Bug: vulnarability scan of mage (1.13.0) showing CVE-2020-11023 present

Question

Bug: vulnarability scan of mage (1.13.0) showing CVE-2020-11023 present

WheeskyJack opened this issue 2 years ago · comments

Bug Description
Hi, I recently upgraded mage pkg to 1.13.0. As a part of process, Whitesource vulnerability scan was run on the project.
It showed mage having CVE-2020-11023 issue. I am creating this issue to understand if this is really a risk and if any fix available for the same.

What did you do?
get the mage package version 1.13.0 and run security scan

What did you expect to happen?
no security threats present

What actually happened?
vulnerability was found as a result of scan

Environment

Mage Version: 1.13.0
OS: Mac

WheeskyJack · Answer 1 · Fri Jun 17 2022 18:55:16 GMT+0800 (China Standard Time)

suggested fix by scan was : Upgrade to version jquery - 3.5.0;jquery-rails - 4.4.0

Benjamin Cable · Answer 2 · Fri Jun 17 2022 19:38:30 GMT+0800 (China Standard Time)

Hello @WheeskyJack, this is not immediately risky. jQuery is only used for the website portion of Mage, and not anywhere in the actual tool.

WheeskyJack · Answer 3 · Mon Jun 20 2022 15:54:35 GMT+0800 (China Standard Time)

Thank you! Also, is there any plan to fix this?

Benjamin Cable · Answer 4 · Mon Jun 20 2022 16:13:29 GMT+0800 (China Standard Time)

Sure! I'll see about proposing the recommended upgrades :)

WheeskyJack · Answer 5 · Mon Jun 20 2022 18:30:25 GMT+0800 (China Standard Time)

Thank you.

Jesús Espino · Answer 6 · Fri Aug 05 2022 16:36:00 GMT+0800 (China Standard Time)

@natefinch If you see value in it, I can try to upgrade the hugo template respecting the original changes (It is not going to be super easy, but I think is not that hard). That would upgrade to the jquery 3.3.1 instead of 2.x, and also is going to upgrade other libraries.

Nate Finch · Answer 7 · Fri Aug 05 2022 23:46:13 GMT+0800 (China Standard Time)

I would love that, thank you!

WheeskyJack · Answer 8 · Mon Aug 08 2022 12:37:50 GMT+0800 (China Standard Time)

scan report for the reference

Jesús Espino · Answer 9 · Mon Aug 08 2022 17:10:50 GMT+0800 (China Standard Time)

Thanks @WheeskyJack, this is very useful, I can upgrade the theme, and the upgrade jquery in it to the newest 3.X version. Also, would be great to also create a ticket for the upstream theme repo here: https://github.com/matcornic/hugo-theme-learn

Jesús Espino · Answer 10 · Mon Aug 08 2022 17:12:24 GMT+0800 (China Standard Time)

nevermind, this is already reported and there is already a PR for that. I think I have to do the upgrade manually in this repo.

WheeskyJack · Answer 11 · Mon Nov 07 2022 18:47:27 GMT+0800 (China Standard Time)

is the issue fixed in 1.14.0?

Kyle Dennison · Answer 12 · Wed May 10 2023 03:29:05 GMT+0800 (China Standard Time)

@jespino would it be possible to move the site/* directory into a separate repo? It sounds from this thread like the code in that directory is unrelated to the tool itself but is instead the source for https://magefile.org/. However, I'm not sure that
security scanning tools will be able to discern that automatically, so I think the next best thing would be to separate the tool from the site.

Nate Finch · Answer 13 · Wed May 10 2023 08:41:12 GMT+0800 (China Standard Time)

We can probably move the site to a separate repo. The reason it is in the same repo is to make it easy to update the site to go with changes to the tool. But really, I don't think it's super important at this point, since there aren't a ton of large changes going on.