shaneclarke-whitesource / jirafy-changelog Goto Github PK

View Code? Open in Web Editor NEW

This project forked from onxmaps/jirafy-changelog

0.0 0.0 0.0 372 KB

Generates a changelog from two references, where the markdown is formatted for any referenced Jira tickets.

Shell 0.22% JavaScript 99.78%

jirafy-changelog's People

Contributors

jirafy-changelog's Issues

core-1.6.0.tgz: 1 vulnerabilities (highest severity is: 5.0)

Vulnerable Library - core-1.6.0.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@actions/core/package.json

Found in HEAD commit: b471d6dafdcdc7934bf201c5f5090738be00bb14

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (core version)	Remediation Available
CVE-2022-35954	Medium	5.0	core-1.6.0.tgz	Direct	1.9.1	✅

Details

CVE-2022-35954

Vulnerable Library - core-1.6.0.tgz

Actions core lib

Library home page: https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@actions/core/package.json

Dependency Hierarchy:

❌ core-1.6.0.tgz (Vulnerable Library)

Found in HEAD commit: b471d6dafdcdc7934bf201c5f5090738be00bb14

Found in base branch: main

Vulnerability Details

The GitHub Actions ToolKit provides a set of packages to make creating actions easier. The core.exportVariable function uses a well known delimiter that attackers can use to break out of that specific variable and assign values to other arbitrary variables. Workflows that write untrusted values to the GITHUB_ENV file may cause the path or other environment variables to be modified without the intention of the workflow or action author. Users should upgrade to @actions/core v1.9.1. If you are unable to upgrade the @actions/core package, you can modify your action to ensure that any user input does not contain the delimiter _GitHubActionsFileCommandDelimeter_ before calling core.exportVariable.

Publish Date: 2022-08-15

URL: CVE-2022-35954

CVSS 3 Score Details (5.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35954

Release Date: 2022-08-15

Fix Resolution: 1.9.1

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

jira-client-6.23.0.tgz: 2 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - jira-client-6.23.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Found in HEAD commit: b471d6dafdcdc7934bf201c5f5090738be00bb14

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jira-client version)	Remediation Available
CVE-2021-3918	High	9.8	json-schema-0.2.3.tgz	Transitive	7.0.0	✅
CVE-2022-24999	High	7.5	qs-6.5.2.tgz	Transitive	7.0.0	✅

Details

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

jira-client-6.23.0.tgz (Root Library)
- request-2.88.2.tgz
  - http-signature-1.2.0.tgz
    - jsprim-1.4.1.tgz
      - ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: b471d6dafdcdc7934bf201c5f5090738be00bb14

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (jira-client): 7.0.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

jira-client-6.23.0.tgz (Root Library)
- request-2.88.2.tgz
  - ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: b471d6dafdcdc7934bf201c5f5090738be00bb14

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (jira-client): 7.0.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Other Branches

These updates are pending. To force PRs open, click the checkbox below.

Update dependency cypress to v10.11.0

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Update dependency cypress to v12

Detected dependencies

github-actions

.github/workflows/bump-version.yml

.github/workflows/draft-release.yml

.github/workflows/jirafy-changelog-preview.yml

.github/workflows/release.yml

.github/workflows/tests.yml

cypress-io/github-action v4

npm

package.json

cypress ^10.7.0

Check this box to trigger a request for Renovate to run again on this repository

github-5.0.0.tgz: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - github-5.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Found in HEAD commit: b471d6dafdcdc7934bf201c5f5090738be00bb14

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (github version)	Remediation Available
CVE-2022-0235	Medium	6.1	node-fetch-2.6.6.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-0235

Vulnerable Library - node-fetch-2.6.6.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

github-5.0.0.tgz (Root Library)
- core-3.5.1.tgz
  - request-5.6.2.tgz
    - ❌ node-fetch-2.6.6.tgz (Vulnerable Library)

Found in HEAD commit: b471d6dafdcdc7934bf201c5f5090738be00bb14

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

npm

package.json

shaneclarke-whitesource / jirafy-changelog Goto Github PK

jirafy-changelog's People

Contributors

jirafy-changelog's Issues

Vulnerabilities

Details

Vulnerable Library - core-1.6.0.tgz

Vulnerability Details

CVSS 3 Score Details (5.0)

Suggested Fix

Vulnerabilities

Details

Vulnerable Library - json-schema-0.2.3.tgz

Vulnerability Details

CVSS 3 Score Details (9.8)

Suggested Fix

Vulnerable Library - qs-6.5.2.tgz

Vulnerability Details

CVSS 3 Score Details (7.5)

Suggested Fix

Other Branches

Open

Detected dependencies

Vulnerabilities

Details

Vulnerable Library - node-fetch-2.6.6.tgz

Vulnerability Details

CVSS 3 Score Details (6.1)

Suggested Fix

Detected dependencies

Recommend Projects

Recommend Topics

Recommend Org