Comments (3)
prabhu
commented on June 12, 2024
The result from npm remote audit has 0 as the score and None as the cvss vectorString
{
'actions': [
{
'isMajor': False,
'action': 'install',
'resolves': [
{
'id': 1094652,
'path': 'zod',
'dev': False,
'optional': False,
'bundled': False
}
],
'module': 'zod',
'target': '3.22.4'
}
],
'advisories': {
'1094652': {
'findings': [
{
'version': '3.22.1',
'paths': [
'zod'
]
}
],
'metadata': None,
'vulnerable_versions': '<=3.22.2',
'module_name': 'zod',
'severity': 'low',
'github_advisory_id': 'GHSA-m95q-7qp3-xv42',
'cves': [
'CVE-2023-4316'
],
'access': 'public',
'patched_versions': '>=3.22.3',
'cvss': {
'score': 0,
'vectorString': None
},
'updated': '2023-11-07T05:02:00.000Z',
'recommendation': 'Upgrade to version 3.22.3 or later',
'cwe': [
'CWE-1333'
],
'found_by': None,
'deleted': None,
'id': 1094652,
'references': '- https://nvd.nist.gov/vuln/detail/CVE-2023-4316\n- https://www.npmjs.com/package/zod\n- https://github.com/colinhacks/zod/issues/2609\n- https://github.com/colinhacks/zod/pull/2824\n- https://github.com/colinhacks/zod/commit/2ba00fe2377f4d53947a84b8cdb314a63bbd6dd4\n- https://github.com/colinhacks/zod/releases/tag/v3.22.3\n- https://github.com/advisories/GHSA-m95q-7qp3-xv42',
'created': '2023-09-28T21:30:58.000Z',
'reported_by': None,
'title': 'Zod denial of service vulnerability',
'npm_advisory_id': None,
'overview': 'Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.\n\n\n\n',
'url': 'https://github.com/advisories/GHSA-m95q-7qp3-xv42'
}
},
'muted': [
],
'metadata': {
'vulnerabilities': {
'info': 0,
'low': 1,
'moderate': 0,
'high': 0,
'critical': 0
},
'dependencies': 1,
'devDependencies': 0,
'optionalDependencies': 0,
'totalDependencies': 1
}
}
from dep-scan.
prabhu
commented on June 12, 2024
With the new vdb version, we get 2.0 matching the value with a direct vdb search.
Dependency Scan Results (NPM)
╔════════════════════════════════════════════════════════════╤═════════════════════╤════════════════════════════╤═════════════════════╤══════════════╗
║ CVE │ Insights │ Fix Version │ Severity │ Score ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ [email protected] ⬅ CVE-2023-4316 │ │ 3.22.3 │ LOW │ 2.0 ║
╚════════════════════════════════════════════════════════════╧═════════════════════╧════════════════════════════╧═════════════════════╧══════════════╝
from dep-scan.
prabhu
commented on June 12, 2024
5.2.10 includes the fix.
from dep-scan.
Related Issues (20)
- Feature: 1. more complete report in json and cyclonedx-json. 2. error when get sbom from trivy or syft. HOT 6
- Bug: cvss score for pypi vulnerabilities are incorrect HOT 1
- Bug: Pypi misses
- Feature: nu plugin
- Feature: pyproject.nix poc
- Feature: Support for nix packages
- [v6] Support for cpe based searches
- [v6] Prefer xz vdb over rafs
- Feature: VDB update frequency information HOT 2
- False-Positive: CVE-2020-14343 HOT 9
- False-Positive: CVE-2021-39913 HOT 7
- [FN] CVE-2023-5590 is not reported for [email protected] HOT 1
- False-Positive: I raised the topic on discord. I compared the DT, Depscan, and Grype analyzers. The results are presented in the table. I think it will be useful for correcting the quality of the analysis. HOT 1
- [dotnet] Runtime components naming
- [cdxgen 10.3.x] Breaking changes in cdxgen for go and npm HOT 1
- cargo:http is yielding a lot of false positives
- Bug: Reachability scan fails HOT 3
- [risk-audit] Detect use of Trusted publisher
- [container] almalinux 9.3 builds are broken
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dep-scan.