A library for generating completely customizable code from the Open API Specification (FKA Swagger) RESTful API documentation using the scripting power of Node.js.
License: Apache License 2.0
JavaScript 94.88%
Shell 0.13%
Handlebars 4.99%
oas-nodegen's Issues
CVE-2021-23358 - High Severity Vulnerability
Vulnerable Library - underscore-1.11.0.tgz
JavaScript's functional programming helper library.
Library home page: https://registry.npmjs.org/underscore/-/underscore-1.11.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/underscore/package.json
Dependency Hierarchy:
❌ underscore-1.11.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The package underscore, from 1.13.0-0 and before 1.13.0-2 and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: underscore - 1.12.1,1.13.0-2
Step up your Open Source Security Game with WhiteSource here
WS-2017-0247 - Low Severity Vulnerability
Vulnerable Library - ms-0.7.1.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/ms/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
debug-2.2.0.tgz
❌ ms-0.7.1.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1
WS-2020-0070 - High Severity Vulnerability
Vulnerable Library - lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/oas-nodegen/package.json
Path to vulnerable library: /oas-nodegen/node_modules/lodash/package.json
Dependency Hierarchy:
❌ lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Vulnerability Details
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
CVE-2020-7598 - Medium Severity Vulnerability
Vulnerable Library - minimist-0.0.8.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/mocha/node_modules/minimist/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
mkdirp-0.5.1.tgz
❌ minimist-0.0.8.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
CVE-2021-21353 - High Severity Vulnerability
Vulnerable Libraries - pug-code-gen-2.0.2.tgz , pug-2.0.4.tgz
pug-code-gen-2.0.2.tgz
Default code-generator for pug. It generates HTML via a JavaScript template function.
Library home page: https://registry.npmjs.org/pug-code-gen/-/pug-code-gen-2.0.2.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/pug-code-gen/package.json
Dependency Hierarchy:
pug-2.0.4.tgz (Root Library)
❌ pug-code-gen-2.0.2.tgz (Vulnerable Library)
pug-2.0.4.tgz
A clean, whitespace-sensitive template language for writing HTML
Library home page: https://registry.npmjs.org/pug/-/pug-2.0.4.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/pug/package.json
Dependency Hierarchy:
❌ pug-2.0.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the "pretty" option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug" and "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the "pretty" option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Publish Date: 2021-03-03
URL: CVE-2021-21353
CVSS 3 Score Details (9.0)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-p493-635q-r6gr
Release Date: 2020-12-23
Fix Resolution: pug - 3.0.1, pug-code-gen - 2.0.3, pug-code-gen - 3.0.2
Include the following lines in the license headers within the scripts. This is to ensure that the automated license scanning tools can identify the license.
SPDX-Copyright: Copyright (c) Capital One Services, LLC
SPDX-License-Identifier: Apache-2.0
WS-2017-0236 - Medium Severity Vulnerability
Vulnerable Library - growl-1.9.2.tgz
Growl unobtrusive notifications
Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz
Path to dependency file: /tmp/ws-scm/oas-nodegen/package.json
Path to vulnerable library: /tmp/ws-scm/oas-nodegen/node_modules/growl/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
❌ growl-1.9.2.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Vulnerability Details
Affected versions of the package are vulnerable to Arbitrary Code Injection.
Publish Date: 2016-09-05
URL: WS-2017-0236
CVSS 2 Score Details (5.6)
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: tj/node-growl@d9f6ea2
Release Date: 2016-09-05
Fix Resolution: Replace or update the following files: package.json, growl.js
CVE-2017-16137 - Medium Severity Vulnerability
Vulnerable Library - debug-2.2.0.tgz
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/debug/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
❌ debug-2.2.0.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution: 2.6.9
CVE-2016-10540 - High Severity Vulnerability
Vulnerable Library - minimatch-0.3.0.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/minimatch/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
glob-3.2.11.tgz
❌ minimatch-0.3.0.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
WS-2019-0425 - Medium Severity Vulnerability
Vulnerable Library - mocha-2.5.3.tgz
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-2.5.3.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/mocha/package.json
Dependency Hierarchy:
❌ mocha-2.5.3.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: v6.0.0
Release Date: 2020-05-07
Fix Resolution: https://github.com/mochajs/mocha/commit/1a43d8b11a64e4e85fe2a61aed91c259bbbac559
CVE-2017-16042 - High Severity Vulnerability
Vulnerable Library - growl-1.9.2.tgz
Growl unobtrusive notifications
Library home page: https://registry.npmjs.org/growl/-/growl-1.9.2.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/growl/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
❌ growl-1.9.2.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution.
Publish Date: 2018-06-04
URL: CVE-2017-16042
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-16042
Release Date: 2018-06-04
Fix Resolution: 1.10.2
WS-2018-0590 - High Severity Vulnerability
Vulnerable Library - diff-1.4.0.tgz
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz
Path to dependency file: oas-nodegen/package.json
Path to vulnerable library: oas-nodegen/node_modules/diff/package.json
Dependency Hierarchy:
mocha-2.5.3.tgz (Root Library)
❌ diff-1.4.0.tgz (Vulnerable Library)
Found in HEAD commit: 68d751bdae4e5002c9a62b3c3b3e2371120cff95
Found in base branch: master
Vulnerability Details
A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
CVSS 2 Score Details (7.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: kpdecker/jsdiff@2aec429
Release Date: 2019-06-11
Fix Resolution: 3.5.0
Please be sure to add a codeowners file with the appropriate trusted reviewers added to it. This is a requirement for all projects in this organization. Thanks!