A library for generating completely customizable code from the Open API Specification (FKA Swagger) RESTful API documentation using the scripting power of Node.js.
License: Apache License 2.0
Vulnerable Library - underscore-1.11.0.tgzJavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.11.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/underscore/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: underscore - 1.12.1,1.13.0-2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - ms-0.7.1.tgzTiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/ms/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - lodash-4.17.15.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/oas-nodegen/package.json
Path to vulnerable library: /oas-nodegen/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Vulnerability Details
a prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - minimist-0.0.8.tgzparse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/mocha/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Step up your Open Source Security Game with WhiteSource here
Vulnerable Libraries - pug-code-gen-2.0.2.tgz, pug-2.0.4.tgz
Default code-generator for pug. It generates HTML via a JavaScript template function.
Library home page: https://registry.npmjs.org/pug-code-gen/-/pug-code-gen-2.0.2.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/pug-code-gen/package.json
Dependency Hierarchy:
A clean, whitespace-sensitive template language for writing HTML
Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/pug/package.json
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Publish Date: 2021-03-03
URL: CVE-2021-21353
CVSS 3 Score Details (9.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-p493-635q-r6gr
Release Date: 2020-12-23
Fix Resolution: pug -3.0.1, pug-code-gen-2.0.3, pug-code-gen-3.0.2
Step up your Open Source Security Game with WhiteSource here
Include the following lines in the license headers within the scripts. This is to ensure that the automated license scanning tools can identify the license.
SPDX-Copyright: Copyright (c) Capital One Services, LLC
SPDX-License-Identifier: Apache-2.0
Vulnerable Library - growl-1.9.2.tgzGrowl unobtrusive notifications
Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz
Path to dependency file: /tmp/ws-scm/oas-nodegen/package.json
Path to vulnerable library: /tmp/ws-scm/oas-nodegen/node_modules/growl/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Vulnerability Details
Affected versions of the package are vulnerable to Arbitrary Code Injection.
Publish Date: 2016-09-05
URL: WS-2017-0236
CVSS 2 Score Details (5.6)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: tj/node-growl@d9f6ea2
Release Date: 2016-09-05
Fix Resolution: Replace or update the following files: package.json, growl.js
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - debug-2.2.0.tgzsmall debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/debug/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution: 2.6.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - minimatch-0.3.0.tgza glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - mocha-2.5.3.tgzsimple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-2.5.3.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/mocha/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: v6.0.0
Release Date: 2020-05-07
Fix Resolution: https://github.com/mochajs/mocha/commit/1a43d8b11a64e4e85fe2a61aed91c259bbbac559
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - growl-1.9.2.tgzGrowl unobtrusive notifications
Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/growl/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
Publish Date: 2018-06-04
URL: CVE-2017-16042
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042
Release Date: 2018-06-04
Fix Resolution: 1.10.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - diff-1.4.0.tgzA javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/diff/package.json
Dependency Hierarchy:
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
CVSS 2 Score Details (7.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: kpdecker/jsdiff@2aec429
Release Date: 2019-06-11
Fix Resolution: 3.5.0
Step up your Open Source Security Game with WhiteSource here
Please be sure to add a codeowners file with the appropriate trusted reviewers added to it. This is a requirement for all projects in this organization. Thanks!
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
