | "hawk@6.0.2", 368 | "sntp@2.1.0", 369 | "hoek@4.2.0" 370 | ], 371 | "upgradePath": [ 372 | false, 373 | "mosca@2.7.0", 374 | "ascoltatori@3.2.0", 375 | "kafka-node@0.5.9", 376 | "snappy@5.0.5", 377 | "node-gyp@3.4.0", 378 | "request@2.83.0", 379 | "hawk@6.0.2", 380 | "sntp@2.1.0", 381 | "hoek@4.2.1" 382 | ], 383 | "version": "4.2.0", 384 | "name": "hoek", 385 | "isUpgradable": true, 386 | "isPatchable": false, 387 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 388 | "parentDepType": "prod" 389 | }, 390 | { 391 | "title": "Prototype Pollution", 392 | "credit": [ 393 | "Olivier Arteau (HoLyVieR)" 394 | ], 395 | "moduleName": "hoek", 396 | "packageName": "hoek", 397 | "language": "js", 398 | "packageManager": "npm", 399 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. 
\n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 400 | "identifiers": { 401 | "ALTERNATIVE": [ 402 | "SNYK-JS-HOEK-12061" 403 | ], 404 | "CVE": [ 405 | "CVE-2018-3728" 406 | ], 407 | "CWE": [ 408 | "CWE-400" 409 | ], 410 | "NSP": 566 411 | }, 412 | "semver": { 413 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 414 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 415 | }, 416 | "severity": "low", 417 | "cvssScore": 1.8, 418 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 419 | "patches": [], 420 | "creationTime": "2018-02-12T22:28:27.612Z", 421 | "modificationTime": "2018-02-13T22:28:27.612Z", 422 | "publicationTime": "2018-02-14T13:22:50.418Z", 423 | "disclosureTime": "2018-02-12T22:28:27.612Z", 424 | "id": "npm:hoek:20180212", 425 | "alternativeIds": [ 426 | "SNYK-JS-HOEK-12061" 427 | ], 428 | "from": [ 429 | "medium-sev-project@1.0.0", 430 | "mosca@2.7.0", 431 | "ascoltatori@3.2.0", 432 | "kafka-node@0.5.9", 433 | "snappy@5.0.5", 434 | "node-gyp@3.4.0", 435 | "request@2.83.0", 436 | "hawk@6.0.2", 437 | "cryptiles@3.1.2", 438 | "boom@5.2.0", 439 | "hoek@4.2.0" 440 | ], 441 | "upgradePath": [ 442 | false, 443 | "mosca@2.7.0", 444 | "ascoltatori@3.2.0", 445 | "kafka-node@0.5.9", 446 | "snappy@5.0.5", 447 | "node-gyp@3.4.0", 448 | "request@2.83.0", 449 | "hawk@6.0.2", 450 | "cryptiles@3.1.2", 451 | "boom@5.2.0", 452 | "hoek@4.2.1" 453 | ], 454 | "version": "4.2.0", 455 | "name": "hoek", 456 | "isUpgradable": true, 457 | "isPatchable": false, 458 | "__filename": 
"/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 459 | "parentDepType": "prod" 460 | }, 461 | { 462 | "title": "Prototype Pollution", 463 | "credit": [ 464 | "Olivier Arteau (HoLyVieR)" 465 | ], 466 | "moduleName": "hoek", 467 | "packageName": "hoek", 468 | "language": "js", 469 | "packageManager": "npm", 470 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. \n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 471 | "identifiers": { 472 | "ALTERNATIVE": [ 473 | "SNYK-JS-HOEK-12061" 474 | ], 475 | "CVE": [ 476 | "CVE-2018-3728" 477 | ], 478 | "CWE": [ 479 | "CWE-400" 480 | ], 481 | "NSP": 566 482 | }, 483 | "semver": { 484 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 485 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 486 | }, 487 | "severity": "low", 488 | "cvssScore": 1.8, 489 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 490 | "patches": [], 491 | "creationTime": "2018-02-12T22:28:27.612Z", 492 | "modificationTime": "2018-02-13T22:28:27.612Z", 493 | "publicationTime": "2018-02-14T13:22:50.418Z", 494 | "disclosureTime": "2018-02-12T22:28:27.612Z", 495 | "id": "npm:hoek:20180212", 496 | "alternativeIds": [ 497 | "SNYK-JS-HOEK-12061" 
498 | ], 499 | "from": [ 500 | "medium-sev-project@1.0.0", 501 | "mosca@2.7.0", 502 | "leveldown@1.4.6", 503 | "prebuild@4.5.0", 504 | "node-gyp@3.4.0", 505 | "request@2.83.0", 506 | "hawk@6.0.2", 507 | "hoek@4.2.0" 508 | ], 509 | "upgradePath": [ 510 | false, 511 | "mosca@2.7.0", 512 | "leveldown@1.4.6", 513 | "prebuild@4.5.0", 514 | "node-gyp@3.4.0", 515 | "request@2.83.0", 516 | "hawk@6.0.2", 517 | "hoek@4.2.1" 518 | ], 519 | "version": "4.2.0", 520 | "name": "hoek", 521 | "isUpgradable": true, 522 | "isPatchable": false, 523 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 524 | "parentDepType": "prod" 525 | }, 526 | { 527 | "title": "Prototype Pollution", 528 | "credit": [ 529 | "Olivier Arteau (HoLyVieR)" 530 | ], 531 | "moduleName": "hoek", 532 | "packageName": "hoek", 533 | "language": "js", 534 | "packageManager": "npm", 535 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. 
\n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 536 | "identifiers": { 537 | "ALTERNATIVE": [ 538 | "SNYK-JS-HOEK-12061" 539 | ], 540 | "CVE": [ 541 | "CVE-2018-3728" 542 | ], 543 | "CWE": [ 544 | "CWE-400" 545 | ], 546 | "NSP": 566 547 | }, 548 | "semver": { 549 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 550 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 551 | }, 552 | "severity": "low", 553 | "cvssScore": 1.8, 554 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 555 | "patches": [], 556 | "creationTime": "2018-02-12T22:28:27.612Z", 557 | "modificationTime": "2018-02-13T22:28:27.612Z", 558 | "publicationTime": "2018-02-14T13:22:50.418Z", 559 | "disclosureTime": "2018-02-12T22:28:27.612Z", 560 | "id": "npm:hoek:20180212", 561 | "alternativeIds": [ 562 | "SNYK-JS-HOEK-12061" 563 | ], 564 | "from": [ 565 | "medium-sev-project@1.0.0", 566 | "mosca@2.7.0", 567 | "leveldown@1.4.6", 568 | "prebuild@4.5.0", 569 | "node-gyp@3.4.0", 570 | "request@2.83.0", 571 | "hawk@6.0.2", 572 | "boom@4.3.1", 573 | "hoek@4.2.0" 574 | ], 575 | "upgradePath": [ 576 | false, 577 | "mosca@2.7.0", 578 | "leveldown@1.4.6", 579 | "prebuild@4.5.0", 580 | "node-gyp@3.4.0", 581 | "request@2.83.0", 582 | "hawk@6.0.2", 583 | "boom@4.3.1", 584 | "hoek@4.2.1" 585 | ], 586 | "version": "4.2.0", 587 | "name": "hoek", 588 | "isUpgradable": true, 589 | "isPatchable": false, 590 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 591 | "parentDepType": "prod" 592 | }, 593 | { 594 | 
"title": "Prototype Pollution", 595 | "credit": [ 596 | "Olivier Arteau (HoLyVieR)" 597 | ], 598 | "moduleName": "hoek", 599 | "packageName": "hoek", 600 | "language": "js", 601 | "packageManager": "npm", 602 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. \n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 603 | "identifiers": { 604 | "ALTERNATIVE": [ 605 | "SNYK-JS-HOEK-12061" 606 | ], 607 | "CVE": [ 608 | "CVE-2018-3728" 609 | ], 610 | "CWE": [ 611 | "CWE-400" 612 | ], 613 | "NSP": 566 614 | }, 615 | "semver": { 616 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 617 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 618 | }, 619 | "severity": "low", 620 | "cvssScore": 1.8, 621 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 622 | "patches": [], 623 | "creationTime": "2018-02-12T22:28:27.612Z", 624 | "modificationTime": "2018-02-13T22:28:27.612Z", 625 | "publicationTime": "2018-02-14T13:22:50.418Z", 626 | "disclosureTime": "2018-02-12T22:28:27.612Z", 627 | "id": "npm:hoek:20180212", 628 | "alternativeIds": [ 629 | "SNYK-JS-HOEK-12061" 630 | ], 631 | "from": [ 632 | "medium-sev-project@1.0.0", 633 | "mosca@2.7.0", 634 | "leveldown@1.4.6", 635 | "prebuild@4.5.0", 636 | 
"node-gyp@3.4.0", 637 | "request@2.83.0", 638 | "hawk@6.0.2", 639 | "sntp@2.1.0", 640 | "hoek@4.2.0" 641 | ], 642 | "upgradePath": [ 643 | false, 644 | "mosca@2.7.0", 645 | "leveldown@1.4.6", 646 | "prebuild@4.5.0", 647 | "node-gyp@3.4.0", 648 | "request@2.83.0", 649 | "hawk@6.0.2", 650 | "sntp@2.1.0", 651 | "hoek@4.2.1" 652 | ], 653 | "version": "4.2.0", 654 | "name": "hoek", 655 | "isUpgradable": true, 656 | "isPatchable": false, 657 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 658 | "parentDepType": "prod" 659 | }, 660 | { 661 | "title": "Prototype Pollution", 662 | "credit": [ 663 | "Olivier Arteau (HoLyVieR)" 664 | ], 665 | "moduleName": "hoek", 666 | "packageName": "hoek", 667 | "language": "js", 668 | "packageManager": "npm", 669 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. 
\n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 670 | "identifiers": { 671 | "ALTERNATIVE": [ 672 | "SNYK-JS-HOEK-12061" 673 | ], 674 | "CVE": [ 675 | "CVE-2018-3728" 676 | ], 677 | "CWE": [ 678 | "CWE-400" 679 | ], 680 | "NSP": 566 681 | }, 682 | "semver": { 683 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 684 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 685 | }, 686 | "severity": "low", 687 | "cvssScore": 1.8, 688 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 689 | "patches": [], 690 | "creationTime": "2018-02-12T22:28:27.612Z", 691 | "modificationTime": "2018-02-13T22:28:27.612Z", 692 | "publicationTime": "2018-02-14T13:22:50.418Z", 693 | "disclosureTime": "2018-02-12T22:28:27.612Z", 694 | "id": "npm:hoek:20180212", 695 | "alternativeIds": [ 696 | "SNYK-JS-HOEK-12061" 697 | ], 698 | "from": [ 699 | "medium-sev-project@1.0.0", 700 | "mosca@2.7.0", 701 | "leveldown@1.4.6", 702 | "prebuild@4.5.0", 703 | "node-gyp@3.4.0", 704 | "request@2.83.0", 705 | "hawk@6.0.2", 706 | "cryptiles@3.1.2", 707 | "boom@5.2.0", 708 | "hoek@4.2.0" 709 | ], 710 | "upgradePath": [ 711 | false, 712 | "mosca@2.7.0", 713 | "leveldown@1.4.6", 714 | "prebuild@4.5.0", 715 | "node-gyp@3.4.0", 716 | "request@2.83.0", 717 | "hawk@6.0.2", 718 | "cryptiles@3.1.2", 719 | "boom@5.2.0", 720 | "hoek@4.2.1" 721 | ], 722 | "version": "4.2.0", 723 | "name": "hoek", 724 | "isUpgradable": true, 725 | "isPatchable": false, 726 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 727 
| "parentDepType": "prod" 728 | }, 729 | { 730 | "title": "Prototype Pollution", 731 | "credit": [ 732 | "Olivier Arteau (HoLyVieR)" 733 | ], 734 | "moduleName": "hoek", 735 | "packageName": "hoek", 736 | "language": "js", 737 | "packageManager": "npm", 738 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. \n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 739 | "identifiers": { 740 | "ALTERNATIVE": [ 741 | "SNYK-JS-HOEK-12061" 742 | ], 743 | "CVE": [ 744 | "CVE-2018-3728" 745 | ], 746 | "CWE": [ 747 | "CWE-400" 748 | ], 749 | "NSP": 566 750 | }, 751 | "semver": { 752 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 753 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 754 | }, 755 | "severity": "low", 756 | "cvssScore": 1.8, 757 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 758 | "patches": [], 759 | "creationTime": "2018-02-12T22:28:27.612Z", 760 | "modificationTime": "2018-02-13T22:28:27.612Z", 761 | "publicationTime": "2018-02-14T13:22:50.418Z", 762 | "disclosureTime": "2018-02-12T22:28:27.612Z", 763 | "id": "npm:hoek:20180212", 764 | "alternativeIds": [ 765 | "SNYK-JS-HOEK-12061" 766 | ], 767 | "from": [ 768 | "medium-sev-project@1.0.0", 769 | "mosca@2.7.0", 770 | 
"leveldown@1.4.6", 771 | "prebuild@4.5.0", 772 | "node-ninja@1.0.2", 773 | "request@2.83.0", 774 | "hawk@6.0.2", 775 | "hoek@4.2.0" 776 | ], 777 | "upgradePath": [ 778 | false, 779 | "mosca@2.7.0", 780 | "leveldown@1.4.6", 781 | "prebuild@4.5.0", 782 | "node-ninja@1.0.2", 783 | "request@2.83.0", 784 | "hawk@6.0.2", 785 | "hoek@4.2.1" 786 | ], 787 | "version": "4.2.0", 788 | "name": "hoek", 789 | "isUpgradable": true, 790 | "isPatchable": false, 791 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 792 | "parentDepType": "prod" 793 | }, 794 | { 795 | "title": "Prototype Pollution", 796 | "credit": [ 797 | "Olivier Arteau (HoLyVieR)" 798 | ], 799 | "moduleName": "hoek", 800 | "packageName": "hoek", 801 | "language": "js", 802 | "packageManager": "npm", 803 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. 
\n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 804 | "identifiers": { 805 | "ALTERNATIVE": [ 806 | "SNYK-JS-HOEK-12061" 807 | ], 808 | "CVE": [ 809 | "CVE-2018-3728" 810 | ], 811 | "CWE": [ 812 | "CWE-400" 813 | ], 814 | "NSP": 566 815 | }, 816 | "semver": { 817 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 818 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 819 | }, 820 | "severity": "low", 821 | "cvssScore": 1.8, 822 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 823 | "patches": [], 824 | "creationTime": "2018-02-12T22:28:27.612Z", 825 | "modificationTime": "2018-02-13T22:28:27.612Z", 826 | "publicationTime": "2018-02-14T13:22:50.418Z", 827 | "disclosureTime": "2018-02-12T22:28:27.612Z", 828 | "id": "npm:hoek:20180212", 829 | "alternativeIds": [ 830 | "SNYK-JS-HOEK-12061" 831 | ], 832 | "from": [ 833 | "medium-sev-project@1.0.0", 834 | "mosca@2.7.0", 835 | "leveldown@1.4.6", 836 | "prebuild@4.5.0", 837 | "node-ninja@1.0.2", 838 | "request@2.83.0", 839 | "hawk@6.0.2", 840 | "boom@4.3.1", 841 | "hoek@4.2.0" 842 | ], 843 | "upgradePath": [ 844 | false, 845 | "mosca@2.7.0", 846 | "leveldown@1.4.6", 847 | "prebuild@4.5.0", 848 | "node-ninja@1.0.2", 849 | "request@2.83.0", 850 | "hawk@6.0.2", 851 | "boom@4.3.1", 852 | "hoek@4.2.1" 853 | ], 854 | "version": "4.2.0", 855 | "name": "hoek", 856 | "isUpgradable": true, 857 | "isPatchable": false, 858 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 859 | "parentDepType": "prod" 860 | }, 861 | { 
862 | "title": "Prototype Pollution", 863 | "credit": [ 864 | "Olivier Arteau (HoLyVieR)" 865 | ], 866 | "moduleName": "hoek", 867 | "packageName": "hoek", 868 | "language": "js", 869 | "packageManager": "npm", 870 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. \n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 871 | "identifiers": { 872 | "ALTERNATIVE": [ 873 | "SNYK-JS-HOEK-12061" 874 | ], 875 | "CVE": [ 876 | "CVE-2018-3728" 877 | ], 878 | "CWE": [ 879 | "CWE-400" 880 | ], 881 | "NSP": 566 882 | }, 883 | "semver": { 884 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 885 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 886 | }, 887 | "severity": "low", 888 | "cvssScore": 1.8, 889 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 890 | "patches": [], 891 | "creationTime": "2018-02-12T22:28:27.612Z", 892 | "modificationTime": "2018-02-13T22:28:27.612Z", 893 | "publicationTime": "2018-02-14T13:22:50.418Z", 894 | "disclosureTime": "2018-02-12T22:28:27.612Z", 895 | "id": "npm:hoek:20180212", 896 | "alternativeIds": [ 897 | "SNYK-JS-HOEK-12061" 898 | ], 899 | "from": [ 900 | "medium-sev-project@1.0.0", 901 | "mosca@2.7.0", 902 | "leveldown@1.4.6", 903 | "prebuild@4.5.0", 904 | 
"node-ninja@1.0.2", 905 | "request@2.83.0", 906 | "hawk@6.0.2", 907 | "sntp@2.1.0", 908 | "hoek@4.2.0" 909 | ], 910 | "upgradePath": [ 911 | false, 912 | "mosca@2.7.0", 913 | "leveldown@1.4.6", 914 | "prebuild@4.5.0", 915 | "node-ninja@1.0.2", 916 | "request@2.83.0", 917 | "hawk@6.0.2", 918 | "sntp@2.1.0", 919 | "hoek@4.2.1" 920 | ], 921 | "version": "4.2.0", 922 | "name": "hoek", 923 | "isUpgradable": true, 924 | "isPatchable": false, 925 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 926 | "parentDepType": "prod" 927 | }, 928 | { 929 | "title": "Prototype Pollution", 930 | "credit": [ 931 | "Olivier Arteau (HoLyVieR)" 932 | ], 933 | "moduleName": "hoek", 934 | "packageName": "hoek", 935 | "language": "js", 936 | "packageManager": "npm", 937 | "description": "## Overview\n[hoek](https://github.com/hapijs/hoek) is a Utility methods for the hapi ecosystem.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. 
\n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n\n```\n\n## Remediation\nUpgrade `hoek` to versions 4.2.1, 5.0.3 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310439)\n- [GitHub Issue - 4.2.1 Backport](https://github.com/hapijs/hoek/issues/230)", 938 | "identifiers": { 939 | "ALTERNATIVE": [ 940 | "SNYK-JS-HOEK-12061" 941 | ], 942 | "CVE": [ 943 | "CVE-2018-3728" 944 | ], 945 | "CWE": [ 946 | "CWE-400" 947 | ], 948 | "NSP": 566 949 | }, 950 | "semver": { 951 | "unaffected": ">=4.2.1 <5.0.0 || >=5.0.3", 952 | "vulnerable": "<4.2.1 || >=5.0.0 <5.0.3" 953 | }, 954 | "severity": "low", 955 | "cvssScore": 1.8, 956 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 957 | "patches": [], 958 | "creationTime": "2018-02-12T22:28:27.612Z", 959 | "modificationTime": "2018-02-13T22:28:27.612Z", 960 | "publicationTime": "2018-02-14T13:22:50.418Z", 961 | "disclosureTime": "2018-02-12T22:28:27.612Z", 962 | "id": "npm:hoek:20180212", 963 | "alternativeIds": [ 964 | "SNYK-JS-HOEK-12061" 965 | ], 966 | "from": [ 967 | "medium-sev-project@1.0.0", 968 | "mosca@2.7.0", 969 | "leveldown@1.4.6", 970 | "prebuild@4.5.0", 971 | "node-ninja@1.0.2", 972 | "request@2.83.0", 973 | "hawk@6.0.2", 974 | "cryptiles@3.1.2", 975 | "boom@5.2.0", 976 | "hoek@4.2.0" 977 | ], 978 | "upgradePath": [ 979 | false, 980 | "mosca@2.7.0", 981 | "leveldown@1.4.6", 982 | "prebuild@4.5.0", 983 | "node-ninja@1.0.2", 984 | "request@2.83.0", 985 | "hawk@6.0.2", 986 | "cryptiles@3.1.2", 987 | "boom@5.2.0", 988 | "hoek@4.2.1" 989 | ], 990 | "version": "4.2.0", 991 | "name": "hoek", 992 | "isUpgradable": true, 993 | "isPatchable": false, 994 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/hoek/package.json", 
995 | "parentDepType": "prod" 996 | }, 997 | { 998 | "title": "Prototype Pollution", 999 | "credit": [ 1000 | "Olivier Arteau (HoLyVieR)" 1001 | ], 1002 | "moduleName": "lodash", 1003 | "packageName": "lodash", 1004 | "language": "js", 1005 | "packageManager": "npm", 1006 | "description": "## Overview\n[lodash](https://lodash.com/) is a javaScript utility library delivering modularity, performance & extras.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. \n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar _= require('lodash');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\n_.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\n## Remediation\nUpgrade `lodash` to version 4.17.5 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310443)\n", 1007 | "identifiers": { 1008 | "ALTERNATIVE": [ 1009 | "SNYK-JS-LODASH-12060" 1010 | ], 1011 | "CVE": [ 1012 | "CVE-2018-3721" 1013 | ], 1014 | "CWE": [ 1015 | "CWE-400" 1016 | ] 1017 | }, 1018 | "semver": { 1019 | "unaffected": ">=4.17.5", 1020 | "vulnerable": "<4.17.5" 1021 | }, 1022 | "severity": "low", 1023 | "cvssScore": 1.8, 1024 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 1025 | "patches": [], 1026 | "creationTime": "2018-02-12T22:28:27.654Z", 1027 | "modificationTime": "2018-02-13T22:28:27.654Z", 1028 | "publicationTime": "2018-02-14T13:22:50.572Z", 1029 | "disclosureTime": "2018-01-30T22:28:27.654Z", 1030 | "id": "npm:lodash:20180130", 1031 | "alternativeIds": [ 1032 | "SNYK-JS-LODASH-12060" 1033 | ], 1034 | "from": [ 1035 | "medium-sev-project@1.0.0", 1036 | "mosca@2.7.0", 1037 | "ioredis@1.15.1", 1038 | "lodash@3.10.1" 1039 | ], 1040 | "upgradePath": 
[ 1041 | false, 1042 | false, 1043 | "ioredis@2.0.0", 1044 | "lodash@4.17.5" 1045 | ], 1046 | "version": "3.10.1", 1047 | "name": "lodash", 1048 | "isUpgradable": false, 1049 | "isPatchable": false, 1050 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/ioredis/node_modules/lodash/package.json", 1051 | "parentDepType": "prod" 1052 | }, 1053 | { 1054 | "title": "Prototype Pollution", 1055 | "credit": [ 1056 | "Olivier Arteau (HoLyVieR)" 1057 | ], 1058 | "moduleName": "lodash", 1059 | "packageName": "lodash", 1060 | "language": "js", 1061 | "packageManager": "npm", 1062 | "description": "## Overview\n[lodash](https://lodash.com/) is a javaScript utility library delivering modularity, performance & extras.\n\nAffected versions of this package are vulnerable to Prototype Pollution. \nThe utilities function allow modification of the `Object` prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property. 
\n\n## PoC by Olivier Arteau (HoLyVieR)\n```js\nvar _= require('lodash');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\n_.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\n## Remediation\nUpgrade `lodash` to version 4.17.5 or higher.\n\n## References\n- [HackerOne Report](https://hackerone.com/reports/310443)\n", 1063 | "identifiers": { 1064 | "ALTERNATIVE": [ 1065 | "SNYK-JS-LODASH-12060" 1066 | ], 1067 | "CVE": [ 1068 | "CVE-2018-3721" 1069 | ], 1070 | "CWE": [ 1071 | "CWE-400" 1072 | ] 1073 | }, 1074 | "semver": { 1075 | "unaffected": ">=4.17.5", 1076 | "vulnerable": "<4.17.5" 1077 | }, 1078 | "severity": "low", 1079 | "cvssScore": 1.8, 1080 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L", 1081 | "patches": [], 1082 | "creationTime": "2018-02-12T22:28:27.654Z", 1083 | "modificationTime": "2018-02-13T22:28:27.654Z", 1084 | "publicationTime": "2018-02-14T13:22:50.572Z", 1085 | "disclosureTime": "2018-01-30T22:28:27.654Z", 1086 | "id": "npm:lodash:20180130", 1087 | "alternativeIds": [ 1088 | "SNYK-JS-LODASH-12060" 1089 | ], 1090 | "from": [ 1091 | "medium-sev-project@1.0.0", 1092 | "mosca@2.7.0", 1093 | "ascoltatori@3.2.0", 1094 | "kafka-node@0.5.9", 1095 | "lodash@3.10.1" 1096 | ], 1097 | "upgradePath": [ 1098 | false, 1099 | false, 1100 | false, 1101 | "kafka-node@1.3.2", 1102 | "lodash@4.17.5" 1103 | ], 1104 | "version": "3.10.1", 1105 | "name": "lodash", 1106 | "isUpgradable": false, 1107 | "isPatchable": false, 1108 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/kafka-node/node_modules/lodash/package.json", 1109 | "parentDepType": "prod" 1110 | }, 1111 | { 1112 | "license": "Apache-2.0", 1113 | "semver": { 1114 | "vulnerable": [ 1115 | ">=0.6.0" 1116 | ] 1117 | }, 1118 | "id": "snyk:lic:npm:aws-sign2:Apache-2.0", 1119 | "type": "license", 1120 | "packageManager": "npm", 1121 | "language": "js", 
1122 | "packageName": "aws-sign2", 1123 | "title": "Apache-2.0 license", 1124 | "description": "Apache-2.0 license", 1125 | "publicationTime": "2018-03-11T12:36:36.319Z", 1126 | "creationTime": "2018-03-11T12:36:36.319Z", 1127 | "patches": [], 1128 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1129 | "severity": "medium", 1130 | "from": [ 1131 | "medium-sev-project@1.0.0", 1132 | "mosca@2.7.0", 1133 | "ascoltatori@3.2.0", 1134 | "kafka-node@0.5.9", 1135 | "snappy@5.0.5", 1136 | "node-gyp@3.4.0", 1137 | "request@2.83.0", 1138 | "aws-sign2@0.7.0" 1139 | ], 1140 | "upgradePath": [], 1141 | "version": "0.7.0", 1142 | "name": "aws-sign2", 1143 | "isUpgradable": false, 1144 | "isPatchable": false, 1145 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/aws-sign2/package.json", 1146 | "parentDepType": "prod" 1147 | }, 1148 | { 1149 | "license": "Apache-2.0", 1150 | "semver": { 1151 | "vulnerable": [ 1152 | ">=0.6.0" 1153 | ] 1154 | }, 1155 | "id": "snyk:lic:npm:aws-sign2:Apache-2.0", 1156 | "type": "license", 1157 | "packageManager": "npm", 1158 | "language": "js", 1159 | "packageName": "aws-sign2", 1160 | "title": "Apache-2.0 license", 1161 | "description": "Apache-2.0 license", 1162 | "publicationTime": "2018-03-11T12:36:36.319Z", 1163 | "creationTime": "2018-03-11T12:36:36.319Z", 1164 | "patches": [], 1165 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1166 | "severity": "medium", 1167 | "from": [ 1168 | "medium-sev-project@1.0.0", 1169 | "mosca@2.7.0", 1170 | "leveldown@1.4.6", 1171 | "prebuild@4.5.0", 1172 | "node-gyp@3.4.0", 1173 | "request@2.83.0", 1174 | "aws-sign2@0.7.0" 1175 | ], 1176 | "upgradePath": [], 1177 | "version": "0.7.0", 1178 | "name": "aws-sign2", 1179 | "isUpgradable": false, 1180 | "isPatchable": false, 1181 | "__filename": 
"/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/aws-sign2/package.json", 1182 | "parentDepType": "prod" 1183 | }, 1184 | { 1185 | "license": "Apache-2.0", 1186 | "semver": { 1187 | "vulnerable": [ 1188 | ">=0.6.0" 1189 | ] 1190 | }, 1191 | "id": "snyk:lic:npm:aws-sign2:Apache-2.0", 1192 | "type": "license", 1193 | "packageManager": "npm", 1194 | "language": "js", 1195 | "packageName": "aws-sign2", 1196 | "title": "Apache-2.0 license", 1197 | "description": "Apache-2.0 license", 1198 | "publicationTime": "2018-03-11T12:36:36.319Z", 1199 | "creationTime": "2018-03-11T12:36:36.319Z", 1200 | "patches": [], 1201 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1202 | "severity": "medium", 1203 | "from": [ 1204 | "medium-sev-project@1.0.0", 1205 | "mosca@2.7.0", 1206 | "leveldown@1.4.6", 1207 | "prebuild@4.5.0", 1208 | "node-ninja@1.0.2", 1209 | "request@2.83.0", 1210 | "aws-sign2@0.7.0" 1211 | ], 1212 | "upgradePath": [], 1213 | "version": "0.7.0", 1214 | "name": "aws-sign2", 1215 | "isUpgradable": false, 1216 | "isPatchable": false, 1217 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/aws-sign2/package.json", 1218 | "parentDepType": "prod" 1219 | }, 1220 | { 1221 | "license": "Apache-2.0", 1222 | "semver": { 1223 | "vulnerable": [ 1224 | ">=0.0.4" 1225 | ] 1226 | }, 1227 | "id": "snyk:lic:npm:bson:Apache-2.0", 1228 | "type": "license", 1229 | "packageManager": "npm", 1230 | "language": "js", 1231 | "packageName": "bson", 1232 | "title": "Apache-2.0 license", 1233 | "description": "Apache-2.0 license", 1234 | "publicationTime": "2018-03-11T12:36:36.803Z", 1235 | "creationTime": "2018-03-11T12:36:36.803Z", 1236 | "patches": [], 1237 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1238 | "severity": "medium", 1239 | "from": [ 1240 | "medium-sev-project@1.0.0", 1241 | "mosca@2.7.0", 1242 | "mongodb@2.1.21", 
1243 | "mongodb-core@1.3.21", 1244 | "bson@0.4.23" 1245 | ], 1246 | "upgradePath": [], 1247 | "version": "0.4.23", 1248 | "name": "bson", 1249 | "isUpgradable": false, 1250 | "isPatchable": false, 1251 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/bson/package.json", 1252 | "parentDepType": "prod" 1253 | }, 1254 | { 1255 | "license": "Apache-2.0", 1256 | "semver": { 1257 | "vulnerable": [ 1258 | ">=0.0.4" 1259 | ] 1260 | }, 1261 | "id": "snyk:lic:npm:bson:Apache-2.0", 1262 | "type": "license", 1263 | "packageManager": "npm", 1264 | "language": "js", 1265 | "packageName": "bson", 1266 | "title": "Apache-2.0 license", 1267 | "description": "Apache-2.0 license", 1268 | "publicationTime": "2018-03-11T12:36:36.803Z", 1269 | "creationTime": "2018-03-11T12:36:36.803Z", 1270 | "patches": [], 1271 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1272 | "severity": "medium", 1273 | "from": [ 1274 | "medium-sev-project@1.0.0", 1275 | "mosca@2.7.0", 1276 | "ascoltatori@3.2.0", 1277 | "mongodb@2.1.21", 1278 | "mongodb-core@1.3.21", 1279 | "bson@0.4.23" 1280 | ], 1281 | "upgradePath": [], 1282 | "version": "0.4.23", 1283 | "name": "bson", 1284 | "isUpgradable": false, 1285 | "isPatchable": false, 1286 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/bson/package.json", 1287 | "parentDepType": "prod" 1288 | }, 1289 | { 1290 | "license": "Apache-2.0", 1291 | "semver": { 1292 | "vulnerable": [ 1293 | ">=0.11.0" 1294 | ] 1295 | }, 1296 | "id": "snyk:lic:npm:caseless:Apache-2.0", 1297 | "type": "license", 1298 | "packageManager": "npm", 1299 | "language": "js", 1300 | "packageName": "caseless", 1301 | "title": "Apache-2.0 license", 1302 | "description": "Apache-2.0 license", 1303 | "publicationTime": "2018-03-11T12:36:37.033Z", 1304 | "creationTime": "2018-03-11T12:36:37.033Z", 1305 | "patches": [], 1306 | "licenseTemplateUrl": 
"https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1307 | "severity": "medium", 1308 | "from": [ 1309 | "medium-sev-project@1.0.0", 1310 | "mosca@2.7.0", 1311 | "ascoltatori@3.2.0", 1312 | "kafka-node@0.5.9", 1313 | "snappy@5.0.5", 1314 | "node-gyp@3.4.0", 1315 | "request@2.83.0", 1316 | "caseless@0.12.0" 1317 | ], 1318 | "upgradePath": [], 1319 | "version": "0.12.0", 1320 | "name": "caseless", 1321 | "isUpgradable": false, 1322 | "isPatchable": false, 1323 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/caseless/package.json", 1324 | "parentDepType": "prod" 1325 | }, 1326 | { 1327 | "license": "Apache-2.0", 1328 | "semver": { 1329 | "vulnerable": [ 1330 | ">=0.11.0" 1331 | ] 1332 | }, 1333 | "id": "snyk:lic:npm:caseless:Apache-2.0", 1334 | "type": "license", 1335 | "packageManager": "npm", 1336 | "language": "js", 1337 | "packageName": "caseless", 1338 | "title": "Apache-2.0 license", 1339 | "description": "Apache-2.0 license", 1340 | "publicationTime": "2018-03-11T12:36:37.033Z", 1341 | "creationTime": "2018-03-11T12:36:37.033Z", 1342 | "patches": [], 1343 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1344 | "severity": "medium", 1345 | "from": [ 1346 | "medium-sev-project@1.0.0", 1347 | "mosca@2.7.0", 1348 | "leveldown@1.4.6", 1349 | "prebuild@4.5.0", 1350 | "node-gyp@3.4.0", 1351 | "request@2.83.0", 1352 | "caseless@0.12.0" 1353 | ], 1354 | "upgradePath": [], 1355 | "version": "0.12.0", 1356 | "name": "caseless", 1357 | "isUpgradable": false, 1358 | "isPatchable": false, 1359 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/caseless/package.json", 1360 | "parentDepType": "prod" 1361 | }, 1362 | { 1363 | "license": "Apache-2.0", 1364 | "semver": { 1365 | "vulnerable": [ 1366 | ">=0.11.0" 1367 | ] 1368 | }, 1369 | "id": "snyk:lic:npm:caseless:Apache-2.0", 1370 | "type": "license", 1371 | "packageManager": 
"npm", 1372 | "language": "js", 1373 | "packageName": "caseless", 1374 | "title": "Apache-2.0 license", 1375 | "description": "Apache-2.0 license", 1376 | "publicationTime": "2018-03-11T12:36:37.033Z", 1377 | "creationTime": "2018-03-11T12:36:37.033Z", 1378 | "patches": [], 1379 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1380 | "severity": "medium", 1381 | "from": [ 1382 | "medium-sev-project@1.0.0", 1383 | "mosca@2.7.0", 1384 | "leveldown@1.4.6", 1385 | "prebuild@4.5.0", 1386 | "node-ninja@1.0.2", 1387 | "request@2.83.0", 1388 | "caseless@0.12.0" 1389 | ], 1390 | "upgradePath": [], 1391 | "version": "0.12.0", 1392 | "name": "caseless", 1393 | "isUpgradable": false, 1394 | "isPatchable": false, 1395 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/caseless/package.json", 1396 | "parentDepType": "prod" 1397 | }, 1398 | { 1399 | "license": "Apache-2.0", 1400 | "semver": { 1401 | "vulnerable": [ 1402 | ">=0.6.0" 1403 | ] 1404 | }, 1405 | "id": "snyk:lic:npm:forever-agent:Apache-2.0", 1406 | "type": "license", 1407 | "packageManager": "npm", 1408 | "language": "js", 1409 | "packageName": "forever-agent", 1410 | "title": "Apache-2.0 license", 1411 | "description": "Apache-2.0 license", 1412 | "publicationTime": "2018-03-11T12:36:40.028Z", 1413 | "creationTime": "2018-03-11T12:36:40.028Z", 1414 | "patches": [], 1415 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1416 | "severity": "medium", 1417 | "from": [ 1418 | "medium-sev-project@1.0.0", 1419 | "mosca@2.7.0", 1420 | "ascoltatori@3.2.0", 1421 | "kafka-node@0.5.9", 1422 | "snappy@5.0.5", 1423 | "node-gyp@3.4.0", 1424 | "request@2.83.0", 1425 | "forever-agent@0.6.1" 1426 | ], 1427 | "upgradePath": [], 1428 | "version": "0.6.1", 1429 | "name": "forever-agent", 1430 | "isUpgradable": false, 1431 | "isPatchable": false, 1432 | "__filename": 
"/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/forever-agent/package.json", 1433 | "parentDepType": "prod" 1434 | }, 1435 | { 1436 | "license": "Apache-2.0", 1437 | "semver": { 1438 | "vulnerable": [ 1439 | ">=0.6.0" 1440 | ] 1441 | }, 1442 | "id": "snyk:lic:npm:forever-agent:Apache-2.0", 1443 | "type": "license", 1444 | "packageManager": "npm", 1445 | "language": "js", 1446 | "packageName": "forever-agent", 1447 | "title": "Apache-2.0 license", 1448 | "description": "Apache-2.0 license", 1449 | "publicationTime": "2018-03-11T12:36:40.028Z", 1450 | "creationTime": "2018-03-11T12:36:40.028Z", 1451 | "patches": [], 1452 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1453 | "severity": "medium", 1454 | "from": [ 1455 | "medium-sev-project@1.0.0", 1456 | "mosca@2.7.0", 1457 | "leveldown@1.4.6", 1458 | "prebuild@4.5.0", 1459 | "node-gyp@3.4.0", 1460 | "request@2.83.0", 1461 | "forever-agent@0.6.1" 1462 | ], 1463 | "upgradePath": [], 1464 | "version": "0.6.1", 1465 | "name": "forever-agent", 1466 | "isUpgradable": false, 1467 | "isPatchable": false, 1468 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/forever-agent/package.json", 1469 | "parentDepType": "prod" 1470 | }, 1471 | { 1472 | "license": "Apache-2.0", 1473 | "semver": { 1474 | "vulnerable": [ 1475 | ">=0.6.0" 1476 | ] 1477 | }, 1478 | "id": "snyk:lic:npm:forever-agent:Apache-2.0", 1479 | "type": "license", 1480 | "packageManager": "npm", 1481 | "language": "js", 1482 | "packageName": "forever-agent", 1483 | "title": "Apache-2.0 license", 1484 | "description": "Apache-2.0 license", 1485 | "publicationTime": "2018-03-11T12:36:40.028Z", 1486 | "creationTime": "2018-03-11T12:36:40.028Z", 1487 | "patches": [], 1488 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1489 | "severity": "medium", 1490 | "from": [ 1491 | "medium-sev-project@1.0.0", 1492 | 
"mosca@2.7.0", 1493 | "leveldown@1.4.6", 1494 | "prebuild@4.5.0", 1495 | "node-ninja@1.0.2", 1496 | "request@2.83.0", 1497 | "forever-agent@0.6.1" 1498 | ], 1499 | "upgradePath": [], 1500 | "version": "0.6.1", 1501 | "name": "forever-agent", 1502 | "isUpgradable": false, 1503 | "isPatchable": false, 1504 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/forever-agent/package.json", 1505 | "parentDepType": "prod" 1506 | }, 1507 | { 1508 | "license": "Apache-2.0", 1509 | "semver": { 1510 | "vulnerable": [ 1511 | ">=0.0.1" 1512 | ] 1513 | }, 1514 | "id": "snyk:lic:npm:kerberos:Apache-2.0", 1515 | "type": "license", 1516 | "packageManager": "npm", 1517 | "language": "js", 1518 | "packageName": "kerberos", 1519 | "title": "Apache-2.0 license", 1520 | "description": "Apache-2.0 license", 1521 | "publicationTime": "2018-03-11T12:36:41.074Z", 1522 | "creationTime": "2018-03-11T12:36:41.074Z", 1523 | "patches": [], 1524 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1525 | "severity": "medium", 1526 | "from": [ 1527 | "medium-sev-project@1.0.0", 1528 | "mosca@2.7.0", 1529 | "ascoltatori@3.2.0", 1530 | "kerberos@0.0.23" 1531 | ], 1532 | "upgradePath": [], 1533 | "version": "0.0.23", 1534 | "name": "kerberos", 1535 | "isUpgradable": false, 1536 | "isPatchable": false, 1537 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/kerberos/package.json", 1538 | "parentDepType": "prod" 1539 | }, 1540 | { 1541 | "license": "Apache-2.0", 1542 | "semver": { 1543 | "vulnerable": [ 1544 | ">=1.0.0" 1545 | ] 1546 | }, 1547 | "id": "snyk:lic:npm:long:Apache-2.0", 1548 | "type": "license", 1549 | "packageManager": "npm", 1550 | "language": "js", 1551 | "packageName": "long", 1552 | "title": "Apache-2.0 license", 1553 | "description": "Apache-2.0 license", 1554 | "publicationTime": "2018-03-11T12:36:41.283Z", 1555 | "creationTime": "2018-03-11T12:36:41.283Z", 1556 | 
"patches": [], 1557 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1558 | "severity": "medium", 1559 | "from": [ 1560 | "medium-sev-project@1.0.0", 1561 | "mosca@2.7.0", 1562 | "ascoltatori@3.2.0", 1563 | "kafka-node@0.5.9", 1564 | "buffermaker@1.2.0", 1565 | "long@1.1.2" 1566 | ], 1567 | "upgradePath": [], 1568 | "version": "1.1.2", 1569 | "name": "long", 1570 | "isUpgradable": false, 1571 | "isPatchable": false, 1572 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/long/package.json", 1573 | "parentDepType": "prod" 1574 | }, 1575 | { 1576 | "license": "Apache-2.0", 1577 | "semver": { 1578 | "vulnerable": [ 1579 | ">=1.0.0-alpha3" 1580 | ] 1581 | }, 1582 | "id": "snyk:lic:npm:mongodb-core:Apache-2.0", 1583 | "type": "license", 1584 | "packageManager": "npm", 1585 | "language": "js", 1586 | "packageName": "mongodb-core", 1587 | "title": "Apache-2.0 license", 1588 | "description": "Apache-2.0 license", 1589 | "publicationTime": "2018-03-11T12:36:41.543Z", 1590 | "creationTime": "2018-03-11T12:36:41.543Z", 1591 | "patches": [], 1592 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1593 | "severity": "medium", 1594 | "from": [ 1595 | "medium-sev-project@1.0.0", 1596 | "mosca@2.7.0", 1597 | "mongodb@2.1.21", 1598 | "mongodb-core@1.3.21" 1599 | ], 1600 | "upgradePath": [], 1601 | "version": "1.3.21", 1602 | "name": "mongodb-core", 1603 | "isUpgradable": false, 1604 | "isPatchable": false, 1605 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/mongodb-core/package.json", 1606 | "parentDepType": "prod" 1607 | }, 1608 | { 1609 | "license": "Apache-2.0", 1610 | "semver": { 1611 | "vulnerable": [ 1612 | ">=1.0.0-alpha3" 1613 | ] 1614 | }, 1615 | "id": "snyk:lic:npm:mongodb-core:Apache-2.0", 1616 | "type": "license", 1617 | "packageManager": "npm", 1618 | "language": "js", 1619 | "packageName": 
"mongodb-core", 1620 | "title": "Apache-2.0 license", 1621 | "description": "Apache-2.0 license", 1622 | "publicationTime": "2018-03-11T12:36:41.543Z", 1623 | "creationTime": "2018-03-11T12:36:41.543Z", 1624 | "patches": [], 1625 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1626 | "severity": "medium", 1627 | "from": [ 1628 | "medium-sev-project@1.0.0", 1629 | "mosca@2.7.0", 1630 | "ascoltatori@3.2.0", 1631 | "mongodb@2.1.21", 1632 | "mongodb-core@1.3.21" 1633 | ], 1634 | "upgradePath": [], 1635 | "version": "1.3.21", 1636 | "name": "mongodb-core", 1637 | "isUpgradable": false, 1638 | "isPatchable": false, 1639 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/mongodb-core/package.json", 1640 | "parentDepType": "prod" 1641 | }, 1642 | { 1643 | "license": "Apache-2.0", 1644 | "semver": { 1645 | "vulnerable": [ 1646 | ">=0.9.1" 1647 | ] 1648 | }, 1649 | "id": "snyk:lic:npm:mongodb:Apache-2.0", 1650 | "type": "license", 1651 | "packageManager": "npm", 1652 | "language": "js", 1653 | "packageName": "mongodb", 1654 | "title": "Apache-2.0 license", 1655 | "description": "Apache-2.0 license", 1656 | "publicationTime": "2018-03-11T12:36:41.542Z", 1657 | "creationTime": "2018-03-11T12:36:41.542Z", 1658 | "patches": [], 1659 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1660 | "severity": "medium", 1661 | "from": [ 1662 | "medium-sev-project@1.0.0", 1663 | "mosca@2.7.0", 1664 | "mongodb@2.1.21" 1665 | ], 1666 | "upgradePath": [], 1667 | "version": "2.1.21", 1668 | "name": "mongodb", 1669 | "isUpgradable": false, 1670 | "isPatchable": false, 1671 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/mongodb/package.json", 1672 | "parentDepType": "prod" 1673 | }, 1674 | { 1675 | "license": "Apache-2.0", 1676 | "semver": { 1677 | "vulnerable": [ 1678 | ">=0.9.1" 1679 | ] 1680 | }, 1681 | "id": 
"snyk:lic:npm:mongodb:Apache-2.0", 1682 | "type": "license", 1683 | "packageManager": "npm", 1684 | "language": "js", 1685 | "packageName": "mongodb", 1686 | "title": "Apache-2.0 license", 1687 | "description": "Apache-2.0 license", 1688 | "publicationTime": "2018-03-11T12:36:41.542Z", 1689 | "creationTime": "2018-03-11T12:36:41.542Z", 1690 | "patches": [], 1691 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1692 | "severity": "medium", 1693 | "from": [ 1694 | "medium-sev-project@1.0.0", 1695 | "mosca@2.7.0", 1696 | "ascoltatori@3.2.0", 1697 | "mongodb@2.1.21" 1698 | ], 1699 | "upgradePath": [], 1700 | "version": "2.1.21", 1701 | "name": "mongodb", 1702 | "isUpgradable": false, 1703 | "isPatchable": false, 1704 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/mongodb/package.json", 1705 | "parentDepType": "prod" 1706 | }, 1707 | { 1708 | "license": "MPL-2.0", 1709 | "semver": { 1710 | "vulnerable": [ 1711 | "*" 1712 | ] 1713 | }, 1714 | "id": "snyk:lic:npm:node-ninja:MPL-2.0", 1715 | "type": "license", 1716 | "packageManager": "npm", 1717 | "language": "js", 1718 | "packageName": "node-ninja", 1719 | "title": "MPL-2.0 license", 1720 | "description": "MPL-2.0 license", 1721 | "publicationTime": "2018-03-11T12:36:41.950Z", 1722 | "creationTime": "2018-03-11T12:36:41.950Z", 1723 | "patches": [], 1724 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/MPL-2.0.txt", 1725 | "severity": "medium", 1726 | "from": [ 1727 | "medium-sev-project@1.0.0", 1728 | "mosca@2.7.0", 1729 | "leveldown@1.4.6", 1730 | "prebuild@4.5.0", 1731 | "node-ninja@1.0.2" 1732 | ], 1733 | "upgradePath": [], 1734 | "version": "1.0.2", 1735 | "name": "node-ninja", 1736 | "isUpgradable": false, 1737 | "isPatchable": false, 1738 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/node-ninja/package.json", 1739 | "parentDepType": "prod" 1740 | }, 
1741 | { 1742 | "license": "Apache-2.0", 1743 | "semver": { 1744 | "vulnerable": [ 1745 | ">=0.8.0" 1746 | ] 1747 | }, 1748 | "id": "snyk:lic:npm:oauth-sign:Apache-2.0", 1749 | "type": "license", 1750 | "packageManager": "npm", 1751 | "language": "js", 1752 | "packageName": "oauth-sign", 1753 | "title": "Apache-2.0 license", 1754 | "description": "Apache-2.0 license", 1755 | "publicationTime": "2018-03-11T12:36:42.196Z", 1756 | "creationTime": "2018-03-11T12:36:42.196Z", 1757 | "patches": [], 1758 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1759 | "severity": "medium", 1760 | "from": [ 1761 | "medium-sev-project@1.0.0", 1762 | "mosca@2.7.0", 1763 | "ascoltatori@3.2.0", 1764 | "kafka-node@0.5.9", 1765 | "snappy@5.0.5", 1766 | "node-gyp@3.4.0", 1767 | "request@2.83.0", 1768 | "oauth-sign@0.8.2" 1769 | ], 1770 | "upgradePath": [], 1771 | "version": "0.8.2", 1772 | "name": "oauth-sign", 1773 | "isUpgradable": false, 1774 | "isPatchable": false, 1775 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/oauth-sign/package.json", 1776 | "parentDepType": "prod" 1777 | }, 1778 | { 1779 | "license": "Apache-2.0", 1780 | "semver": { 1781 | "vulnerable": [ 1782 | ">=0.8.0" 1783 | ] 1784 | }, 1785 | "id": "snyk:lic:npm:oauth-sign:Apache-2.0", 1786 | "type": "license", 1787 | "packageManager": "npm", 1788 | "language": "js", 1789 | "packageName": "oauth-sign", 1790 | "title": "Apache-2.0 license", 1791 | "description": "Apache-2.0 license", 1792 | "publicationTime": "2018-03-11T12:36:42.196Z", 1793 | "creationTime": "2018-03-11T12:36:42.196Z", 1794 | "patches": [], 1795 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1796 | "severity": "medium", 1797 | "from": [ 1798 | "medium-sev-project@1.0.0", 1799 | "mosca@2.7.0", 1800 | "leveldown@1.4.6", 1801 | "prebuild@4.5.0", 1802 | "node-gyp@3.4.0", 1803 | "request@2.83.0", 1804 | 
"oauth-sign@0.8.2" 1805 | ], 1806 | "upgradePath": [], 1807 | "version": "0.8.2", 1808 | "name": "oauth-sign", 1809 | "isUpgradable": false, 1810 | "isPatchable": false, 1811 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/oauth-sign/package.json", 1812 | "parentDepType": "prod" 1813 | }, 1814 | { 1815 | "license": "Apache-2.0", 1816 | "semver": { 1817 | "vulnerable": [ 1818 | ">=0.8.0" 1819 | ] 1820 | }, 1821 | "id": "snyk:lic:npm:oauth-sign:Apache-2.0", 1822 | "type": "license", 1823 | "packageManager": "npm", 1824 | "language": "js", 1825 | "packageName": "oauth-sign", 1826 | "title": "Apache-2.0 license", 1827 | "description": "Apache-2.0 license", 1828 | "publicationTime": "2018-03-11T12:36:42.196Z", 1829 | "creationTime": "2018-03-11T12:36:42.196Z", 1830 | "patches": [], 1831 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1832 | "severity": "medium", 1833 | "from": [ 1834 | "medium-sev-project@1.0.0", 1835 | "mosca@2.7.0", 1836 | "leveldown@1.4.6", 1837 | "prebuild@4.5.0", 1838 | "node-ninja@1.0.2", 1839 | "request@2.83.0", 1840 | "oauth-sign@0.8.2" 1841 | ], 1842 | "upgradePath": [], 1843 | "version": "0.8.2", 1844 | "name": "oauth-sign", 1845 | "isUpgradable": false, 1846 | "isPatchable": false, 1847 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/oauth-sign/package.json", 1848 | "parentDepType": "prod" 1849 | }, 1850 | { 1851 | "license": "Apache-2.0", 1852 | "semver": { 1853 | "vulnerable": [ 1854 | ">=2.34.0" 1855 | ] 1856 | }, 1857 | "id": "snyk:lic:npm:request:Apache-2.0", 1858 | "type": "license", 1859 | "packageManager": "npm", 1860 | "language": "js", 1861 | "packageName": "request", 1862 | "title": "Apache-2.0 license", 1863 | "description": "Apache-2.0 license", 1864 | "publicationTime": "2018-03-11T12:36:42.865Z", 1865 | "creationTime": "2018-03-11T12:36:42.865Z", 1866 | "patches": [], 1867 | "licenseTemplateUrl": 
"https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1868 | "severity": "medium", 1869 | "from": [ 1870 | "medium-sev-project@1.0.0", 1871 | "mosca@2.7.0", 1872 | "ascoltatori@3.2.0", 1873 | "kafka-node@0.5.9", 1874 | "snappy@5.0.5", 1875 | "node-gyp@3.4.0", 1876 | "request@2.83.0" 1877 | ], 1878 | "upgradePath": [], 1879 | "version": "2.83.0", 1880 | "name": "request", 1881 | "isUpgradable": false, 1882 | "isPatchable": false, 1883 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/request/package.json", 1884 | "parentDepType": "prod" 1885 | }, 1886 | { 1887 | "license": "Apache-2.0", 1888 | "semver": { 1889 | "vulnerable": [ 1890 | ">=2.34.0" 1891 | ] 1892 | }, 1893 | "id": "snyk:lic:npm:request:Apache-2.0", 1894 | "type": "license", 1895 | "packageManager": "npm", 1896 | "language": "js", 1897 | "packageName": "request", 1898 | "title": "Apache-2.0 license", 1899 | "description": "Apache-2.0 license", 1900 | "publicationTime": "2018-03-11T12:36:42.865Z", 1901 | "creationTime": "2018-03-11T12:36:42.865Z", 1902 | "patches": [], 1903 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1904 | "severity": "medium", 1905 | "from": [ 1906 | "medium-sev-project@1.0.0", 1907 | "mosca@2.7.0", 1908 | "leveldown@1.4.6", 1909 | "prebuild@4.5.0", 1910 | "node-gyp@3.4.0", 1911 | "request@2.83.0" 1912 | ], 1913 | "upgradePath": [], 1914 | "version": "2.83.0", 1915 | "name": "request", 1916 | "isUpgradable": false, 1917 | "isPatchable": false, 1918 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/request/package.json", 1919 | "parentDepType": "prod" 1920 | }, 1921 | { 1922 | "license": "Apache-2.0", 1923 | "semver": { 1924 | "vulnerable": [ 1925 | ">=2.34.0" 1926 | ] 1927 | }, 1928 | "id": "snyk:lic:npm:request:Apache-2.0", 1929 | "type": "license", 1930 | "packageManager": "npm", 1931 | "language": "js", 1932 | "packageName": 
"request", 1933 | "title": "Apache-2.0 license", 1934 | "description": "Apache-2.0 license", 1935 | "publicationTime": "2018-03-11T12:36:42.865Z", 1936 | "creationTime": "2018-03-11T12:36:42.865Z", 1937 | "patches": [], 1938 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1939 | "severity": "medium", 1940 | "from": [ 1941 | "medium-sev-project@1.0.0", 1942 | "mosca@2.7.0", 1943 | "leveldown@1.4.6", 1944 | "prebuild@4.5.0", 1945 | "node-ninja@1.0.2", 1946 | "request@2.83.0" 1947 | ], 1948 | "upgradePath": [], 1949 | "version": "2.83.0", 1950 | "name": "request", 1951 | "isUpgradable": false, 1952 | "isPatchable": false, 1953 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/request/package.json", 1954 | "parentDepType": "prod" 1955 | }, 1956 | { 1957 | "license": "Apache-2.0", 1958 | "semver": { 1959 | "vulnerable": [ 1960 | "*" 1961 | ] 1962 | }, 1963 | "id": "snyk:lic:npm:require_optional:Apache-2.0", 1964 | "type": "license", 1965 | "packageManager": "npm", 1966 | "language": "js", 1967 | "packageName": "require_optional", 1968 | "title": "Apache-2.0 license", 1969 | "description": "Apache-2.0 license", 1970 | "publicationTime": "2018-03-11T12:36:42.870Z", 1971 | "creationTime": "2018-03-11T12:36:42.870Z", 1972 | "patches": [], 1973 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 1974 | "severity": "medium", 1975 | "from": [ 1976 | "medium-sev-project@1.0.0", 1977 | "mosca@2.7.0", 1978 | "mongodb@2.1.21", 1979 | "mongodb-core@1.3.21", 1980 | "require_optional@1.0.1" 1981 | ], 1982 | "upgradePath": [], 1983 | "version": "1.0.1", 1984 | "name": "require_optional", 1985 | "isUpgradable": false, 1986 | "isPatchable": false, 1987 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/require_optional/package.json", 1988 | "parentDepType": "prod" 1989 | }, 1990 | { 1991 | "license": "Apache-2.0", 
1992 | "semver": { 1993 | "vulnerable": [ 1994 | "*" 1995 | ] 1996 | }, 1997 | "id": "snyk:lic:npm:require_optional:Apache-2.0", 1998 | "type": "license", 1999 | "packageManager": "npm", 2000 | "language": "js", 2001 | "packageName": "require_optional", 2002 | "title": "Apache-2.0 license", 2003 | "description": "Apache-2.0 license", 2004 | "publicationTime": "2018-03-11T12:36:42.870Z", 2005 | "creationTime": "2018-03-11T12:36:42.870Z", 2006 | "patches": [], 2007 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 2008 | "severity": "medium", 2009 | "from": [ 2010 | "medium-sev-project@1.0.0", 2011 | "mosca@2.7.0", 2012 | "ascoltatori@3.2.0", 2013 | "mongodb@2.1.21", 2014 | "mongodb-core@1.3.21", 2015 | "require_optional@1.0.1" 2016 | ], 2017 | "upgradePath": [], 2018 | "version": "1.0.1", 2019 | "name": "require_optional", 2020 | "isUpgradable": false, 2021 | "isPatchable": false, 2022 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/require_optional/package.json", 2023 | "parentDepType": "prod" 2024 | }, 2025 | { 2026 | "license": "Apache-2.0", 2027 | "semver": { 2028 | "vulnerable": [ 2029 | ">=0.4.2" 2030 | ] 2031 | }, 2032 | "id": "snyk:lic:npm:tunnel-agent:Apache-2.0", 2033 | "type": "license", 2034 | "packageManager": "npm", 2035 | "language": "js", 2036 | "packageName": "tunnel-agent", 2037 | "title": "Apache-2.0 license", 2038 | "description": "Apache-2.0 license", 2039 | "publicationTime": "2018-03-11T12:36:43.642Z", 2040 | "creationTime": "2018-03-11T12:36:43.642Z", 2041 | "patches": [], 2042 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 2043 | "severity": "medium", 2044 | "from": [ 2045 | "medium-sev-project@1.0.0", 2046 | "mosca@2.7.0", 2047 | "ascoltatori@3.2.0", 2048 | "kafka-node@0.5.9", 2049 | "snappy@5.0.5", 2050 | "node-gyp@3.4.0", 2051 | "request@2.83.0", 2052 | "tunnel-agent@0.6.0" 2053 | ], 2054 | 
"upgradePath": [], 2055 | "version": "0.6.0", 2056 | "name": "tunnel-agent", 2057 | "isUpgradable": false, 2058 | "isPatchable": false, 2059 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/tunnel-agent/package.json", 2060 | "parentDepType": "prod" 2061 | }, 2062 | { 2063 | "license": "Apache-2.0", 2064 | "semver": { 2065 | "vulnerable": [ 2066 | ">=0.4.2" 2067 | ] 2068 | }, 2069 | "id": "snyk:lic:npm:tunnel-agent:Apache-2.0", 2070 | "type": "license", 2071 | "packageManager": "npm", 2072 | "language": "js", 2073 | "packageName": "tunnel-agent", 2074 | "title": "Apache-2.0 license", 2075 | "description": "Apache-2.0 license", 2076 | "publicationTime": "2018-03-11T12:36:43.642Z", 2077 | "creationTime": "2018-03-11T12:36:43.642Z", 2078 | "patches": [], 2079 | "licenseTemplateUrl": "https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 2080 | "severity": "medium", 2081 | "from": [ 2082 | "medium-sev-project@1.0.0", 2083 | "mosca@2.7.0", 2084 | "leveldown@1.4.6", 2085 | "prebuild@4.5.0", 2086 | "node-gyp@3.4.0", 2087 | "request@2.83.0", 2088 | "tunnel-agent@0.6.0" 2089 | ], 2090 | "upgradePath": [], 2091 | "version": "0.6.0", 2092 | "name": "tunnel-agent", 2093 | "isUpgradable": false, 2094 | "isPatchable": false, 2095 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/tunnel-agent/package.json", 2096 | "parentDepType": "prod" 2097 | }, 2098 | { 2099 | "license": "Apache-2.0", 2100 | "semver": { 2101 | "vulnerable": [ 2102 | ">=0.4.2" 2103 | ] 2104 | }, 2105 | "id": "snyk:lic:npm:tunnel-agent:Apache-2.0", 2106 | "type": "license", 2107 | "packageManager": "npm", 2108 | "language": "js", 2109 | "packageName": "tunnel-agent", 2110 | "title": "Apache-2.0 license", 2111 | "description": "Apache-2.0 license", 2112 | "publicationTime": "2018-03-11T12:36:43.642Z", 2113 | "creationTime": "2018-03-11T12:36:43.642Z", 2114 | "patches": [], 2115 | "licenseTemplateUrl": 
"https://raw.githubusercontent.com/spdx/license-list/master/Apache-2.0.txt", 2116 | "severity": "medium", 2117 | "from": [ 2118 | "medium-sev-project@1.0.0", 2119 | "mosca@2.7.0", 2120 | "leveldown@1.4.6", 2121 | "prebuild@4.5.0", 2122 | "node-ninja@1.0.2", 2123 | "request@2.83.0", 2124 | "tunnel-agent@0.6.0" 2125 | ], 2126 | "upgradePath": [], 2127 | "version": "0.6.0", 2128 | "name": "tunnel-agent", 2129 | "isUpgradable": false, 2130 | "isPatchable": false, 2131 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/tunnel-agent/package.json", 2132 | "parentDepType": "prod" 2133 | } 2134 | ], 2135 | "dependencyCount": 398, 2136 | "org": "aarlaud-snyk-demo", 2137 | "licensesPolicy": { 2138 | "severities": { 2139 | "MS-RL": "medium", 2140 | "EPL-1.0": "medium", 2141 | "GPL-2.0": "high", 2142 | "GPL-3.0": "high", 2143 | "MPL-1.1": "medium", 2144 | "MPL-2.0": "medium", 2145 | "AGPL-1.0": "high", 2146 | "AGPL-3.0": "high", 2147 | "CDDL-1.0": "medium", 2148 | "LGPL-2.0": "medium", 2149 | "LGPL-2.1": "medium", 2150 | "LGPL-3.0": "medium", 2151 | "CPOL-1.02": "high", 2152 | "LGPL-2.1+": "medium", 2153 | "LGPL-3.0+": "medium", 2154 | "SimPL-2.0": "high", 2155 | "Apache-2.0": "medium", 2156 | "Artistic-1.0": "medium", 2157 | "Artistic-2.0": "medium" 2158 | } 2159 | }, 2160 | "isPrivate": true, 2161 | "packageManager": "npm", 2162 | "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.10.2\nignore: {}\npatch: {}\n", 2163 | "ignoreSettings": null, 2164 | "summary": "46 vulnerable dependency paths", 2165 | "filesystemPolicy": false, 2166 | "filtered": { 2167 | "ignore": [], 2168 | "patch": [] 2169 | }, 2170 | "uniqueCount": 17, 2171 | "path": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project" 2172 | } 2173 | -------------------------------------------------------------------------------- /sample-filters/example-complex-combination-SCA.yml: 
-------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: ".vulnerabilities |= map(if ((.type == \"license\" and .severity==\"high\"), select(.exploit != null and .exploit != \"Not Defined\" and .exploit != \"Unproven\" and .cvssScore>=7.0 and (.isUpgradable == true or .isPatchable ==true))) then . else empty end)" 4 | pass: ".vulnerabilities[] | select(.type == \"license\" and .severity==\"high\"), select(.exploit != null and .exploit != \"Not Defined\" and .exploit != \"Unproven\" and .cvssScore>=7.0 and (.isUpgradable == true or .isPatchable ==true)) | length" 5 | msg: "Issues found with filter -> License issue is High severity or Vulnerability is Exploitable, fixable and severe!! " 6 | -------------------------------------------------------------------------------- /sample-filters/example-cvss-9-or-above.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: ".vulnerabilities |= map(if .cvssScore >= 9 then . else empty end)" 4 | pass: "[.vulnerabilities[] | select(.cvssScore >= 9)] | length" 5 | msg: "Vulnerabilities with CVSS Score of 9+ found" -------------------------------------------------------------------------------- /sample-filters/example-high-vulns-ignore-package-names.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: ".vulnerabilities |= map(if ((.severity == \"high\") and (.packageName != \"org.apache.struts:struts2-core\") and (.packageName != \"org.apache.struts.xwork:xwork-core\") and (.packageName != \"org.springframework:spring-web\")) then . 
else empty end)" 4 | pass: ".vulnerabilities[] | select ((.severity == \"high\") and (.packageName != \"org.apache.struts:struts2-core\") and (.packageName != \"org.apache.struts.xwork:xwork-core\") and (.packageName != \"org.springframework:spring-web\")) | length" 5 | msg: "Issues found with filter -> severity: high, packageName is not one of (org.apache.struts.xwork:xwork-core,org.apache.struts:struts2-core,org.springframework:spring-web)" 6 | -------------------------------------------------------------------------------- /sample-filters/example-high-vulns-upgradeable.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: ".vulnerabilities |= map(if .isUpgradable == true and .severity == \"high\" then . else empty end)" 4 | pass: "[.vulnerabilities[] | select(.severity == \"high\" and .isUpgradable == true)] | length" 5 | msg: "High severity & upgradeable vulns found. Please review upgrade steps" 6 | -------------------------------------------------------------------------------- /sample-filters/example-iac-high-or-above-issues.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: "[.infrastructureAsCodeIssues[] | if .severity == \"high\" or .severity == \"critical\" then . else empty end]" 4 | pass: "[.infrastructureAsCodeIssues[] | select(.severity == \"high\" or .severity == \"critical\")] | length" 5 | msg: "High or above severity infrastructure as code issues found. Please review resolve steps" 6 | -------------------------------------------------------------------------------- /sample-filters/example-iac-high-or-above-s3-only-issues.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: "[.infrastructureAsCodeIssues[] | if .subType == \"S3\" and (.severity == \"low\" or .severity == \"medium\") then . 
else empty end]" 4 | pass: "[.infrastructureAsCodeIssues[] | select(.subType == \"S3\" and (.severity == \"low\" or .severity == \"medium\"))] | length" 5 | msg: "High or above severity S3 only type infrastructure as code issues found. Please review resolve steps" 6 | -------------------------------------------------------------------------------- /sample-filters/example-licenses-only.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: ".vulnerabilities |= map(if .type == \"license\" then . else empty end)" 4 | pass: "[.vulnerabilities[] | select(.type == \"license\")] | length" 5 | msg: "Vulnerabilities found" 6 | -------------------------------------------------------------------------------- /sample-filters/example-medium-or-above-vulns-upgradeable.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: ".vulnerabilities |= map(if .isUpgradable == true and .severity != \"low\" then . else empty end)" 4 | pass: "[.vulnerabilities[] | select(.severity != \"low\" and .isUpgradable == true)] | length" 5 | msg: "Medium or above severity & upgradeable vulns found. Please review upgrade steps" 6 | -------------------------------------------------------------------------------- /sample-filters/example-more-than-n-vulns: -------------------------------------------------------------------------------- 1 | # This filter fails if there are: >2 high, upgradeable vulns OR >0 critical, upgradeable vulns 2 | version: 2 3 | customFilters: 4 | filter: "if ([.vulnerabilities[] | select(.isUpgradable == true and .severity == \"high\")] | length > 2) or ([.vulnerabilities[] | select(.isUpgradable == true and .severity == \"critical\")] | length > 0) then .vulnerabilities |= map(if .isUpgradable == true and (.severity == \"high\" or .severity == \"critical\") then . 
else empty end) else .vulnerabilities |= map(empty) end" 5 | pass: "if ([.vulnerabilities[] | select(.isUpgradable == true and .severity == \"high\")] | length > 2) or ([.vulnerabilities[] | select(.isUpgradable == true and .severity == \"critical\")] | length > 0) then 1 else 0 end" 6 | msg: "High and critical severity & upgradeable vulns found. Please review upgrade steps" 7 | -------------------------------------------------------------------------------- /sample-filters/example-vulns-only.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | customFilters: 3 | filter: ".vulnerabilities |= map(if .type != \"license\" then . else empty end)" 4 | pass: "[.vulnerabilities[] | select(.type != \"license\")] | length" 5 | msg: "Vulnerabilities found" 6 | -------------------------------------------------------------------------------- /tests/fixtures/test_filters.json: -------------------------------------------------------------------------------- 1 | { 2 | "filters":{ 3 | "medium_and_upgradable": ".vulnerabilities |= map(if .isUpgradable == true and .severity == \"medium\" then . else empty end)", 4 | "low_and_upgradable": ".vulnerabilities |= map(if .isUpgradable == true and .severity == \"low\" then . else empty end)", 5 | "low_and_non_upgradable": ".vulnerabilities |= map(if .isUpgradable == false and .severity == \"low\" then . else empty end)", 6 | "medium_and_non_upgradable": ".vulnerabilities |= map(if .isUpgradable == false and .severity == \"medium\" then . 
else empty end)" 7 | }, 8 | "passFilters":{ 9 | "medium_and_upgradable": "[.vulnerabilities[] | select(.severity == \"medium\" and .isUpgradable == true)] | length", 10 | "low_and_upgradable": "[.vulnerabilities[] | select(.severity == \"low\" and .isUpgradable == true)] | length", 11 | "low_and_non_upgradable": "[.vulnerabilities[] | select(.severity == \"low\" and .isUpgradable == false)] | length", 12 | "medium_and_non_upgradable": "[.vulnerabilities[] | select(.severity == \"medium\" and .isUpgradable == false)] | length" 13 | }, 14 | "failMessages": { 15 | "medium_and_upgradable": "Upgradable medium Severity issues detected. Please review upgrade steps", 16 | "low_and_upgradable": "Upgradable low Severity issues detected. Please review upgrade steps", 17 | "low_and_non_upgradable": "Non upgradable low Severity issues detected. Please review upgrade steps", 18 | "medium_and_non_upgradable": "Non upgradable Medium Severity issues detected. Please review upgrade steps" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /tests/fixtures/test_results.json: -------------------------------------------------------------------------------- 1 | { 2 | "sample_input": { 3 | "ok": false, 4 | "vulnerabilities": [ 5 | { 6 | "title": "Uninitialized Memory Exposure", 7 | "credit": [ 8 | "Feross Aboukhadijeh" 9 | ], 10 | "moduleName": "bl", 11 | "language": "js", 12 | "packageManager": "npm", 13 | "id": "npm:bl:20160119", 14 | "packageName": "bl", 15 | "description": "## Overview\n[bl](https://www.npmjs.com/package/bl) is a storage object for collections of Node Buffers.\n\nA possible memory disclosure vulnerability exists when a value of type `number` is provided to the `append()` method and results in concatenation of uninitialized memory to the buffer collection.\n\nThis is a result of unobstructed use of the `Buffer` constructor, whose [insecure default constructor increases the odds of memory 
leakage](https://snyk.io/blog/exploiting-buffer/).\n\n## Details\nConstructing a `Buffer` class with integer `N` creates a `Buffer` of length `N` with raw (not \"zero-ed\") memory.\n\nIn the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string \"100\":\n```js\n// uninitialized Buffer of length 100\nx = new Buffer(100);\n// initialized Buffer with value of '100'\nx = new Buffer('100');\n```\n\n`bl`'s `append` function uses the default `Buffer` constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. This is a similar vulnerability to the infamous [`Heartbleed`](http://heartbleed.com/) flaw in OpenSSL.\n\n```js\nconst BufferList = require('bl')\n\nvar bl = new BufferList()\nbl.append(new Buffer('abcd'))\nbl.append(new Buffer('efg'))\nbl.append('100')\n// appends a Buffer holding 100 bytes of uninitialized memory\nbl.append(100) \nbl.append(new Buffer('j'))\n```\n\nYou can read more about the insecure `Buffer` behavior [on our blog](https://snyk.io/blog/exploiting-buffer/).\n\nSimilar vulnerabilities were discovered in [request](https://snyk.io/vuln/npm:request:20160119), [mongoose](https://snyk.io/vuln/npm:mongoose:20160116), [ws](https://snyk.io/vuln/npm:ws:20160104) and [sequelize](https://snyk.io/vuln/npm:sequelize:20160115).\n\n## References\n- https://github.com/rvagg/bl/pull/22\n- https://github.com/rvagg/bl/compare/v1.0.0...v1.0.1\n- https://snyk.io/blog/exploiting-buffer/\n", 16 | "semver": { 17 | "vulnerable": "<0.9.5 || 1.0.0", 18 | "unaffected": ">1.0.0 || 0.9.5" 19 | }, 20 | "identifiers": { 21 | "CWE": [ 22 | "CWE-201" 23 | ], 24 | "CVE": [], 25 | "ALTERNATIVE": [ 26 | "SNYK-JS-BL-10138" 27 | ] 28 | }, 29 | "patches": [ 30 | { 31 | "urls": [ 32 | 
"https://s3.amazonaws.com/snyk-rules-pre-repository/snapshots/master/patches/npm/bl/20160119/bl_20160911_0_0_061279d92f45f4e04f3cb252db3816feb4bc6f33.patch" 33 | ], 34 | "version": "0.9.4 || 1.0.0", 35 | "modificationTime": "2016-09-11T00:00:00.000Z", 36 | "comments": [], 37 | "id": "patch:npm:bl:20160119:0" 38 | } 39 | ], 40 | "cvssScore": 5.1, 41 | "severity": "medium", 42 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 43 | "creationTime": "2016-09-11T17:00:00.000Z", 44 | "modificationTime": "2016-09-11T17:00:00.000Z", 45 | "publicationTime": "2016-09-18T17:00:00.000Z", 46 | "disclosureTime": "2016-01-19T18:58:00.000Z", 47 | "alternativeIds": [ 48 | "SNYK-JS-BL-10138" 49 | ], 50 | "from": [ 51 | "medium-sev-project@1.0.0", 52 | "mosca@2.7.0", 53 | "level-sublevel@6.6.1", 54 | "levelup@0.19.1", 55 | "bl@0.8.2" 56 | ], 57 | "upgradePath": [ 58 | false, 59 | false, 60 | false, 61 | "levelup@1.0.0" 62 | ], 63 | "version": "0.8.2", 64 | "name": "bl", 65 | "isUpgradable": false, 66 | "isPatchable": false, 67 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/level-sublevel/node_modules/bl/package.json", 68 | "parentDepType": "prod" 69 | }, 70 | { 71 | "title": "Regular Expression Denial of Service (ReDoS)", 72 | "credit": [ 73 | "Jamie Davis" 74 | ], 75 | "moduleName": "bson", 76 | "packageName": "bson", 77 | "language": "js", 78 | "packageManager": "npm", 79 | "description": "## Overview\n[`bson`](https://www.npmjs.com/package/bson) is a bson parser for node.js and the browser\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. 
This can cause an impact of about 10 seconds matching time for data 50K characters long.\n\n## Disclosure Timeline\n* Feb 15th, 2018 - Initial Disclosure to package owner\n* Feb 26th, 2018 - Initial Response from package owner\n* Feb 26th, 2018 - Fix issued\n* Feb 27th, 2018 - Vulnerability published\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). 
The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. 
When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `bson` to version 1.0.5 or higher\n\n## References\n- [GitHub Commit](https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a)", 80 | "semver": { 81 | "vulnerable": "<1.0.5", 82 | "unaffected": ">=1.0.5" 83 | }, 84 | "identifiers": { 85 | "CWE": [ 86 | "CWE-185", 87 | "CWE-400" 88 | ], 89 | "CVE": [], 90 | "ALTERNATIVE": [ 91 | "SNYK-JS-BSON-10988" 92 | ] 93 | }, 94 | "patches": [], 95 | "cvssScore": 3.7, 96 | "severity": "low", 97 | "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", 98 | "creationTime": "2018-02-27T13:46:53.813Z", 99 | "modificationTime": "2018-02-27T13:46:53.813Z", 100 | "publicationTime": "2018-02-27T16:32:24.910Z", 101 | "disclosureTime": "2018-02-27T13:46:53.813Z", 102 | "id": "npm:bson:20180225", 103 | "alternativeIds": [ 104 | "SNYK-JS-BSON-10988" 105 | ], 106 | "from": [ 107 | "medium-sev-project@1.0.0", 108 | "mosca@2.7.0", 109 | "ascoltatori@3.2.0", 110 | "mongodb@2.1.21", 111 | "mongodb-core@1.3.21", 112 | "bson@0.4.23" 113 | ], 114 | "upgradePath": [ 115 | false, 116 | "mosca@2.7.0", 117 | "ascoltatori@3.2.0", 118 | 
"mongodb@2.2.13", 119 | "mongodb-core@2.1.0", 120 | "bson@1.0.5" 121 | ], 122 | "version": "0.4.23", 123 | "name": "bson", 124 | "isUpgradable": true, 125 | "isPatchable": false, 126 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/bson/package.json", 127 | "parentDepType": "prod" 128 | } 129 | ], 130 | "dependencyCount": 398, 131 | "org": "aarlaud-snyk-demo", 132 | "licensesPolicy": { 133 | "severities": { 134 | "MS-RL": "medium", 135 | "EPL-1.0": "medium", 136 | "GPL-2.0": "high", 137 | "GPL-3.0": "high", 138 | "MPL-1.1": "medium", 139 | "MPL-2.0": "medium", 140 | "AGPL-1.0": "high", 141 | "AGPL-3.0": "high", 142 | "CDDL-1.0": "medium", 143 | "LGPL-2.0": "medium", 144 | "LGPL-2.1": "medium", 145 | "LGPL-3.0": "medium", 146 | "CPOL-1.02": "high", 147 | "LGPL-2.1+": "medium", 148 | "LGPL-3.0+": "medium", 149 | "SimPL-2.0": "high", 150 | "Apache-2.0": "medium", 151 | "Artistic-1.0": "medium", 152 | "Artistic-2.0": "medium" 153 | } 154 | }, 155 | "isPrivate": true, 156 | "packageManager": "npm", 157 | "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.10.2\nignore: {}\npatch: {}\n", 158 | "ignoreSettings": null, 159 | "summary": "46 vulnerable dependency paths", 160 | "filesystemPolicy": false, 161 | "filtered": { 162 | "ignore": [], 163 | "patch": [] 164 | }, 165 | "uniqueCount": 17, 166 | "path": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project" 167 | }, 168 | "sample_output_medium_and_upgradable":{ 169 | "ok": false, 170 | "vulnerabilities": [ 171 | ], 172 | "dependencyCount": 398, 173 | "org": "aarlaud-snyk-demo", 174 | "licensesPolicy": { 175 | "severities": { 176 | "MS-RL": "medium", 177 | "EPL-1.0": "medium", 178 | "GPL-2.0": "high", 179 | "GPL-3.0": "high", 180 | "MPL-1.1": "medium", 181 | "MPL-2.0": "medium", 182 | "AGPL-1.0": "high", 183 | "AGPL-3.0": "high", 184 | "CDDL-1.0": "medium", 185 | "LGPL-2.0": "medium", 186 | "LGPL-2.1": "medium", 187 | "LGPL-3.0": 
"medium", 188 | "CPOL-1.02": "high", 189 | "LGPL-2.1+": "medium", 190 | "LGPL-3.0+": "medium", 191 | "SimPL-2.0": "high", 192 | "Apache-2.0": "medium", 193 | "Artistic-1.0": "medium", 194 | "Artistic-2.0": "medium" 195 | } 196 | }, 197 | "isPrivate": true, 198 | "packageManager": "npm", 199 | "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.10.2\nignore: {}\npatch: {}\n", 200 | "ignoreSettings": null, 201 | "summary": "46 vulnerable dependency paths", 202 | "filesystemPolicy": false, 203 | "filtered": { 204 | "ignore": [], 205 | "patch": [] 206 | }, 207 | "uniqueCount": 17, 208 | "path": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project" 209 | }, 210 | "sample_output_low_and_upgradable":{ 211 | "ok": false, 212 | "vulnerabilities": [ 213 | { 214 | "title": "Regular Expression Denial of Service (ReDoS)", 215 | "credit": [ 216 | "Jamie Davis" 217 | ], 218 | "moduleName": "bson", 219 | "packageName": "bson", 220 | "language": "js", 221 | "packageManager": "npm", 222 | "description": "## Overview\n[`bson`](https://www.npmjs.com/package/bson) is a bson parser for node.js and the browser\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds matching time for data 50K characters long.\n\n## Disclosure Timeline\n* Feb 15th, 2018 - Initial Disclosure to package owner\n* Feb 26th, 2018 - Initial Response from package owner\n* Feb 26th, 2018 - Fix issued\n* Feb 27th, 2018 - Vulnerability published\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. 
There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.\n\nThe Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.\n\nLet’s take the following regular expression as an example:\n```js\nregex = /A(B|C+)+D/\n```\n\nThis regular expression accomplishes the following:\n- `A` The string must start with the letter 'A'\n- `(B|C+)+` The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the `+` matches one or more times). The `+` at the end of this section states that we can look for one or more matches of this section.\n- `D` Finally, we ensure this section of the string ends with a 'D'\n\nThe expression would match inputs such as `ABBD`, `ABCCCCD`, `ABCBCCCD` and `ACCCCCD`\n\nIt most cases, it doesn't take very long for a regex engine to find a match:\n\n```bash\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD\")'\n0.04s user 0.01s system 95% cpu 0.052 total\n\n$ time node -e '/A(B|C+)+D/.test(\"ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX\")'\n1.79s user 0.02s system 99% cpu 1.812 total\n```\n\nThe entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.\n\nMost Regex engines will work very similarly (with minor differences). 
The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as _catastrophic backtracking_.\n\nLet's look at how our expression runs into this problem, using a shorter string: \"ACCCX\". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:\n1. CCC\n2. CC+C\n3. C+CC\n4. C+C+C.\n\nThe engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use [RegEx 101 debugger](https://regex101.com/debugger) to see the engine has to take a total of 38 steps before it can determine the string doesn't match.\n\nFrom there, the number of steps the engine must use to validate a string just continues to grow.\n\n| String | Number of C's | Number of steps |\n| -------|-------------:| -----:|\n| ACCCX | 3 | 38\n| ACCCCX | 4 | 71\n| ACCCCCX | 5 | 136\n| ACCCCCCCCCCCCCCX | 14 | 65,553\n\nBy the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. 
These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.\n\n## Remediation\nUpgrade `bson` to version 1.0.5 or higher\n\n## References\n- [GitHub Commit](https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a)", 223 | "semver": { 224 | "vulnerable": "<1.0.5", 225 | "unaffected": ">=1.0.5" 226 | }, 227 | "identifiers": { 228 | "CWE": [ 229 | "CWE-185", 230 | "CWE-400" 231 | ], 232 | "CVE": [], 233 | "ALTERNATIVE": [ 234 | "SNYK-JS-BSON-10988" 235 | ] 236 | }, 237 | "patches": [], 238 | "cvssScore": 3.7, 239 | "severity": "low", 240 | "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", 241 | "creationTime": "2018-02-27T13:46:53.813Z", 242 | "modificationTime": "2018-02-27T13:46:53.813Z", 243 | "publicationTime": "2018-02-27T16:32:24.910Z", 244 | "disclosureTime": "2018-02-27T13:46:53.813Z", 245 | "id": "npm:bson:20180225", 246 | "alternativeIds": [ 247 | "SNYK-JS-BSON-10988" 248 | ], 249 | "from": [ 250 | "medium-sev-project@1.0.0", 251 | "mosca@2.7.0", 252 | "ascoltatori@3.2.0", 253 | "mongodb@2.1.21", 254 | "mongodb-core@1.3.21", 255 | "bson@0.4.23" 256 | ], 257 | "upgradePath": [ 258 | false, 259 | "mosca@2.7.0", 260 | "ascoltatori@3.2.0", 261 | "mongodb@2.2.13", 262 | "mongodb-core@2.1.0", 263 | "bson@1.0.5" 264 | ], 265 | "version": "0.4.23", 266 | "name": "bson", 267 | "isUpgradable": true, 268 | "isPatchable": false, 269 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/bson/package.json", 270 | "parentDepType": "prod" 271 | } 272 | ], 273 | "dependencyCount": 398, 274 | "org": "aarlaud-snyk-demo", 275 | "licensesPolicy": { 276 | "severities": { 277 | "MS-RL": "medium", 278 | "EPL-1.0": "medium", 279 | "GPL-2.0": "high", 280 | "GPL-3.0": "high", 281 | "MPL-1.1": "medium", 282 | "MPL-2.0": "medium", 283 | 
"AGPL-1.0": "high", 284 | "AGPL-3.0": "high", 285 | "CDDL-1.0": "medium", 286 | "LGPL-2.0": "medium", 287 | "LGPL-2.1": "medium", 288 | "LGPL-3.0": "medium", 289 | "CPOL-1.02": "high", 290 | "LGPL-2.1+": "medium", 291 | "LGPL-3.0+": "medium", 292 | "SimPL-2.0": "high", 293 | "Apache-2.0": "medium", 294 | "Artistic-1.0": "medium", 295 | "Artistic-2.0": "medium" 296 | } 297 | }, 298 | "isPrivate": true, 299 | "packageManager": "npm", 300 | "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.10.2\nignore: {}\npatch: {}\n", 301 | "ignoreSettings": null, 302 | "summary": "46 vulnerable dependency paths", 303 | "filesystemPolicy": false, 304 | "filtered": { 305 | "ignore": [], 306 | "patch": [] 307 | }, 308 | "uniqueCount": 17, 309 | "path": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project" 310 | }, 311 | "sample_output_low_and_non_upgradable":{ 312 | "ok": false, 313 | "vulnerabilities": [ 314 | ], 315 | "dependencyCount": 398, 316 | "org": "aarlaud-snyk-demo", 317 | "licensesPolicy": { 318 | "severities": { 319 | "MS-RL": "medium", 320 | "EPL-1.0": "medium", 321 | "GPL-2.0": "high", 322 | "GPL-3.0": "high", 323 | "MPL-1.1": "medium", 324 | "MPL-2.0": "medium", 325 | "AGPL-1.0": "high", 326 | "AGPL-3.0": "high", 327 | "CDDL-1.0": "medium", 328 | "LGPL-2.0": "medium", 329 | "LGPL-2.1": "medium", 330 | "LGPL-3.0": "medium", 331 | "CPOL-1.02": "high", 332 | "LGPL-2.1+": "medium", 333 | "LGPL-3.0+": "medium", 334 | "SimPL-2.0": "high", 335 | "Apache-2.0": "medium", 336 | "Artistic-1.0": "medium", 337 | "Artistic-2.0": "medium" 338 | } 339 | }, 340 | "isPrivate": true, 341 | "packageManager": "npm", 342 | "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.10.2\nignore: {}\npatch: {}\n", 343 | "ignoreSettings": null, 344 | "summary": "46 vulnerable dependency paths", 345 | "filesystemPolicy": false, 346 | "filtered": { 347 | "ignore": [], 348 | "patch": [] 349 | 
}, 350 | "uniqueCount": 17, 351 | "path": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project" 352 | }, 353 | "sample_output_medium_and_non_upgradable":{ 354 | "ok": false, 355 | "vulnerabilities": [ 356 | { 357 | "title": "Uninitialized Memory Exposure", 358 | "credit": [ 359 | "Feross Aboukhadijeh" 360 | ], 361 | "moduleName": "bl", 362 | "language": "js", 363 | "packageManager": "npm", 364 | "id": "npm:bl:20160119", 365 | "packageName": "bl", 366 | "description": "## Overview\n[bl](https://www.npmjs.com/package/bl) is a storage object for collections of Node Buffers.\n\nA possible memory disclosure vulnerability exists when a value of type `number` is provided to the `append()` method and results in concatenation of uninitialized memory to the buffer collection.\n\nThis is a result of unobstructed use of the `Buffer` constructor, whose [insecure default constructor increases the odds of memory leakage](https://snyk.io/blog/exploiting-buffer/).\n\n## Details\nConstructing a `Buffer` class with integer `N` creates a `Buffer` of length `N` with raw (not \"zero-ed\") memory.\n\nIn the following example, the first call would allocate 100 bytes of memory, while the second example will allocate the memory needed for the string \"100\":\n```js\n// uninitialized Buffer of length 100\nx = new Buffer(100);\n// initialized Buffer with value of '100'\nx = new Buffer('100');\n```\n\n`bl`'s `append` function uses the default `Buffer` constructor as-is, making it easy to append uninitialized memory to an existing list. If the value of the buffer list is exposed to users, it may expose raw server side memory, potentially holding secrets, private data and code. 
This is a similar vulnerability to the infamous [`Heartbleed`](http://heartbleed.com/) flaw in OpenSSL.\n\n```js\nconst BufferList = require('bl')\n\nvar bl = new BufferList()\nbl.append(new Buffer('abcd'))\nbl.append(new Buffer('efg'))\nbl.append('100')\n// appends a Buffer holding 100 bytes of uninitialized memory\nbl.append(100) \nbl.append(new Buffer('j'))\n```\n\nYou can read more about the insecure `Buffer` behavior [on our blog](https://snyk.io/blog/exploiting-buffer/).\n\nSimilar vulnerabilities were discovered in [request](https://snyk.io/vuln/npm:request:20160119), [mongoose](https://snyk.io/vuln/npm:mongoose:20160116), [ws](https://snyk.io/vuln/npm:ws:20160104) and [sequelize](https://snyk.io/vuln/npm:sequelize:20160115).\n\n## References\n- https://github.com/rvagg/bl/pull/22\n- https://github.com/rvagg/bl/compare/v1.0.0...v1.0.1\n- https://snyk.io/blog/exploiting-buffer/\n", 367 | "semver": { 368 | "vulnerable": "<0.9.5 || 1.0.0", 369 | "unaffected": ">1.0.0 || 0.9.5" 370 | }, 371 | "identifiers": { 372 | "CWE": [ 373 | "CWE-201" 374 | ], 375 | "CVE": [], 376 | "ALTERNATIVE": [ 377 | "SNYK-JS-BL-10138" 378 | ] 379 | }, 380 | "patches": [ 381 | { 382 | "urls": [ 383 | "https://s3.amazonaws.com/snyk-rules-pre-repository/snapshots/master/patches/npm/bl/20160119/bl_20160911_0_0_061279d92f45f4e04f3cb252db3816feb4bc6f33.patch" 384 | ], 385 | "version": "0.9.4 || 1.0.0", 386 | "modificationTime": "2016-09-11T00:00:00.000Z", 387 | "comments": [], 388 | "id": "patch:npm:bl:20160119:0" 389 | } 390 | ], 391 | "cvssScore": 5.1, 392 | "severity": "medium", 393 | "CVSSv3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 394 | "creationTime": "2016-09-11T17:00:00.000Z", 395 | "modificationTime": "2016-09-11T17:00:00.000Z", 396 | "publicationTime": "2016-09-18T17:00:00.000Z", 397 | "disclosureTime": "2016-01-19T18:58:00.000Z", 398 | "alternativeIds": [ 399 | "SNYK-JS-BL-10138" 400 | ], 401 | "from": [ 402 | "medium-sev-project@1.0.0", 403 | "mosca@2.7.0", 404 | 
"level-sublevel@6.6.1", 405 | "levelup@0.19.1", 406 | "bl@0.8.2" 407 | ], 408 | "upgradePath": [ 409 | false, 410 | false, 411 | false, 412 | "levelup@1.0.0" 413 | ], 414 | "version": "0.8.2", 415 | "name": "bl", 416 | "isUpgradable": false, 417 | "isPatchable": false, 418 | "__filename": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project/node_modules/level-sublevel/node_modules/bl/package.json", 419 | "parentDepType": "prod" 420 | } 421 | ], 422 | "dependencyCount": 398, 423 | "org": "aarlaud-snyk-demo", 424 | "licensesPolicy": { 425 | "severities": { 426 | "MS-RL": "medium", 427 | "EPL-1.0": "medium", 428 | "GPL-2.0": "high", 429 | "GPL-3.0": "high", 430 | "MPL-1.1": "medium", 431 | "MPL-2.0": "medium", 432 | "AGPL-1.0": "high", 433 | "AGPL-3.0": "high", 434 | "CDDL-1.0": "medium", 435 | "LGPL-2.0": "medium", 436 | "LGPL-2.1": "medium", 437 | "LGPL-3.0": "medium", 438 | "CPOL-1.02": "high", 439 | "LGPL-2.1+": "medium", 440 | "LGPL-3.0+": "medium", 441 | "SimPL-2.0": "high", 442 | "Apache-2.0": "medium", 443 | "Artistic-1.0": "medium", 444 | "Artistic-2.0": "medium" 445 | } 446 | }, 447 | "isPrivate": true, 448 | "packageManager": "npm", 449 | "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.10.2\nignore: {}\npatch: {}\n", 450 | "ignoreSettings": null, 451 | "summary": "46 vulnerable dependency paths", 452 | "filesystemPolicy": false, 453 | "filtered": { 454 | "ignore": [], 455 | "patch": [] 456 | }, 457 | "uniqueCount": 17, 458 | "path": "/Users/antoine/Documents/SnykSB/trash/medium-sev-project" 459 | } 460 | } 461 | -------------------------------------------------------------------------------- /tests/test.js: -------------------------------------------------------------------------------- 1 | var assert = require("assert"); 2 | var _ = require("lodash"); 3 | 4 | var snykFilter = require("../lib/snyk-filter.js"); 5 | var filterFixtures = require("./fixtures/test_filters.json"); 6 | var resultFixtures 
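= require("./fixtures/test_results.json");

// Every case below shares one fixture naming scheme: `sample_input` is run
// through `filters.<name>` and compared with `sample_output_<name>`, or through
// `passFilters.<name>` / `failMessages.<name>` to decide whether the gate
// resolves (no offending issues) or rejects.
// NOTE(review): the result fixtures carry absolute `__filename` / `path`
// values copied from a developer machine. They are inert for these tests but
// are worth scrubbing before the fixtures are published.

/**
 * Runs `snykFilter.filter` on the shared sample input with the named filter
 * and checks the result against `expected`.
 *
 * Returns the promise so mocha waits on it; a mismatch rejects with an
 * AssertionError carrying the original failure message.
 *
 * `_.isEqual` is kept (rather than `assert.deepStrictEqual`) so the comparison
 * semantics stay exactly those of the original tests.
 */
function expectFiltered(filterName, expected) {
  return snykFilter
    .filter(resultFixtures.sample_input, filterFixtures.filters[filterName])
    .then((res) => {
      assert.ok(
        _.isEqual(res, expected),
        "filtered results do not match expected results"
      );
    });
}

/**
 * Runs the pass/fail gate for the named pass filter against the shared
 * sample input. Resolves when the gate passes and rejects when it breaks;
 * the resolved value itself is not specified by anything visible here.
 */
function runGate(name) {
  return snykFilter.pass(
    resultFixtures.sample_input,
    filterFixtures.passFilters[name],
    filterFixtures.failMessages[name]
  );
}

describe("Filtering", function () {
  it("Filter only medium and upgradable", function () {
    return expectFiltered(
      "medium_and_upgradable",
      resultFixtures.sample_output_medium_and_upgradable
    );
  });

  it("Filter only low and upgradable", function () {
    return expectFiltered(
      "low_and_upgradable",
      resultFixtures.sample_output_low_and_upgradable
    );
  });

  it("Filter only low and non upgradable", function () {
    return expectFiltered(
      "low_and_non_upgradable",
      resultFixtures.sample_output_low_and_non_upgradable
    );
  });

  it("Filter only medium and non upgradable", function () {
    return expectFiltered(
      "medium_and_non_upgradable",
      resultFixtures.sample_output_medium_and_non_upgradable
    );
  });
});

describe("Passing", function () {
  // "Pass Expected": a passing gate is signalled by resolution. The resolved
  // value is deliberately not asserted on -- the previous tests accepted any
  // value (mocha treats `done(falsy)` as success), so only a rejection fails
  // these cases, exactly as before.
  it("Pass only if no medium and upgradable - Pass Expected", function () {
    return runGate("medium_and_upgradable");
  });

  // "Break Expected": the gate MUST reject. The previous form called done()
  // on resolution as well as on rejection, so these tests could never fail
  // and a regression that let offending issues through the gate would have
  // gone unnoticed. `assert.rejects` fails the test when the promise resolves.
  // TODO(review): also match the rejection against
  // filterFixtures.failMessages.<name> once the rejection's shape is known.
  it("Pass only if no low and upgradable - Break Expected", function () {
    return assert.rejects(runGate("low_and_upgradable"));
  });

  it("Pass only if no low and non upgradable - Pass Expected", function () {
    return runGate("low_and_non_upgradable");
  });

  it("Pass only if no medium and non upgradable - Break Expected", function () {
    return assert.rejects(runGate("medium_and_non_upgradable"));
  });
});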