Skip to content
This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Bug: https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0 #123

Closed
anuragpathak2608 opened this issue Oct 9, 2020 · 8 comments
Labels
bug Something isn't working

Comments

@anuragpathak2608
Copy link

Vulnerability URL
https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0

https://ossindex.sonatype.org/component/pkg:npm/[email protected]


**Description**
The above URL shows there is a 1 Sever issue(CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') with the SQL npm library version 2.18.1.

however, if it is verified from the other resources it seems to be false positive as on official NPM advisories this version is free from any vulnerability.

NPM advisory:
https://www.npmjs.com/advisories/66/versions
@anuragpathak2608 anuragpathak2608 added the bug Something isn't working label Oct 9, 2020
@ken-duck
Copy link
Contributor

Sorry for the delay. This should be fixed, and will update sometime tomorrow.

@anuragpathak2608
Copy link
Author

@ken-duck , Thanks for your reply.

Is it updated?
I still can not see the updated information.

Anurag

@ken-duck
Copy link
Contributor

ken-duck commented Nov 2, 2020

Very strange. It seems fine on my internal/dev environment. It looks like it is getting jammed up somewhere in the pipeline. Working on it now...

@ken-duck
Copy link
Contributor

ken-duck commented Nov 2, 2020

I identified an anomaly in some data in the processing pipeline. I gave it a bit of a manual kick. Hopefully that gets things moving again. I will check again tomorrow and give it more of a kicking if required.

@ken-duck
Copy link
Contributor

ken-duck commented Nov 3, 2020

Oof. This was a rough one. Long story short there was a corrupt entry that was causing all sorts of havoc. It should be resolved (but I won't be certain until tomorrow, fingers crossed). Meanwhile the entry was removed by hand. If the data is clean tomorrow you will see the vulnerability you linked is gone, but there is a known vulnerability that will show up now (it was being blocked by the aforementioned corrupt entry).

The "new" vulnerability you will see is due to a known problem which has never been resolved: mysqljs/mysql#1828

@anuragpathak2608
Copy link
Author

@ken-duck ,
Thanks for the update.

are you saying there is no workaround for this, we need to accept this and live along.?

@ken-duck
Copy link
Contributor

ken-duck commented Nov 9, 2020

So that's a good question. Here is a better description of our current situation.

You should find the original issue resolved at this point. I do not see any vulnerabilities against this package any more:

https://ossindex.sonatype.org/component/pkg:npm/[email protected]

whereas you can see the vulnerability against this one: https://ossindex.sonatype.org/component/pkg:npm/[email protected]

The original vulnerability link gives you a 404 at this point.

https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0

The "new" issue is working itself down the pipeline but is not active yet, so we have a few days to think about it. Are you using any particular tool (eg. audit.js) or are you using the API? Some of the tools have an ability to filter vulnerabilities by their UUIDs so you can hide them from your results.

The awkward thing about this vulnerability is it is only against certain use cases, and it looks like there isn't a huge push to fix it.

Do you have any thoughts on how you would like to see it handled?

@ndonewar
Copy link
Contributor

Closing this older issue as the originally reported vulnerability no longer exists, and the component no longer has any vulnerabilities. Please feel free to reopen or create a new issue if needed. Thanks!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants