CoPilot npm/Travis CI Example
Shows a working setup for using CoPilot to analyze the risk of project dependencies.
The .travis.yml file has been modified to upload generated dependency data to CoPilot:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@a01e4fa
Release Date: 2019-07-08
Fix Resolution: 4.17.12
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2,2.0.1
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /example-npm-circle/node_modules/sockjs/examples/express/index.html,/example-npm-circle/node_modules/sockjs/examples/echo/index.html,/example-npm-circle/node_modules/sockjs/examples/hapi/html/index.html,/example-npm-circle/node_modules/sockjs/examples/multiplex/index.html,/example-npm-circle/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/selenium-webdriver/lib/test/data/draggableLists.html
Path to vulnerable library: /example-npm-circle/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.4.5.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: 6510bdb836382c20430023990e14a2e6c6aef3d7
Arbitrary Code Execution vulnerability found in handlebars before 4.5.2. The lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript on the system.
Publish Date: 2019-11-13
URL: WS-2019-0331
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1316
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.2
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /example-npm-circle/node_modules/sockjs/examples/express/index.html,/example-npm-circle/node_modules/sockjs/examples/echo/index.html,/example-npm-circle/node_modules/sockjs/examples/hapi/html/index.html,/example-npm-circle/node_modules/sockjs/examples/multiplex/index.html,/example-npm-circle/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/selenium-webdriver/lib/test/data/draggableLists.html
Path to vulnerable library: /example-npm-circle/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Arbitrary Code Execution vulnerability found in handlebars before 4.5.3. The lookup helper fails to validate templates. An attacker may submit templates that execute arbitrary JavaScript on the system. It is due to an incomplete fix for WS-2019-0331.
Publish Date: 2019-11-17
URL: WS-2019-0332
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1324
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
Publish Date: 2019-05-07
URL: CVE-2019-10742
Base Score Metrics:
Type: Upgrade version
Origin: axios/axios#1098
Release Date: 2019-05-31
Fix Resolution: 0.19.0
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-11.1.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/yargs-parser/package.json
Dependency Hierarchy:
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-13.1.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/@angular/compiler-cli/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz` adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Publish Date: 2020-05-01
URL: WS-2020-0068
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/package/yargs-parser
Release Date: 2020-05-04
Fix Resolution: https://www.npmjs.com/package/yargs-parser/v/18.1.2,https://www.npmjs.com/package/yargs-parser/v/15.0.1
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Prototype Pollution vulnerability found in handlebars 1.0.6 before 4.5.3. It is possible to add or modify properties to the Object prototype through a malicious template. Attacker may crash the application or execute Arbitrary Code in specific conditions.
Publish Date: 2019-11-18
URL: WS-2019-0333
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1325
Release Date: 2019-12-05
Fix Resolution: handlebars - 4.5.3
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
Base Score Metrics:
Utilities for ESLint plugins.
Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/eslint-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.
Publish Date: 2019-08-26
URL: CVE-2019-15657
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657
Release Date: 2019-08-26
Fix Resolution: 1.4.1
Utilities for ESLint plugins.
Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/eslint-utils/package.json
Dependency Hierarchy:
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.
Publish Date: 2019-08-26
URL: CVE-2019-15657
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657
Release Date: 2019-08-26
Fix Resolution: 1.4.1
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.18.0.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/axios/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accept content after maxContentLength is exceeded.
Publish Date: 2019-05-07
URL: CVE-2019-10742
Base Score Metrics:
Type: Upgrade version
Origin: axios/axios#1098
Release Date: 2019-05-31
Fix Resolution: 0.19.0
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
Publish Date: 2019-04-30
URL: CVE-2018-20834
Base Score Metrics:
Type: Upgrade version
Origin: https://hackerone.com/reports/344595
Release Date: 2019-04-30
Fix Resolution: v4.4.2
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /tmp/ws-scm/example-npm-circle/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/sockjs/examples/express/index.html
Path to vulnerable library: /example-npm-circle/node_modules/sockjs/examples/express/index.html,/example-npm-circle/node_modules/sockjs/examples/echo/index.html,/example-npm-circle/node_modules/sockjs/examples/hapi/html/index.html,/example-npm-circle/node_modules/sockjs/examples/multiplex/index.html,/example-npm-circle/node_modules/sockjs/examples/express-3.x/index.html
Dependency Hierarchy:
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.4/jquery.min.js
Path to dependency file: /tmp/ws-scm/example-npm-circle/node_modules/selenium-webdriver/lib/test/data/draggableLists.html
Path to vulnerable library: /example-npm-circle/node_modules/selenium-webdriver/lib/test/data/js/jquery-1.4.4.min.js
Dependency Hierarchy:
Found in HEAD commit: 4b9d35337365451db5cf7aad10d58ff1a3dc8acd
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
Create nested values and any intermediaries using dot notation (`'a.b.c'`) paths.
Library home page: https://registry.npmjs.org/set-value/-/set-value-0.4.3.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/set-value/package.json
Dependency Hierarchy:
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and __proto__ payloads.
Publish Date: 2019-08-23
URL: CVE-2019-10747
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/set-value@95e9d99
Release Date: 2019-07-24
Fix Resolution: 2.0.1,3.0.1
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
Library home page: https://registry.npmjs.org/mixin-deep/-/mixin-deep-1.3.1.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/mixin-deep/package.json
Dependency Hierarchy:
Found in HEAD commit: dc622c22bc07e86cb43ca6e4c1562a92588218bc
mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-08-23
URL: CVE-2019-10746
Base Score Metrics:
Type: Upgrade version
Origin: jonschlinkert/mixin-deep@8f464c8
Release Date: 2019-07-11
Fix Resolution: 1.3.2,2.0.1
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.5.2.tgz
Path to dependency file: /tmp/ws-scm/example-npm-circle/package.json
Path to vulnerable library: /example-npm-circle/node_modules/handlebars/package.json
Dependency Hierarchy:
Found in HEAD commit: e8f81fa1be5b23fbe5cdb37ae0a33abd6cc0741e
Prototype Pollution vulnerability found in handlebars.js before 4.5.3. Attacker may use Remote-Code-Execution exploits.
Publish Date: 2019-11-17
URL: WS-2019-0369
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/wycats/handlebars.js/blob/master/release-notes.md#v453---november-18th-2019
Release Date: 2020-01-08
Fix Resolution: handlebars - 4.5.3