marcopixel / r6operators

r6operators is a collection of high-quality vectorized Rainbow Six: Siege Operator icons & metadata for Node.js

Home Page: https://r6operators.marcopixel.eu


OSCS

derkrasseleo opened this issue · comments

commented

I just got an email telling me there's a security risk in this repo. I am not sure if this is spam or if it's really relevant, but here's the email:

I translated it because it was written in Chinese:


The open source security community OSCS includes your project marcopixel/r6operators, detects and finds security risks

Hello leochras

I'm ren_jq, a security expert in the OSCS community. I recently noticed your open source project marcopixel/r6operators on GitHub and found some security flaws in the project through the OSCS community security tools, so I created a community team to try to help improve the security of the open source project.

I found that you are a contributor to the marcopixel/r6operators project, so I took the liberty to share the security report with you, and if you are interested, you can also join us to focus on the security of the project.
View the detailed test report
If the button is not clickable, please copy the link to your computer browser to open: https://www.murphysec.com/accept?code=ba3c5425b5df2bb5ce699d791ebb9ef0&type=1&from=2&t=1
Temporarily not concerned, choose to ignore

Inspection results provided by Murphy Security, a professional code security inspection tool
Murphy Security is the technical support unit of the National Security Vulnerability Database (CNNVD) and has passed ISO9001, ISO27001, CCRC and other authoritative certifications. Murphy Security has been used by 700 companies such as Ant Group, Ping An and Meituan, and is also loved by over 10,000+ developers
With an overview of the test results of marcopixel/r6operators:

Introduced components and licenses: 534 components, 10 types of related licenses
Vulnerable components: 1
Risky licenses: 0 categories

Details of some defective components:
Flawed component: json5 - Indirect Dependencies

Vulnerability Title: Tauri Security Vulnerability
Impact Description: Tauri is an open source project for building smaller, faster, and more secure desktop applications using a web front end. A security vulnerability exists in Tauri version 2.2.1 and earlier, which stems from the parse method not restricting the parsing of keys named "__proto__", thus allowing specially crafted strings to contaminate the prototypes of generated objects.
CVE number: CVE-2022-46175
National Vulnerability Repository Information.
Impact Range: (-∞, 2.2.2)
Minimum fix version: 2.2.2
Component introduction path: package-lock.json -> jest@29.3.1 -> jest-cli@29.3.1 -> @jest/core@29.3.1 -> jest-snapshot@29.3.1 -> @babel/core@7.20.5 -> json5@2.2.1
Vulnerability details: https://www.oscs1024.com/hd/MPS-2022-65568

Yours sincerely, OSCS Security Community

Good luck and happy life!
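The advisory quoted above describes a parse method that does not restrict keys named "__proto__". The following is an added example, not code from the r6operators project or from json5: it contrasts an assignment-based object builder (a stand-in for that bug class, not json5's actual parser) with a hardened builder that only creates own data properties, and adds a scanner for data that has already been parsed by some other library. All function names and the sample input are constructed for this illustration.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assignment-based builder: a stand-in for the bug class in the advisory, NOT
// json5's real code. For the key "__proto__", `obj[key] = value` invokes the
// inherited Object.prototype.__proto__ setter and replaces obj's prototype
// instead of creating an own property.
function naiveBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// Hardened builder: drop prototype-related keys and only ever create own
// data properties, so no setter can be reached through a key name.
function hardenedBuild(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    Object.defineProperty(obj, key, {
      value, enumerable: true, writable: true, configurable: true,
    });
  }
  return obj;
}

// Scanner for data that has already been parsed elsewhere: reports forbidden
// own keys at any depth and any object whose prototype is not one of the
// built-ins a plain parse result should have.
function findPrototypeTampering(value, path = '$') {
  const findings = [];
  if (value === null || typeof value !== 'object') return findings;
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== Array.prototype && proto !== null) {
    findings.push(`${path}: prototype is not a built-in`);
  }
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) findings.push(`${path}.${key}: forbidden key`);
    findings.push(...findPrototypeTampering(value[key], `${path}.${key}`));
  }
  return findings;
}

// Constructed sample input: the key/value list a lenient parser would produce
// from the text {"name": "ash", "__proto__": {"isAdmin": true}}.
const SAMPLE_PAIRS = [
  ['name', 'ash'],
  ['__proto__', { isAdmin: true }],
];

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function demo() {
  const naive = naiveBuild(SAMPLE_PAIRS);
  const hardened = hardenedBuild(SAMPLE_PAIRS);
  return {
    // The naive result "has" isAdmin, but only through its replaced prototype,
    // so an own-property check (the usual allow-list guard) does not see it.
    naiveInheritsIsAdmin: naive.isAdmin === true && !hasOwn(naive, 'isAdmin'),
    naivePrototypeReplaced: Object.getPrototypeOf(naive) !== Object.prototype,
    naiveFindings: findPrototypeTampering(naive),
    hardenedIsAdmin: hardened.isAdmin,
    hardenedPrototypeIntact: Object.getPrototypeOf(hardened) === Object.prototype,
    // JSON.parse itself never hits the setter (it creates an own "__proto__"
    // data property), but that property is still worth rejecting before the
    // object is deep-merged into anything else.
    jsonParseFindings: findPrototypeTampering(
      JSON.parse('{"name":"ash","__proto__":{"isAdmin":true}}')),
  };
}

console.log(demo());
```

The scanner is the piece worth keeping around when a dependency you cannot patch immediately parses untrusted input: run it on the parsed result before the data reaches any merge or config-loading code.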

@leochras

This seems to be regarding the Jest testing dependency, which isn't bundled within the distributed library code and only used in development.

So you can safely disregard that message for now. I'm always trying to keep the dependencies up-to-date and I'm updating those before each new release (ad7ae7b, ecb55b5, df7491b), so you should be fine.
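The maintainer's reasoning, that json5 only enters through Jest's devDependencies chain, can be checked mechanically from package-lock.json rather than taken on trust. This is an added example, not the project's own tooling: it walks a lockfile's packages map (npm lockfileVersion 2/3 layout), computes which entries are reachable from the root's dependencies versus devDependencies, and renders the introduction path in the same format the advisory uses. The embedded lockfile is constructed to mirror the path quoted in the issue (with a hypothetical production dependency added for contrast); the function names are assumptions.

```javascript
// Constructed lockfile in npm's lockfileVersion 2/3 "packages" layout, mirroring
// the introduction path quoted in the issue. The "dev" flags are what npm writes
// for entries reachable only from devDependencies.
const SAMPLE_LOCK = {
  name: 'r6operators-demo',
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { 'example-prod-lib': '^1.0.0' },   // hypothetical prod dep
      devDependencies: { jest: '^29.3.1' },
    },
    'node_modules/example-prod-lib': { version: '1.0.0' },
    'node_modules/jest': { version: '29.3.1', dev: true, dependencies: { 'jest-cli': '^29.3.1' } },
    'node_modules/jest-cli': { version: '29.3.1', dev: true, dependencies: { '@jest/core': '^29.3.1' } },
    'node_modules/@jest/core': { version: '29.3.1', dev: true, dependencies: { 'jest-snapshot': '^29.3.1' } },
    'node_modules/jest-snapshot': { version: '29.3.1', dev: true, dependencies: { '@babel/core': '^7.20.5' } },
    'node_modules/@babel/core': { version: '7.20.5', dev: true, dependencies: { json5: '^2.2.1' } },
    'node_modules/json5': { version: '2.2.1', dev: true },
  },
};

// Resolve a dependency name from a package's path the way Node does: look in the
// nearest node_modules directory, then walk up towards the project root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Breadth-first walk from a set of root dependency names. Returns a map of
// reachable entry path -> the path it was first reached from ('' = the root).
function reachableFrom(packages, rootDepNames) {
  const parent = new Map();
  const queue = [];
  for (const name of rootDepNames) {
    const p = resolveDep(packages, '', name);
    if (p && !parent.has(p)) { parent.set(p, ''); queue.push(p); }
  }
  while (queue.length) {
    const from = queue.shift();
    for (const dep of Object.keys(packages[from].dependencies || {})) {
      const p = resolveDep(packages, from, dep);
      if (p && !parent.has(p)) { parent.set(p, from); queue.push(p); }
    }
  }
  return parent;
}

// Render the introduction path in the same "a@1 -> b@2" style as the advisory.
function introductionPath(packages, parent, target) {
  const hops = [];
  for (let cur = target; cur !== ''; cur = parent.get(cur)) {
    const name = cur.slice(cur.lastIndexOf('node_modules/') + 'node_modules/'.length);
    hops.unshift(`${name}@${packages[cur].version}`);
  }
  return ['package-lock.json', ...hops].join(' -> ');
}

// Numeric major.minor.patch comparison (enough for the fixed-version check).
function isBelow(version, fixVersion) {
  const a = version.split('.').map(Number);
  const b = fixVersion.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// For every installed copy of `name` below `fixVersion`, report whether it is
// reachable from production dependencies at all and how it gets in.
function assessAdvisory(lock, name, fixVersion) {
  const packages = lock.packages;
  const root = packages[''] || {};
  const prod = reachableFrom(packages, Object.keys(root.dependencies || {}));
  const dev = reachableFrom(packages, Object.keys(root.devDependencies || {}));
  const results = [];
  for (const p of Object.keys(packages)) {
    if (p !== `node_modules/${name}` && !p.endsWith(`/node_modules/${name}`)) continue;
    const version = packages[p].version;
    if (!isBelow(version, fixVersion)) continue;
    const inProd = prod.has(p);
    results.push({
      path: p,
      version,
      shipsInProd: inProd,
      devOnly: !inProd && dev.has(p),
      lockDevFlag: packages[p].dev === true,
      introducedVia: inProd ? introductionPath(packages, prod, p)
        : dev.has(p) ? introductionPath(packages, dev, p) : 'not reachable from the root (extraneous)',
    });
  }
  return results;
}

console.log(assessAdvisory(SAMPLE_LOCK, 'json5', '2.2.2'));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json. A dev-only result means the vulnerable copy is not part of what `npm install` of the published package pulls in, which is the maintainer's argument; it still lives on developer and CI machines, so updating it at the next release remains the right call.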

commented

Perfect, as I said, just wanted to let you know