[ https://issues.apache.org/jira/browse/SENSSOFT-321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16741431#comment-16741431 ]
Joshua Poore commented on SENSSOFT-321:
---------------------------------------
Fix also corrects MASTER, which has an older build of UserALEjs, see below:
Audit reveals Mocha is no longer an issue
{code:java}
npm audit
=== npm audit security report ===
# Run npm install --save-dev [email protected] to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > lodash     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-stream > glob > minimatch             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-stream > minimatch                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > glob >     │
│               │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 5 vulnerabilities (1 low, 4 high) in 6062 scanned packages
  5 vulnerabilities require semver-major dependency updates.
{code}
Tests Run
{code:java}
$ npm run test

> [email protected] pretest /Users/jpoore/Documents/Apache_SensSoft/Test/incubator-senssoft-useralejs-master
> gulp lint

[19:39:18] Using gulpfile ~/Documents/Apache_SensSoft/Test/incubator-senssoft-useralejs-master/gulpfile.js
[19:39:18] Starting 'lint'...
[19:39:18] Finished 'lint' after 292 ms

> [email protected] test /Users/jpoore/Documents/Apache_SensSoft/Test/incubator-senssoft-useralejs-master
> gulp test

[19:39:19] Using gulpfile ~/Documents/Apache_SensSoft/Test/incubator-senssoft-useralejs-master/gulpfile.js
[19:39:19] Starting 'rollup'...
[19:39:19] Starting 'lint'...
[19:39:19] Finished 'rollup' after 95 ms
[19:39:19] Starting 'build'...
[19:39:20] Finished 'lint' after 481 ms
[19:39:20] Finished 'build' after 388 ms
[19:39:20] Starting 'test'...
(node:1165) DeprecationWarning: "--compilers" will be removed in a future version of Mocha; see https://git.io/vdcSr for more info

  attachHandlers
    ✓ attaches all the event handlers without duplicates
    ✓ debounces bufferedEvents (504ms)

  defineDetails
    - configures high detail events correctly

  configure
    ✓ merges new configs into main config object
    ✓ includes a userid if present in the window.location
    getUserIdFromParams
      ✓ fetches userId from URL params
      ✓ returns null if no matching param

  getInitialSettings
    timeStampScale
      ✓ no event.timestamp
      ✓ zero
      ✓ epoch milliseconds
      ✓ epoch microseconds
      ✓ performance navigation time
    getInitialSettings
      ✓ fetches all settings from a script tag (103ms)
      ✓ grabs user id from params

  Userale API
    ✓ provides configs
    ✓ edits configs
    ✓ starts + stops (214ms)
    ✓ sends custom logs

  packageLogs
    packageLog
      ✓ only executes if on
      ✓ calls detailFcn with the event as an argument if provided
      ✓ packages logs
    getLocation
      ✓ returns event page location
      ✓ calculates page location if unavailable
      ✓ fails to null
    selectorizePath
      ✓ returns a new array of the same length provided
    getSelector
      ✓ builds a selector
      ✓ identifies window
      ✓ handles a non-null unknown value
    buildPath
      ✓ builds a path
      ✓ defaults to path if available

  sendLogs
    ✓ sends logs on an interval
    ✓ sends logs on page exit with navigator
    ✓ sends logs on page exit without navigator

  32 passing (936ms)
  1 pending

[19:39:23] Finished 'test' after 2.95 s
{code}
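The audit above is clean only in the sense that every remaining finding is reachable solely through a devDependency (`gulp [dev]`). An added example (not code from UserALE.js or from this thread) of turning that distinction into a CI gate over `npm audit --json`: it assumes the npm 6 JSON report shape (`advisories[id]` with `severity`, `module_name`, `findings[].dev` and `findings[].paths`) and uses a constructed sample mirroring the five findings shown in the comment.

```javascript
// Added example, not part of the UserALE.js project or this JIRA issue.
// Policy: fail the build only when an advisory at or above the threshold is
// reachable from a production dependency; dev-only findings are reported but
// do not block. The report shape (npm 6 `npm audit --json`) is assumed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the five findings in the audit output above.
const SAMPLE_REPORT = {
  advisories: {
    577: { id: 577, module_name: 'lodash', severity: 'low', title: 'Prototype Pollution',
           findings: [{ dev: true, paths: ['gulp>vinyl-fs>glob-watcher>gaze>globule>lodash'] }] },
    118: { id: 118, module_name: 'minimatch', severity: 'high',
           title: 'Regular Expression Denial of Service',
           findings: [{ dev: true, paths: [
             'gulp>vinyl-fs>glob-stream>glob>minimatch',
             'gulp>vinyl-fs>glob-stream>minimatch',
             'gulp>vinyl-fs>glob-watcher>gaze>globule>glob>minimatch',
             'gulp>vinyl-fs>glob-watcher>gaze>globule>minimatch' ] }] },
  },
};

// Sort each advisory into dev-only, production-but-below-threshold, or
// production-blocking, and set `fail` when the last bucket is non-empty.
function evaluateAudit(report, threshold = 'high') {
  const result = { prodBlocking: [], prodOther: [], devOnly: [], fail: false };
  for (const adv of Object.values(report.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity] ?? 0;
    const findings = adv.findings || [];
    const prodPaths = findings.filter(f => !f.dev).flatMap(f => f.paths);
    const entry = { id: adv.id, module: adv.module_name, severity: adv.severity,
                    paths: findings.flatMap(f => f.paths) };
    if (prodPaths.length === 0) {
      result.devOnly.push(entry);                       // only via devDependencies
    } else if (rank >= SEVERITY_RANK[threshold]) {
      result.prodBlocking.push({ ...entry, paths: prodPaths });
      result.fail = true;
    } else {
      result.prodOther.push({ ...entry, paths: prodPaths }); // prod, but below threshold
    }
  }
  return result;
}

// Stand-alone run: print the verdict and use it as the process exit status,
// as a CI step would after `npm audit --json > audit.json`.
const verdict = evaluateAudit(SAMPLE_REPORT);
console.log(JSON.stringify(verdict, null, 2));
process.exitCode = verdict.fail ? 1 : 0;
```

Pinning the threshold per environment (for example `moderate` for a browser-delivered library such as UserALE.js) is a one-argument change.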
> Gulp Mocha Dependency Deprecation: Critical Command Injection Vulnerability
> ---------------------------------------------------------------------------
>
> Key: SENSSOFT-321
> URL: https://issues.apache.org/jira/browse/SENSSOFT-321
> Project: SensSoft
> Issue Type: Bug
> Components: UserALE.js
> Affects Versions: UserALE.js 1.0.0, UserALE.js 1.1.0
> Environment: javascript
> Reporter: Joshua Poore
> Assignee: Joshua Poore
> Priority: Critical
> Fix For: UserALE.js 1.1.0
>
> Attachments: Gulp Mocha Vulnerability
>
>
> Gulp Mocha v3.x has a critical vulnerability (see attached terminal output
> for details) due to the "growl" package dependency. The vulnerability must be fixed
> before being deployed on a network with any exposure.
> Running NPM/Node v 11.6
> Will post in comments as issue is explored.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)