Settings Tables

Display Modes' Relations with other Settings

V-Sync Rules & Recommendations

Halo's built-in Double-Buffer V-Sync is horribly implemented, so it's recommended to disable it at all times.

V-Sync Comparison

• What is V-Sync?
  • Where the article states "60Mhz", they actually mean 60Hz. The erroneous "60MHz" means 60 million changes per second. If that was a feasible refresh rate for displays, I would be amazed.
• Double-Buffering? Triple Buffering?
• Frame Rate = rate at which the GPU is outputting rendered images.
• Refresh Rate = the frequency at which the monitor's display can blank and show a new image. Limited by its hardware components.

AMD

What is FreeSync?

1. FreeSync Premium Pro — requires a GPU, display, and game that supports it
2. FreeSync Premium — requires a GPU and display that also supports it
3. FreeSync — requires a GPU and display that supports it
4. Enhanced Sync — automatically disables V-Sync when the frame rate drops below the display's refresh rate.
5. Off + limit frame rate lower than refresh rate.
6. On (Traditional)

Intel

1. Adaptive Sync — 11th-Gen Core or newer)
2. "Use Application Settings" & limit frame rate lower than refresh rate
3. On — Traditional
   Unless the user has an 11th-gen Core processor or newer, their options are limited to traditional V-Sync and frame rate limiting.

NVIDIA

What is G-Sync?

1. G-Sync Ultimate — requires a GPU and display that supports it
2. G-Sync — requires a GPU and display that supports it or a display that is capable of Variable Refresh Rate
3. Fast Sync — successor to Adaptive Sync
4. Adaptive Sync — disables V-Sync when the frame rate drops below the display's refresh rate
5. Off & limit frame rate lower than refresh rate
6. On — Traditional

Miscellaneous

dgVoodoo

• dgVoodoo offers mouse cursor capture (keep inside the game), Anisotropic Filtering override, MSAA, render API shader-processing fixes, Alt-Enter for fullscreen,

File dgVoodoo = new File;
File dgVoodooConf = new File;
/// The following can be used for any library that loads via D3D9.dll interception.
if (Exists(Combine(CurrentDirectory, "d3d9.dll")))
{
  throw new Exception("Move d3d9.dll somewhere else. Move it to the mods folder if you still need to use it.");
}
if (Exists(Combine(CurrentDirectory, "mods", "d3d9.dll")))
{
  var d3d9VerInfo = FileVersionInfo.GetVersionInfo(Combine(CurrentDirectory, "mods", "d3d9.dll"));
  if (d3d9VerInfo.FileDescription.Contains("dgVoodoo"))
  {
    dgVoodooFound = true;
    dgVoodooConf = Combine(CurrentDirectory, "mods", "dgvoodoo.conf");
  }
  else if (d3d9VerInfo.FileDescription.Contains("ReShade"))
  {
    // Recommend the user use dgVoodoo. If the user faces significant performance drops with it, tick it's "passthrough" checkbox.
    // rename ReShade to dxgi.dll OR reshade32.dll
    ReShadeFound = true;
    // ReShade configuration?
  }
}
// Does dgvoodoo.dll exist?
else if (Exists(Combine(CurrentDirectory, "mods", "dgvoodoo.dll")))
{
  dgVoodooFound = true;
  dgVoodooConf = Combine(CurrentDirectory, "mods", "dgvoodoo.conf");
}

https://twitter.com/LateNightHalo/status/1389654718667005958?s=19

Describe the solution you'd like
Manually updating the contents of HaloSPV3/HCE's latest.xml could lead to delayed update notifications or introduced human error into an otherwise automated Release pipeline.

Describe alternatives you've considered
I'd previously considered running a nightly Workflow in HaloSPV3/HCE to check each project for new releases, but that would hinder the rapid delivery of critical fixes. Updating the Update metadata from each repo's Release workflows made more sense in the end.

Additional context
HaloSPV3/HCE#240

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.5.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

• semantic-release-19.0.2.tgz (Root Library)
  • github-8.0.1.tgz
    • rest-18.11.1.tgz
      • core-3.5.1.tgz
        • request-5.6.1.tgz
          • ❌ node-fetch-2.6.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1

Step up your Open Source Security Game with WhiteSource here

From https://www.reddit.com/r/halospv3/comments/oly5qb/can_not_run_the_installer_tt/

Is SPV3.3 installer run on 64 bit only? If It's true, then is there a manual way to install It because I'm using win7-32bit.

This will be a little tricky since it's an async operation.

Commit e213d7af had moved away from this idea (opting for executing in a separate process to show progress in a CLI) because the test-implementation at the time exhibited "screwy", unsatisfactory results.

The exact issue(s) will need to be listed here.

Ideas to try:

• DownloadProgress = BytesDownloaded / BytesTotal;
• CommitProgress = BytesWritten / BytesTotal;
• Periodically report progress to the GUI. 100ms should be frequent enough. A "no response" or "progress stalled" message would be nice to have if progress doesn't change over a period of five seconds.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dependency microsoft.windows.compatibility to v7.0.3 [security]
• chore(deps): update all dependencies (MahApps.Metro, Microsoft.SourceLink.GitHub, Namchee/conventional-pr, actions/checkout, actions/setup-dotnet, actions/setup-node, actions/upload-artifact, github/codeql-action)

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

In relation to HaloSPV3/HXE#215

https://twitter.com/VoidsShadow/status/1450000709890424834

Hear the lament of one who must maintain a single-file, self-extracting installer that has a 64-bit-only feature and must run on both 32-bit and 64-bit platforms.

https://twitter.com/VoidsShadow/status/1450401081809416198

I couldn't find a way to create an 'Any CPU' app with net5.0+ tools despite implications in its source code and documentation, so I'll have to split 64-bit-only features to a separate application or library that is stored in and later extracted from a 32-bit SPV3 Installer.

Formerly "Self-extract HXE.exe to parent directory when 'Loader' state is inferred"

Expose HXE CLI functionality and features via either/both an embedded Terminal host and/or wrapped command-line command/arguments.

Terminal Host Embedded in GUI

The host would be embedded within an SPV3-themed GUI, similarly to our SPV3.Error UserControl.

PowerShell 7.2+ would be our preferred CLI host for its suggestions and completions, but most users will have PS 5.1 at best.

• Embedding PowerShell 7.2 would bloat our application by at least 70MiB, so that's out of the question.
• Check if PowerShell 7.2 is already installed on the client machine.
  • If not installed, prompt user with options: [ 'ignore once', 'ignore always', 'install for current user', 'install for all users' ]
    • A portable install is not presented because PowerShell itself is not portable. Also, that would be PITA to maintain without a package manager.

Wrapped CLI Commands and Arguments

Invoking SPV3 with HXE arguments will cause cause SPV3 Loader to pass unsupported arguments to the embedded HXE assembly which will then react appropriately, whether that be by throwing NotSupportException or acting upon the recognized argument(s).

• Compression button in Loader Config panel
• Warning message box
• Applies file system compression to folder and files recursively
• Checks if the host file system supports transparent compression.

When Clicked to Enable...

MessageBox.Open("Applying compression to SPV3's folder will take a few minutes. Do you want to continue?")

In the message box, display a Confirm and a Cancel button.

https://www.reddit.com/r/halospv3/comments/o15p34/spv33_halo_ce_classic_windows_81_resolution/

• Unable to set resolution in Fullscreen mode! This is highly unusual!

Snyk

Job started: 12 November 2021, 02:52:26
Processed HaloSPV3/SPV3-Loader from GitHub

Found ./src/SPV3.csproj [main]  | No target frameworks detected in ./src/SPV3.csproj
[main] View project 

1 project created
Job completed: 12 November 2021, 02:52:27

> dotnet nuget push *.nupkg -s "github" -k ***
error: File does not exist (*.nupkg).

The GeneratePackageOnBuild property was removed from the project. Re-adding it should resolve the issue.

• Prompt user. Maybe they don't want it, but do it by default.

https://developer.valvesoftware.com/wiki/Steam_browser_protocol
If you want, you could add SPV3 to Steam via steam://AddNonSteamGame during the install procedure
Steam browser protocol
I'm wondering if there's a way to auto-set the three custom images as well

ooo this is interesting
https://developer.valvesoftware.com/wiki/Add_Non-Steam_Game
Add Non-Steam Game
so it would have to be done here
hmmm nifty

Contact Arecadian Fox and Jazz for the SPV3 Steam Library images.

• #37
• #39

Load SPV3 button is often disabled indefinitely after loading the game, requiring the user to restart the loader if the user wants to restart the game.

CVE-2021-43616 - High Severity Vulnerability

Vulnerable Library - npm-7.24.1.tgz

a package manager for JavaScript

Library home page: https://registry.npmjs.org/npm/-/npm-7.24.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/package.json

Dependency Hierarchy:

• semantic-release-18.0.1.tgz (Root Library)
  • npm-8.0.0.tgz
    • ❌ npm-7.24.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.

Publish Date: 2021-11-13

URL: CVE-2021-43616

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43616

Release Date: 2021-11-13

Fix Resolution: npm - 8.1.4

Step up your Open Source Security Game with WhiteSource here

• #71
• #72

This would help users a little if the update server is changed again.

Resolved with the release of HaloSPV3/HXE.DRP v1.0.5

I'll close this issue after confirming it is packaged with Loader releases.

Add Firefight maps and images.
Needs new Discord API servicing host.

See https://mahapps.com/docs/guides/migration-to-v2.0#resource-keys

There may be an issue with writing to and closing the file.
...do I need to manually close the file/handle?

Notes

• This is to alllow IL trimming of code that does not reference WPF/WinForms
• Non-GUI namespace will remain as 'SPV3'
• GUI namespace will be 'SPV3.GUI', reflecting AmaiSosu's layout
• 'SPV3.GUI' will become the main project because it needs to reference the non-GUI components
• In relation to HaloSPV3/HXE#214

Describe the bug

This has been a thorn in my side for far too long.

7z's syntax sucks.
Workflow variable de-reference syntax is different depending on the context i.e. ${{ env.TFM }} is sometimes correct, but it's wrong in other cases.

Expected behavior

1. Get a list of items under a publish.
2. Add items to new archive; preserving subdirectories.

Propositions

• avoid de-referencing workflow variables
• replace 7z with Powershell's Compress-Archive

Screamshots

funny joke

• Activation methods
• Halo CE Proof of Ownership methods (HCE POO)
• Halo CE Proof of Ownership Discovery methods (HCE POOD)
• Halo CE Ownership Discovery methods
• Halo CE Declaration of Ownership methods (HCE DOO)

Although I really like two and three, four and five are clearer.
Five is the best compromise between clarity and poop jokes...

51c44b9#annotation_2052168121

Issues

NOTES

• "RID" refers to a unique combination of OS and CPU architecture. See .NET RID Catalog.

File Size

Updates should be lightweight and have as few files as possible.

• HXE.exe from release 2.1.4 is 128 MiB. If it targeted .NET 6 and used EnableCompressionInSingleFile, it would have been closer to 64 MiB which is still large for a console app with two WPF windows.
• Our GUIs rely on WPF. ~20MiB per RID. Windows-only.
• DotNet SingleFile wraps our app and assemblies with SingleFileHost as the entry assembly. ~10MiB per RID. One app per RID.
• Our dependencies include localizations we don't need since we only support English. These localizations add ~20 MiB (uncompressed) to HXE.exe.

WPF is trim-incompatible

Rampant usage of Reflection and dynamic references e.g. getting a type name from a string.

• https://docs.microsoft.com/en-us/dotnet/core/deploying/trimming/incompatibilities#wpf
• dotnet/runtime#12951
• dotnet/runtime#50689
• dotnet/sdk#14261
• dotnet/wpf#3811

SingleFile

• https://docs.microsoft.com/en-us/dotnet/core/deploying/single-file
• Making a SingleFile app also requires selecting a specific runtime. We have to use the .NET 5+ SingleFile feature since I couldn't get Fody Weavers working after porting the projects to .NET 5+. The SingleFile host adds an additional 10MiB to executable.
• A SingleFile is heavy. A Self-Contained SingleFile is even heavier.

SingleFile + Win7

• SingleFile is said to not be supported on Windows 7. Does this include Windows 7 SP1? Condition="'$(PublishSingleFile)' == 'true' and $(RuntimeIdentifier.StartsWith('win7-'))" throws Error NETSDK1180

• Does the DotNet Core 3.1 style of SingleFile work? This extracts the dependencies to a temporary file location instead of loading directly from the main file. The compiler checks don't care. See previous point.

• dotnet/runtime#62453

• dotnet/runtime#13356

• dotnet/runtime#63196

• dotnet/sdk#23336

XML Serialization is discouraged in favor of System.Text.Json for trim compatibility

XML serialization depends on Reflection.

• https://docs.microsoft.com/en-us/dotnet/core/deploying/trimming/incompatibilities#reflection-based-serializers

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: SPV3-Loader/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 339c233f38fb804a26d33861aeb9011ccea53d79

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

Step up your Open Source Security Game with WhiteSource here

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: SPV3-Loader/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 339c233f38fb804a26d33861aeb9011ccea53d79

Found in base branch: main

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3918 - High Severity Vulnerability

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/npm/node_modules/json-schema/package.json

Dependency Hierarchy:

• semantic-release-18.0.1.tgz (Root Library)
  • npm-8.0.0.tgz
    • npm-7.24.1.tgz
      • node-gyp-7.1.2.tgz
        • request-2.88.2.tgz
          • http-signature-1.2.0.tgz
            • jsprim-1.4.1.tgz
              • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution: json-schema - 0.4.0

Step up your Open Source Security Game with WhiteSource here

e.g.

    <TrimmerDefaultAction>link</TrimmerDefaultAction>

    <ProjectReference Include="ext/HXE/src/HXE.csproj" />
    <!-- Analyze the whole library, even if attributed with "IsTrimmable" -->
    <TrimmerRootAssembly Include="HXE" />

• npm install @semantic-release/release-notes-generator -D
• npx @semantic-release/release-notes-generator - initialize change log
• enable release-notes-generator in ./.releaserc.yaml
• commit change log

When all is done, the change log will be updated and committed during every CI run of semantic-release.

Currently, all of them are rendered simultaneously with Activation on top.

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: SPV3-Loader/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 339c233f38fb804a26d33861aeb9011ccea53d79

Found in base branch: main

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Step up your Open Source Security Game with WhiteSource here

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-5.0.0.tgz, ansi-regex-4.1.0.tgz, ansi-regex-3.0.0.tgz

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: SPV3-Loader/package.json

Path to vulnerable library: SPV3-Loader/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• semantic-release-18.0.0.tgz (Root Library)
  • npm-8.0.0.tgz
    • npm-7.24.1.tgz
      • cli-table3-0.6.0.tgz
        • string-width-4.2.2.tgz
          • strip-ansi-6.0.0.tgz
            • ❌ ansi-regex-5.0.0.tgz (Vulnerable Library)

ansi-regex-4.1.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz

Path to dependency file: SPV3-Loader/package.json

Path to vulnerable library: SPV3-Loader/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• commitizen-4.2.4.tgz (Root Library)
  • inquirer-6.5.2.tgz
    • strip-ansi-5.2.0.tgz
      • ❌ ansi-regex-4.1.0.tgz (Vulnerable Library)

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: SPV3-Loader/package.json

Path to vulnerable library: SPV3-Loader/node_modules/string-width/node_modules/ansi-regex/package.json,SPV3-Loader/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json

Dependency Hierarchy:

• commitizen-4.2.4.tgz (Root Library)
  • inquirer-6.5.2.tgz
    • string-width-2.1.1.tgz
      • strip-ansi-4.0.0.tgz
        • ❌ ansi-regex-3.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 339c233f38fb804a26d33861aeb9011ccea53d79

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1

Step up your Open Source Security Game with WhiteSource here

They broke when MahApps.Metro package was upgraded
See https://mahapps.com/docs/guides/migration-to-v2.0#old,
https://mahapps.com/docs/guides/migration-to-v2.0#new

CVE-2020-7656 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: SPV3-Loader/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 339c233f38fb804a26d33861aeb9011ccea53d79

Found in base branch: main

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

Step up your Open Source Security Game with WhiteSource here

It aint working.
Toss it in the bin.
Toss the bin into dense, rapid traffic. Maybe onto a freeway or something.
Point, laugh, and cry.

NOTES

DEPENDENCIES, RELATED ISSUES

• HaloSPV3/HXE#217
• HaloSPV3/AmaiSosu#21
• Migrate GUI from WPF to Avalon
• Wine/Proton instructions and/or management
• Add SupportedPlatform attribute to Win32 API and Kernel interop. Add Linux equivalents when possible.
• Recommend users have https://github.com/FeralInteractive/gamemode installed or make it a package dependency.

RELATED LINKS

• WineHQ Application Entry for Halo SPV3
• CrossOver

KEY ISSUES

DEPENDENCY: MahApps.Metro

This GUI framework aids in the creation of Metro-styled GUIs. It is dependent on Window Presentation Framework.
This will be especially difficult to resolve.

Solution

Migrate from WPF to Avalonia

• HXE
• Gemini
• AmaiSosu

Windows Registry

See HaloSPV3/HXE#217

Steam

ROAD PLAN

There are two routes we can take to resolve this issue.

STOPGAP MEASURES

Platform-dependent code paths will be determined at runtime. This implies the following:

• Check the value of System.Environment.OSVersion.Platform to determine which OS we're running on. In most cases, we'll see either Win32NT or Unix. All possible values.

// This example demonstrates the PlatformID enumeration.
using System;

class Sample
{
    public static void Main()
    {
    string msg1 = "This is a Windows operating system.";
    string msg2 = "This is a Unix operating system.";
    string msg3 = "ERROR: This platform identifier is invalid.";

// Assume this example is run on a Windows operating system.

    OperatingSystem os = Environment.OSVersion;
    PlatformID     pid = os.Platform;
    switch (pid)
        {
        case PlatformID.Win32NT:
        case PlatformID.Win32S:
        case PlatformID.Win32Windows:
        case PlatformID.WinCE:
            Console.WriteLine(msg1);
            break;
        case PlatformID.Unix:
            Console.WriteLine(msg2);
            break;
        default:
            Console.WriteLine(msg3);
            break;
        }
    }
}
/*
This example produces the following results:

This is a Windows operating system.
*/

BUILD FOR EACH PLATFORM

• Compile apps as native Linux apps.
• Proton and WINE settings would be automated (or informed to the user) for convenience.
• WPF and WinForms would be replaced by Avalon UNO, .NET 6's MAUI, or another GUI framework to assist in maintaining our WPF-reliant, MahApps.Metro-powered GUI.
• All Windows Registry interaction would need to be disabled entirely or adapted to work with Proton and WINE. The Windows Registry is required to determine if Retail or Custom Edition was installed legally. How does Proton and WINE handle that?
  • All Registry interaction will be removed with SPV3.3.1.

Multi-Platform Alternatives to WPF/WinForms

• Avalonia
• GTK (GTK#)
• MAUI main repo does not have GTK bindings for Linux desktop compatibility. Some forks have bindings to GTK. MAUI does not support Windows 7.
• Qt (QtSharp or Qml.NET)
• UNO

Formerly tracked in HaloSPV3/HCE#249.

Some users want this because they are on very low-end PCs. Decal settings hit the hardest due to an issue in the DX9 pipeline since WinVista.
The quantity of decals in a scene drastically affects performance even on modern high-end systems.

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.8.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.1/jquery.min.js

Path to dependency file: SPV3-Loader/node_modules/redeyed/examples/browser/index.html

Path to vulnerable library: /node_modules/redeyed/examples/browser/index.html

Dependency Hierarchy:

• ❌ jquery-1.8.1.min.js (Vulnerable Library)

Found in HEAD commit: 339c233f38fb804a26d33861aeb9011ccea53d79

Found in base branch: main

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Step up your Open Source Security Game with WhiteSource here