halospv3 / hce.drp

Discord Rich Presence module for Halo: Combat Evolved

License: GNU General Public License v3.0

C 33.41% C++ 56.97% PowerShell 6.78% JavaScript 0.66% CMake 2.18%
spv3 hce halo halo-ce discord-rich-presence

hce.drp's People

Contributors

bintoss, dependabot[bot], mend-bolt-for-github[bot], miriswisdom, renovate-bot, renovate[bot]

Forkers

carlmundo

hce.drp's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/ci.yml
  • actions/checkout v4
.github/workflows/codeql-analysis.yml
  • actions/checkout v4
  • github/codeql-action v3
  • github/codeql-action v3
  • github/codeql-action v3
.github/workflows/conv-pull-requests.yml
  • Namchee/conventional-pr v0.15.4
.github/workflows/release.yml
  • actions/checkout v4
  • actions/setup-node v4
  • actions/upload-artifact v4
npm
package.json

CVE-2021-43616 (High) detected in npm-7.24.1.tgz - autoclosed

CVE-2021-43616 - High Severity Vulnerability

Vulnerable Library - npm-7.24.1.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

Publish Date: 2021-11-13

URL: CVE-2021-43616

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43616

Release Date: 2021-11-13

Fix Resolution: npm - 8.1.4


CVE-2022-21680 (High) detected in marked-2.1.3.tgz - autoclosed

CVE-2022-21680 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 366cf45a4d210356c14c0ee396cbb81f2ea20133

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21680

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10


Debug build configuration does not compile

TODO

  • Research how to link a Debug build against a static Release-type library

The Linker is failing a few operations involving discord-rpc.lib.
These issues are due to the precompiled library having been compiled with incompatible arguments and parameters.

| | discord-rpc | ours |
| --- | --- | --- |
| _ITERATOR_DEBUG_LEVEL | 0 | 2 |
| RuntimeLibrary | MT_StaticRelease | MDd_DynamicDebug |

Build Log
Build started...
1>------ Build started: Project: DRP, Configuration: Debug Win32 ------
1>Build started 12/14/2021 5:56:41 PM.
1>Target Link:
1>    discord-rpc.lib(discord_rpc.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>    discord-rpc.lib(discord_rpc.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>    discord-rpc.lib(discord_register_win.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>    discord-rpc.lib(discord_register_win.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>    discord-rpc.lib(serialization.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>    discord-rpc.lib(serialization.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>    discord-rpc.lib(rpc_connection.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>    discord-rpc.lib(rpc_connection.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>    LINK : warning LNK4098: defaultlib 'LIBCMT' conflicts with use of other libs; use /NODEFAULTLIB:library
1>    ..\bin\Debug\HCE.DRP.dll : fatal error LNK1319: 8 mismatches detected
1>Done building target "Link" in project "DRP.vcxproj" -- FAILED.
1>
1>Done building project "DRP.vcxproj" -- FAILED.
1>
1>Build FAILED.
1>
1>LINK : warning LNK4098: defaultlib 'LIBCMT' conflicts with use of other libs; use /NODEFAULTLIB:library
1>discord-rpc.lib(discord_rpc.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>discord-rpc.lib(discord_rpc.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>discord-rpc.lib(discord_register_win.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>discord-rpc.lib(discord_register_win.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>discord-rpc.lib(serialization.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>discord-rpc.lib(serialization.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>discord-rpc.lib(rpc_connection.obj) : error LNK2038: mismatch detected for '_ITERATOR_DEBUG_LEVEL': value '0' doesn't match value '2' in main.obj
1>discord-rpc.lib(rpc_connection.obj) : error LNK2038: mismatch detected for 'RuntimeLibrary': value 'MT_StaticRelease' doesn't match value 'MDd_DynamicDebug' in main.obj
1>..\bin\Debug\HCE.DRP.dll : fatal error LNK1319: 8 mismatches detected
1>    1 Warning(s)
1>    9 Error(s)
1>
1>Time Elapsed 00:00:01.41
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

> Build started at 5:56 PM and took 2.334 seconds

Workarounds

No known workarounds.
Perhaps there are Linker options for allowing mixed link types.

Solutions

A. Only build Release builds.
B. Acquire the source code of Discord RPC and compile for Multi-threaded Debug DLLs.
C. Acquire a debug build of the Discord RPC library.

CVE-2020-7656 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.DRP/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0


CVE-2020-11022 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.DRP/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0


CVE-2015-9251 (Medium) detected in jquery-1.8.1.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.DRP/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0


CVE-2021-3807 (High) detected in ansi-regex-5.0.0.tgz, ansi-regex-3.0.0.tgz - autoclosed

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-5.0.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • npm-9.0.0.tgz
      • npm-8.3.1.tgz
        • cli-table3-0.6.0.tgz
          • string-width-4.2.2.tgz
            • strip-ansi-6.0.0.tgz
              • ansi-regex-5.0.0.tgz (Vulnerable Library)
ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • npm-9.0.0.tgz
      • npm-8.3.1.tgz
        • npmlog-6.0.0.tgz
          • gauge-4.0.0.tgz
            • wide-align-1.1.3.tgz
              • string-width-2.1.1.tgz
                • strip-ansi-4.0.0.tgz
                  • ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1


CVE-2022-29244 (Medium) detected in npm-8.3.1.tgz - autoclosed

CVE-2022-29244 - Medium Severity Vulnerability

Vulnerable Library - npm-8.3.1.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-8.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • npm-9.0.0.tgz
      • npm-8.3.1.tgz (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the patched version of npm (v8.11.0 or greater).

Publish Date: 2022-04-14

URL: CVE-2022-29244

CVSS 3 Score Details (5.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hj9c-8jmm-8c52

Release Date: 2022-04-14

Fix Resolution: npm - 8.11.0


CVE-2022-0235 (Medium) detected in node-fetch-2.6.5.tgz - autoclosed

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.5.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • github-8.0.1.tgz
      • rest-18.11.1.tgz
        • core-3.5.1.tgz
          • request-5.6.1.tgz
            • node-fetch-2.6.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1


CVE-2022-21681 (High) detected in marked-2.1.3.tgz - autoclosed

CVE-2022-21681 - High Severity Vulnerability

Vulnerable Library - marked-2.1.3.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/marked/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • marked-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 366cf45a4d210356c14c0ee396cbb81f2ea20133

Found in base branch: main

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Publish Date: 2022-01-14

URL: CVE-2022-21681

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: 2022-01-14

Fix Resolution: marked - 4.0.10


CVE-2020-11023 (Medium) detected in jquery-1.8.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.DRP/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0


Improve PowerShell-powered VSDevEnv automation

$VsReqs = "Microsoft.Component.VC.Runtime.UCRTSDK","Microsoft.VisualStudio.Workload.NativeDesktop","Microsoft.VisualStudio.Component.WinXP";
(
  Get-VSSetupInstance -All -Prerelease | Select-VSSetupInstance -Latest -Require ($VsReqs)
).InstallationPath
# Need to learn names of...
# ...[component] deprecated v141 toolset for Win7.1 SDK
# ...[component] Windows 10 SDK (10.0.19041.0)
# ...[workload] Desktop development with C++

Docs

`DIFFICULTIES[]` could be replaced by `Difficulties[i].ToPascalCase()`

Why have two arrays of values that differ by character cases?

const char *DIFFICULTIES[] = {
	"Noble",
	"Normal",
	"Heroic",
	"Legendary"
};

const char *Difficulties[] = {
	"noble",
	"normal",
	"heroic",
	"legendary"
};

std::string difficulty_str;
std::string real_difficulty;
if (difficulty < 4) {
    real_difficulty = Difficulties[difficulty];
    difficulty_str = DIFFICULTIES[difficulty];
    difficulty_str += " Difficulty";
}

CVE-2021-3918 (High) detected in json-schema-0.2.3.tgz - autoclosed

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/json-schema/package.json

Dependency Hierarchy:

  • semantic-release-18.0.1.tgz (Root Library)
    • npm-8.0.0.tgz
      • npm-7.24.1.tgz
        • node-gyp-7.1.2.tgz
          • request-2.88.2.tgz
            • http-signature-1.2.0.tgz
              • jsprim-1.4.1.tgz
                • json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0


CVE-2012-6708 (Medium) detected in jquery-1.8.1.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: HCE.DRP/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

  • jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0


Decrease scope to only Halo SPV3

Reasons

  • Supporting every Halo: CE map is ideal, but impractical for the current development team (just me).
  • SPV3 should not need its DRP module updated every time we make non-SPV3 changes.

Roadplan

  • Fork HCE.DRP to SPV3.DRP
  • Transfer SPV3-related issues to SPV3.DRP
  • Recreate SPV3.DRP as a dotnet project for easier version automation; programmatically setting assembly info in C++ is a terrible and alien experience.

Get Difficulties/Titles from map files (or elsewhere, but less reliable)

Constantly updating the module to add new strings would be annoying if it's done frequently.
Being data-driven means fewer updates for values that would otherwise need to be hard coded.

However, this opens up the potential for external abuse e.g. inappropriate text or images being sent to a player's Discord status.

With the previous statement in mind, it may be preferable to maintain a map registry separate from this project. See HaloSPV3/HCE#262

CVE-2021-43307 (Medium) detected in semver-regex-3.1.3.tgz - autoclosed

CVE-2021-43307 - Medium Severity Vulnerability

Vulnerable Library - semver-regex-3.1.3.tgz

Regular expression for matching semver versions

Library home page: https://registry.npmjs.org/semver-regex/-/semver-regex-3.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver-regex/package.json

Dependency Hierarchy:

  • semantic-release-19.0.2.tgz (Root Library)
    • find-versions-4.0.0.tgz
      • semver-regex-3.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 1a03d653386d12fd317a5da703c2bf5cd63e1f13

Found in base branch: main

Vulnerability Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Publish Date: 2022-06-02

URL: CVE-2021-43307

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/

Release Date: 2021-11-03

Fix Resolution: semver-regex - 3.1.4,4.0.3

