zaproxy / zaproxy

The ZAP core project

Home Page:https://www.zaproxy.org


Up-to-date moment.js library is reported for an old vulnerability

danatemple opened this issue · comments

Describe the bug

We are running with moment.js 2.30.1, but ZAProxy reports old vulnerabilities as a problem.

The report lists these as sources, which as can be seen are quite old:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18214
https://security.snyk.io/vuln/npm:moment:20170905
https://security.snyk.io/vuln/npm:moment:20161019

Fix was at moment.js 2.19.3 acc to the mitre.org link.

Steps to reproduce the behavior

Run ZAProxy on an HTML page that loads the newest moment.js library.

Expected behavior

Not to report this as a vulnerability.

Software versions

Docker image ID 5c7d5356b7d8

ZAP
Version: 2.14.0

Installed Add-ons: [[id=alertFilters, version=19.0.0],
[id=ascanrules, version=63.0.0], [id=authhelper,
version=0.12.0], [id=automation, version=0.35.0],
[id=bruteforce, version=15.0.0], [id=callhome,
version=0.10.0], [id=commonlib, version=1.22.0],
[id=database, version=0.3.0], [id=diff, version=14.0.0],
[id=directorylistv1, version=7.0.0], [id=domxss,
version=18.0.0], [id=encoder, version=1.4.0], [id=exim,
version=0.8.0], [id=formhandler, version=6.5.0], [id=fuzz,
version=13.12.0], [id=gettingStarted, version=16.0.0],
[id=graaljs, version=0.5.0], [id=graphql, version=0.23.0],
[id=help, version=17.0.0], [id=hud, version=0.18.0],
[id=invoke, version=14.0.0], [id=network, version=0.14.0],
[id=oast, version=0.17.0], [id=onlineMenu, version=12.0.0],
[id=openapi, version=39.0.0], [id=postman, version=0.2.0],
[id=pscanrules, version=56.0.0], [id=quickstart,
version=43.0.0], [id=replacer, version=16.0.0], [id=reports,
version=0.29.0], [id=requester, version=7.4.0], [id=retest,
version=0.8.0], [id=retire, version=0.32.0], [id=reveal,
version=7.0.0], [id=scripts, version=45.0.0], [id=selenium,
version=15.19.0], [id=soap, version=21.0.0], [id=spider,
version=0.10.0], [id=spiderAjax, version=23.18.0], [id=tips,
version=12.0.0], [id=webdriverlinux, version=73.0.0],
[id=websocket, version=30.0.0], [id=zest, version=43.0.0]]

Operating System: Linux
Architecture: amd64
Java Version: Debian 11.0.22
System's Locale: en
Display Locale: en_GB
Format Locale: en
Default Charset: UTF-8
ZAP Home Directory: /home/zap/.ZAP/
ZAP Installation Directory: /zap/./
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Screenshots

Screenshot 2024-03-05 111206

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes

For info ZAP uses data from Retire.js so the bug could be in our code or their data https://retirejs.github.io/retire.js/

Their information on their website looks to be up to date - in fact, they list later vulnerabilities than ZAProxy does.

It doesn't say in the report what version has been detected. I'm new to this, not sure quite what to expect.

Looks like it extracted the version as 7a06f256.

Looks like it extracted the version as 7a06f256.

That's just the cache-busting part of the filename as generated by Webpack in the bundling process. It has nothing to do with the version of moment.js - except indirectly.
If that's what it's using to derive the version then I can see that would cause a problem. But still odd how it thinks the version is somewhere between 2.19.3 and 2.29.4, given the vulnerabilities that get flagged.

It looks like one of these is causing the improper extraction of the version: https://github.com/RetireJS/retire.js/blob/efa193364a3c0d657471083c56835ecd180b2688/repository/jsrepository.json#L4711-L4717 (Edit, actually only the "file" one I guess.)

I'll see if we can work around this or upstream a fix. I might be able to tackle this today or tomorrow, but there's a chance I won't get to for 1.5wks.

Edit: Per here it seems moment versions are just numbers and periods.

Proposal: tweak/refine VERSION_SUB_PATTERN in Extractors.VersionConverter:

  1. Shouldn't be lazy (drop the trailing question mark)
  2. Shouldn't include a-z, hyphen, or underscore in the pattern. (The designators alpha, beta, rc, etc aren't handled anyway).
  3. Should include a period, underscore, or hyphen after the first number (1st number length 1-3).
  4. Or be 999 or '0' which seem to be special cases in retire.js for (basically all versions impacted).

Currently: [0-9][0-9a-z._\\-]+?
Proposed: [0-9]{1,3}(?:[._-][0-9]{1,3})+|999|^0$

Online tester:
https://www.regexplanet.com/cookbook/ahJzfnJlZ2V4cGxhbmV0LWhyZHNyEwsSBlJlY2lwZRiAgID6x5eXCww/index.html
(Click "Java")

Caveats:
1) This misses the existing 7 cases that are "atOrAbove": "0". We could add this to version converter and translate to below 999? [I'd have to have a better look at why they were done this way.]
2) There are currently no entries that use date stamped versioning. [Might be a future consideration.]
3) If we want to be more specific these alpha strings appear present in the version fields within the file:

beta
canary
next
rc
b
RC
alpha

including just "b" is problematic but the others should be largely fine if we wanted to turn that into a set of ORs in the regex.

grep "atOrAbove" jsrepository.json; grep "below" jsrepository.json

I did more work/testing on this today. I think I've found a pattern that works in the majority of cases so I'll open a PR.
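To show what the proposal above changes, here is an added example (not ZAP's or retire.js's own code) that substitutes the current and the proposed version sub-patterns into a hypothetical filename extractor and runs both over constructed filenames, including a Webpack cache-busted name like the one in the report. The extractor pattern and the placeholder token are assumptions for illustration; both regexes are quoted from the comment above and are accepted unchanged by Python's re module.

```python
import re

# Version sub-patterns quoted from the proposal (Java regex syntax; Python's
# re accepts these constructs as-is).
CURRENT_VERSION_SUB = r"[0-9][0-9a-z._\-]+?"
PROPOSED_VERSION_SUB = r"[0-9]{1,3}(?:[._-][0-9]{1,3})+|999|^0$"

# Hypothetical filename extractor in the style of a retire.js entry (the real
# moment entry is not reproduced here). "§§version§§" is assumed to be the
# placeholder that the VersionConverter replaces with the version sub-pattern.
FILENAME_EXTRACTOR = r"moment[.-]§§version§§(?:\.min)?\.js$"


def build_pattern(extractor, version_sub):
    # Wrap the sub-pattern in a capture group so the alternation in the
    # proposed version binds as one unit. Note that the anchored "^0$"
    # alternative can never match once a prefix like "moment." precedes it,
    # so inside a filename extractor that branch is inert.
    return re.compile(extractor.replace("§§version§§", "(" + version_sub + ")"))


def extract_version(filename, version_sub):
    # Returns the captured version string, or None when nothing matches.
    m = build_pattern(FILENAME_EXTRACTOR, version_sub).search(filename)
    return m.group(1) if m else None


# Constructed sample filenames: a Webpack cache-busted bundle name as in the
# report, two versioned names, and one with a pre-release designator.
SAMPLES = [
    "moment.7a06f256.js",
    "moment.2.30.1.min.js",
    "moment-2.19.3.js",
    "moment-2.30.1-beta.js",
]


def compare_patterns(filenames=SAMPLES):
    # Maps each filename to (version via current pattern, version via proposed).
    return {
        f: (extract_version(f, CURRENT_VERSION_SUB),
            extract_version(f, PROPOSED_VERSION_SUB))
        for f in filenames
    }


if __name__ == "__main__":
    for name, (cur, prop) in compare_patterns().items():
        print(f"{name:24} current={cur!r:16} proposed={prop!r}")
```

The lazy current pattern happily returns the cache-busting hash as a "version", while the proposed one extracts nothing from it; the beta filename shows the caveat that pre-release designators are not handled by either proposal.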