@fabasoad/sarif-to-slack 1.2.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/security.yml +10 -2
- package/.github/workflows/send-sarif-to-slack.yml +6 -1
- package/.tool-versions +1 -1
- package/dist/SarifToSlackClient.js +1 -1
- package/dist/index.cjs +28 -14
- package/dist/model/Color.js +26 -16
- package/dist/representations/CompactGroupByRepresentation.js +1 -1
- package/dist/representations/CompactGroupByRunPerLevelRepresentation.js +1 -1
- package/dist/representations/CompactGroupByRunPerSeverityRepresentation.js +1 -1
- package/dist/representations/CompactGroupByRunRepresentation.js +1 -1
- package/dist/representations/CompactGroupBySarifRepresentation.js +1 -1
- package/dist/representations/CompactGroupByToolNameRepresentation.js +1 -1
- package/dist/representations/CompactTotalRepresentation.js +1 -1
- package/package.json +1 -1
- package/src/SarifToSlackClient.ts +1 -1
- package/src/model/Color.ts +27 -18
- package/src/representations/CompactGroupByRepresentation.ts +1 -1
- package/src/representations/CompactGroupByRunPerLevelRepresentation.ts +1 -1
- package/src/representations/CompactGroupByRunPerSeverityRepresentation.ts +1 -1
- package/src/representations/CompactGroupByRunRepresentation.ts +1 -1
- package/src/representations/CompactGroupBySarifRepresentation.ts +1 -1
- package/src/representations/CompactGroupByToolNameRepresentation.ts +1 -1
- package/src/representations/CompactTotalRepresentation.ts +1 -1
- package/test-data/sarif/osv-scanner-yarn.sarif +4 -4
- package/tests/integration/SendSarifToSlack.spec.ts +21 -4
|
@@ -6,6 +6,14 @@ on: # yamllint disable-line rule:truthy
|
|
|
6
6
|
push:
|
|
7
7
|
branches:
|
|
8
8
|
- main
|
|
9
|
+
workflow_dispatch:
|
|
10
|
+
inputs:
|
|
11
|
+
security-type:
|
|
12
|
+
description: What Security scanning you would like to run?
|
|
13
|
+
required: false
|
|
14
|
+
default: "all"
|
|
15
|
+
type: choice
|
|
16
|
+
options: ["all", "sca", "code-scanning"]
|
|
9
17
|
|
|
10
18
|
jobs:
|
|
11
19
|
sast:
|
|
@@ -15,5 +23,5 @@ jobs:
|
|
|
15
23
|
security-events: write
|
|
16
24
|
uses: fabasoad/reusable-workflows/.github/workflows/wf-security-sast.yml@main
|
|
17
25
|
with:
|
|
18
|
-
code-scanning:
|
|
19
|
-
sca:
|
|
26
|
+
code-scanning: ${{ (inputs.security-type || 'all') == 'all' || inputs.security-type == 'code-scanning' }}
|
|
27
|
+
sca: ${{ (inputs.security-type || 'all') == 'all' || inputs.security-type == 'sca' }}
|
|
@@ -281,8 +281,13 @@ jobs:
|
|
|
281
281
|
SARIF_TO_SLACK_USERNAME: "${{ inputs.username }}"
|
|
282
282
|
SARIF_TO_SLACK_ICON_URL: "https://cdn-icons-png.flaticon.com/512/9070/9070006.png"
|
|
283
283
|
SARIF_TO_SLACK_COLOR: "${{ inputs.color }}"
|
|
284
|
-
|
|
284
|
+
SARIF_TO_SLACK_COLOR_EMPTY: "#008000"
|
|
285
|
+
SARIF_TO_SLACK_SARIF_PATH: "test-data/sarif/${{ steps.sarif-file.outputs.value }}"
|
|
286
|
+
SARIF_TO_SLACK_SARIF_PATH_RECURSIVE: "false"
|
|
287
|
+
SARIF_TO_SLACK_SARIF_FILE_EXTENSION: "sarif"
|
|
285
288
|
SARIF_TO_SLACK_LOG_LEVEL: "${{ inputs.log-level }}"
|
|
289
|
+
SARIF_TO_SLACK_LOG_TEMPLATE: "[{{logLevelName}}] [{{name}}] {{dateIsoStr}} "
|
|
290
|
+
SARIF_TO_SLACK_LOG_COLORED: "true"
|
|
286
291
|
SARIF_TO_SLACK_HEADER: "${{ inputs.header }}"
|
|
287
292
|
SARIF_TO_SLACK_FOOTER: "${{ inputs.footer }}"
|
|
288
293
|
SARIF_TO_SLACK_ACTOR: "${{ inputs.actor }}"
|
package/.tool-versions
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
nodejs 24.
|
|
1
|
+
nodejs 24.6.0
|
|
@@ -173,4 +173,4 @@ export class SarifToSlackClient {
|
|
|
173
173
|
}
|
|
174
174
|
}
|
|
175
175
|
}
|
|
176
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
176
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiU2FyaWZUb1NsYWNrQ2xpZW50LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL1NhcmlmVG9TbGFja0NsaWVudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsUUFBUSxJQUFJLEVBQUUsRUFBRSxNQUFNLElBQUksQ0FBQTtBQUVuQyxPQUFPLE1BQU0sTUFBTSxVQUFVLENBQUE7QUFDN0IsT0FBTyxFQU1MLGFBQWEsRUFDYixnQkFBZ0IsRUFDakIsTUFBTSxTQUFTLENBQUE7QUFDaEIsT0FBTyxNQUFNLE1BQU0sVUFBVSxDQUFBO0FBQzdCLE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxNQUFNLG1CQUFtQixDQUFBO0FBQ3RELE9BQU8sRUFBRSxvQkFBb0IsRUFBRSxNQUFNLHlDQUF5QyxDQUFBO0FBQzlFLE9BQU8sRUFBRSxhQUFhLEVBQUUsTUFBTSxpQkFBaUIsQ0FBQTtBQUMvQyxPQUFPLEVBQUUsaUJBQWlCLEVBQUUsdUJBQXVCLEVBQUUsTUFBTSxvQkFBb0IsQ0FBQTtBQUMvRSxPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sZUFBZSxDQUFBO0FBQzdDLE9BQU8sWUFBWSxNQUFNLHNCQUFzQixDQUFBO0FBQy9DLE9BQU8sRUFBRSxrQkFBa0IsRUFBZ0IsTUFBTSxzQkFBc0IsQ0FBQTtBQUN2RSxPQUFPLEVBQUUsTUFBTSxFQUFFLGdCQUFnQixFQUFFLE1BQU0sZ0JBQWdCLENBQUE7QUFFekQ7OztHQUdHO0FBQ0gsTUFBTSxPQUFPLGtCQUFrQjtJQUNyQixRQUFRLENBQWU7SUFDdkIsV0FBVyxDQUFhO0lBRXhCLE9BQU8sR0FBVyxNQUFNLENBQUMsTUFBTSxDQUFBO0lBRXZDLFlBQW9CLEdBQWdCO1FBQ2xDLE1BQU0sQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUE7UUFDdEIsTUFBTSxDQUFDLFVBQVUsRUFBRSxDQUFBO0lBQ3JCLENBQUM7SUFFTyxNQUFNLENBQUMsQ0FBQyxvQkFBb0I7UUFDbEMsSUFBSSxLQUFLLEdBQVcsQ0FBQyxDQUFBO1FBQ3JCLE9BQU8sSUFBSSxFQUFFLENBQUM7WUFDWixNQUFNLEtBQUssRUFBRSxDQUFBO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFTSxNQUFNLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxJQUErQjtRQUN4RCxNQUFNLFFBQVEsR0FBRyxJQUFJLGtCQUFrQixDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQTtRQUNqRCxRQUFRLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQyxNQUFNLElBQUksUUFBUSxDQUFDLE9BQU8sQ0FBQTtRQUNsRCxRQUFRLENBQUMsV0FBVyxHQUFHLE1BQU0sa0JBQWtCLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQTtRQUN0RSxRQUFRLENBQUMsUUFBUSxHQUFHLE1BQU0sa0JBQWtCLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxXQUFXLEVBQUUsSUFBSSxDQUFDLENBQUE7UUFDbkYsT0FBTyxRQUFRLENBQUE7SUFDakIsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLFNBQXVCO1FBQ3JELE1BQU0sVUFBVSxHQUFhLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxDQUFBO1FBQzFELElBQUksVUFBVSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUM1QixNQUFNLElBQUksS0FBSyxDQUFDLDhDQUE4QyxTQUFTLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQTtRQUNqRixDQUFDO1FBRUQsTUFBTSxLQUFLLEdBQWUsRUFBRSxVQUFVLEVBQUUsSUFBSSxFQUFFLEVBQUUsRUFBRSxRQUFRLEVBQUUsSUFBSSxZQUFZLEVBQUUsRUFBRSxDQUFBO1FBQ2hGLE1BQU0sY0FBYyxHQUFzQixrQkFBa0IsQ0FBQyxvQkFBb0IsRUFBRSxDQUFBO1FBQ25GLEtBQUssTUFBTSxTQUFTLElBQUksVUFBVSxFQUFFLENBQUM7WUFDbkMsTUFBTSxTQUFTLEdBQVcsTUFBTSxFQUFFLENBQUMsUUFBUSxDQUFDLFNBQVMsRUFBRSxNQUFNLENBQUMsQ0FBQTtZQUM5RCxNQUFNLFFBQVEsR0FBUSxJQUFJLENBQUMsS0FBSyxDQUFDLFNBQVMsQ0FBUSxDQUFBO1lBRWxELEtBQUssTUFBTSxHQUFHLElBQUksUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO2dCQUNoQyxNQUFNLEtBQUssR0FBMkIsY0FBYyxDQUFDLElBQUksRUFBRSxDQUFBO2dCQUMzRCxJQUFJLFdBQVcsR0FBd0IsU0FBUyxDQUFBO2dCQUNoRCxLQUFLLE1BQU0sTUFBTSxJQUFJLEdBQUcsQ0FBQyxPQUFPLElBQUksRUFBRSxFQUFFLENBQUM7b0JBQ3ZDLFdBQVcsR0FBRzt3QkFDWixFQUFFLEVBQUUsS0FBSyxDQUFDLEtBQUs7d0JBQ2YsR0FBRzt3QkFDSCxRQUFRLEVBQUUsaUJBQWlCLENBQUMsR0FBRyxFQUFFLE1BQU0sQ0FBQyxDQUFDLElBQUk7cUJBQzlDLENBQUE7b0JBQ0QsS0FBSyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLEVBQUUsU0FBUyxFQUFFLE1BQU0sRUFBRSxXQUFXLEVBQUUsQ0FBQyxDQUFDLENBQUE7Z0JBQ3hFLENBQUM7Z0JBQ0QsV0FBVyxLQUFLO29CQUNkLEVBQUUsRUFBRSxLQUFLLENBQUMsS0FBSyxFQUFFLEdBQUcsRUFBRSxRQUFRLEVBQUUsdUJBQXVCLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSTtpQkFDbEUsQ0FBQTtnQkFDRCxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsQ0FBQTtZQUM5QixDQUFDO1FBQ0gsQ0FBQztRQUNELE9BQU8sS0FBSyxDQUFBO0lBQ2QsQ0FBQztJQUVEOzs7Ozs7OztPQVFHO0lBQ0ssTUFBTSxDQUFDLEtBQUssQ0FBQyxVQUFVLENBQzdCLFVBQXNCLEVBQ3RCLElBQWlFO1FBRWpFLE1BQU0sT0FBTyxHQUFpQixrQkFBa0IsQ0FBQyxJQUFJLENBQUMsVUFBVSxFQUFFO1lBQ2hFLFFBQVEsRUFBRSxJQUFJLENBQUMsUUFBUTtZQUN2QixPQUFPLEVBQUUsSUFBSSxDQUFDLE9BQU87WUFDckIsS0FBSyxFQUFFLGFBQWEsQ0FBQyxVQUFVLENBQUMsUUFBUSxFQUFFLElBQUksQ0FBQyxLQUFLLENBQUM7WUFDckQsY0FBYyxFQUFFLG9CQUFvQixDQUFDLFVBQVUsRUFBRSxJQUFJLENBQUMsY0FBYyxDQUFDO1NBQ3RFLENBQUMsQ0FBQTtRQUNGLElBQUksSUFBSSxDQUFDLE1BQU0sRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUN6QixPQUFPLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsS0FBSyxDQUFDLENBQUE7UUFDeEMsQ0FBQztRQUNELElBQUksSUFBSSxDQUFDLE1BQU0sRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUN6QixPQUFPLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLElBQUksQ0FBQyxNQUFNLEVBQUUsSUFBSSxDQUFDLENBQUE7UUFDM0QsQ0FBQztRQUNELElBQUksSUFBSSxDQUFDLEtBQUssRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUN4QixPQUFPLENBQUMsU0FBUyxDQUFDLElBQUksQ0FBQyxLQUFLLEVBQUUsS0FBSyxDQUFDLENBQUE7UUFDdEMsQ0FBQztRQUNELElBQUksSUFBSSxDQUFDLEdBQUcsRUFBRSxPQUFPLEVBQUUsQ0FBQztZQUN0QixPQUFPLENBQUMsT0FBTyxFQUFFLENBQUE7UUFDbkIsQ0FBQztRQUNELE9BQU8sT0FBTyxDQUFBO0lBQ2hCLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNJLEtBQUssQ0FBQyxJQUFJO1FBQ2YsSUFBSSxJQUFJLENBQUMsV0FBVyxJQUFJLElBQUksRUFBRSxDQUFDO1lBQzdCLE1BQU0sSUFBSSxLQUFLLENBQUMsZ0NBQWdDLENBQUMsQ0FBQTtRQUNuRCxDQUFDO1FBQ0QsSUFBSSxJQUFJLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUMzQixJQUFJLElBQUksQ0FBQyxRQUFRLElBQUksSUFBSSxFQUFFLENBQUM7Z0JBQzFCLE1BQU0sSUFBSSxLQUFLLENBQUMsaUNBQWlDLENBQUMsQ0FBQTtZQUNwRCxDQUFDO1lBQ0QsTUFBTSxJQUFJLEdBQVcsTUFBTSxJQUFJLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxDQUFBO1lBQy9DLE1BQU0sQ0FBQyxJQUFJLENBQUMsdUJBQXVCLEVBQUUsSUFBSSxDQUFDLENBQUE7UUFDNUMsQ0FBQzthQUFNLENBQUM7WUFDTixNQUFNLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFBO1FBQzdDLENBQUM7SUFDSCxDQUFDO0lBRUQsSUFBWSxpQkFBaUI7UUFDM0IsSUFBSSxJQUFJLENBQUMsT0FBTyxJQUFJLElBQUksRUFBRSxDQUFDO1lBQ3pCLE9BQU8sSUFBSSxDQUFBO1FBQ2IsQ0FBQztRQUVELFFBQVEsSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ3JCLEtBQUssTUFBTSxDQUFDLGdCQUFnQjtnQkFDMUIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLGdCQUFnQixDQUFDLFFBQVEsQ0FBQyxJQUFJLElBQUksQ0FBQTtZQUNqRyxLQUFLLE1BQU0sQ0FBQyxZQUFZO2dCQUN0QixPQUFPLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLGNBQWMsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxDQUFBO1lBQzdGLEtBQUssTUFBTSxDQUFDLG9CQUFvQjtnQkFDOUIsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsbUJBQW1CLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLENBQUE7WUFDaEYsS0FBSyxNQUFNLENBQUMsY0FBYztnQkFDeEIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxJQUFJLElBQUksQ0FBQTtZQUMvRixLQUFLLE1BQU0sQ0FBQyxzQkFBc0I7Z0JBQ2hDLE9BQU8sQ0FBQyxDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLG1CQUFtQixDQUFDLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxDQUFBO1lBQ2xGLEtBQUssTUFBTSxDQUFDLFdBQVc7Z0JBQ3JCLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDNUYsS0FBSyxNQUFNLENBQUMsbUJBQW1CO2dCQUM3QixPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxtQkFBbUIsQ0FBQyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsQ0FBQTtZQUMvRSxLQUFLLE1BQU0sQ0FBQyxZQUFZO2dCQUN0QixPQUFPLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLGNBQWMsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxDQUFBO1lBQzdGLEtBQUssTUFBTSxDQUFDLG9CQUFvQjtnQkFDOUIsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsbUJBQW1CLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLENBQUE7WUFDaEYsS0FBSyxNQUFNLENBQUMsZUFBZTtnQkFDekIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxJQUFJLElBQUksQ0FBQTtZQUNoRyxLQUFLLE1BQU0sQ0FBQyx1QkFBdUI7Z0JBQ2pDLE9BQU8sQ0FBQyxDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLG1CQUFtQixDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxDQUFBO1lBQ25GLEtBQUssTUFBTSxDQUFDLFVBQVU7Z0JBQ3BCLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsS0FBSyxDQUFDLElBQUksSUFBSSxDQUFBO1lBQ3hGLEtBQUssTUFBTSxDQUFDLFlBQVk7Z0JBQ3RCLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsT0FBTyxDQUFDLElBQUksSUFBSSxDQUFBO1lBQzFGLEtBQUssTUFBTSxDQUFDLG9CQUFvQjtnQkFDOUIsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsZ0JBQWdCLENBQUMsYUFBYSxDQUFDLE9BQU8sQ0FBQyxDQUFBO1lBQzdFLEtBQUssTUFBTSxDQUFDLFNBQVM7Z0JBQ25CLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxDQUFBO1lBQ3ZGLEtBQUssTUFBTSxDQUFDLGlCQUFpQjtnQkFDM0IsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsZ0JBQWdCLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxDQUFBO1lBQzFFLEtBQUssTUFBTSxDQUFDLFNBQVM7Z0JBQ25CLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxDQUFBO1lBQ3ZGLEtBQUssTUFBTSxDQUFDLGlCQUFpQjtnQkFDM0IsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsZ0JBQWdCLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxDQUFBO1lBQzFFLEtBQUssTUFBTSxDQUFDLFlBQVk7Z0JBQ3RCLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsT0FBTyxDQUFDLElBQUksSUFBSSxDQUFBO1lBQzFGLEtBQUssTUFBTSxDQUFDLG9CQUFvQjtnQkFDOUIsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsZ0JBQWdCLENBQUMsYUFBYSxDQUFDLE9BQU8sQ0FBQyxDQUFBO1lBQzdFLEtBQUssTUFBTSxDQUFDLE1BQU07Z0JBQ2hCLE9BQU8sSUFBSSxDQUFBO1lBQ2IsS0FBSyxNQUFNLENBQUMsSUFBSTtnQkFDZCxPQUFPLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsTUFBTSxJQUFJLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQTtZQUNyRCxLQUFLLE1BQU0sQ0FBQyxLQUFLO2dCQUNmLE9BQU8sQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxNQUFNLElBQUksQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFBO1lBQ3ZELEtBQUssTUFBTSxDQUFDLEtBQUs7Z0JBQ2YsT0FBTyxLQUFLLENBQUE7WUFDZDtnQkFDRSxNQUFNLElBQUksS0FBSyxDQUFDLDZCQUE2QixJQUFJLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQTtRQUNoRSxDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=
|
package/dist/index.cjs
CHANGED
|
@@ -129,16 +129,16 @@ var Color = class {
|
|
|
129
129
|
}
|
|
130
130
|
}
|
|
131
131
|
};
|
|
132
|
-
function identifyColorCommon(findings, prop, none, unknown, color
|
|
132
|
+
function identifyColorCommon(findings, prop, none, unknown, color) {
|
|
133
133
|
if (color.none != null && findings.findByProperty(prop, none) != null) {
|
|
134
134
|
return color.none.value;
|
|
135
135
|
}
|
|
136
136
|
if (color.unknown != null && findings.findByProperty(prop, unknown) != null) {
|
|
137
137
|
return color.unknown.value;
|
|
138
138
|
}
|
|
139
|
-
return
|
|
139
|
+
return void 0;
|
|
140
140
|
}
|
|
141
|
-
function identifyColorBySeverity(findings, color
|
|
141
|
+
function identifyColorBySeverity(findings, color) {
|
|
142
142
|
if (color.critical != null && findings.findByProperty("severity", 5 /* Critical */) != null) {
|
|
143
143
|
return color.critical.value;
|
|
144
144
|
}
|
|
@@ -151,9 +151,9 @@ function identifyColorBySeverity(findings, color, defaultColor) {
|
|
|
151
151
|
if (color.low != null && findings.findByProperty("severity", 2 /* Low */) != null) {
|
|
152
152
|
return color.low.value;
|
|
153
153
|
}
|
|
154
|
-
return identifyColorCommon(findings, "severity", 1 /* None */, 0 /* Unknown */, color
|
|
154
|
+
return identifyColorCommon(findings, "severity", 1 /* None */, 0 /* Unknown */, color);
|
|
155
155
|
}
|
|
156
|
-
function identifyColorByLevel(findings, color
|
|
156
|
+
function identifyColorByLevel(findings, color) {
|
|
157
157
|
if (color.error != null && findings.findByProperty("level", 4 /* Error */) != null) {
|
|
158
158
|
return color.error.value;
|
|
159
159
|
}
|
|
@@ -163,14 +163,28 @@ function identifyColorByLevel(findings, color, defaultColor) {
|
|
|
163
163
|
if (color.note != null && findings.findByProperty("level", 2 /* Note */) != null) {
|
|
164
164
|
return color.note.value;
|
|
165
165
|
}
|
|
166
|
-
return identifyColorCommon(findings, "level", 1 /* None */, 0 /* Unknown */, color
|
|
166
|
+
return identifyColorCommon(findings, "level", 1 /* None */, 0 /* Unknown */, color);
|
|
167
167
|
}
|
|
168
168
|
function identifyColor(findings, colorOpts) {
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
169
|
+
if (!colorOpts) {
|
|
170
|
+
return void 0;
|
|
171
|
+
}
|
|
172
|
+
if (colorOpts.bySeverity) {
|
|
173
|
+
const color = identifyColorBySeverity(findings, colorOpts.bySeverity);
|
|
174
|
+
if (color !== void 0) {
|
|
175
|
+
return color;
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
if (colorOpts.byLevel) {
|
|
179
|
+
const color = identifyColorByLevel(findings, colorOpts.byLevel);
|
|
180
|
+
if (color !== void 0) {
|
|
181
|
+
return color;
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
if (findings.length === 0 && colorOpts.empty?.value !== void 0) {
|
|
185
|
+
return colorOpts.empty.value;
|
|
186
|
+
}
|
|
187
|
+
return colorOpts?.default?.value;
|
|
174
188
|
}
|
|
175
189
|
|
|
176
190
|
// src/model/SendIf.ts
|
|
@@ -260,9 +274,9 @@ function sendIfLogMessage(sendIf) {
|
|
|
260
274
|
var import_webhook = require("@slack/webhook");
|
|
261
275
|
|
|
262
276
|
// src/metadata.json
|
|
263
|
-
var version = "1.2.
|
|
264
|
-
var sha = "
|
|
265
|
-
var buildAt = "2025-08-
|
|
277
|
+
var version = "1.2.1";
|
|
278
|
+
var sha = "bc366246587f5b1994f9ff015c5b9985041a05dc";
|
|
279
|
+
var buildAt = "2025-08-17T14:51:24Z";
|
|
266
280
|
|
|
267
281
|
// src/model/SlackMessage.ts
|
|
268
282
|
function createSlackMessage(url, opts) {
|
package/dist/model/Color.js
CHANGED
|
@@ -47,16 +47,16 @@ export class Color {
|
|
|
47
47
|
}
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
-
function identifyColorCommon(findings, prop, none, unknown, color
|
|
50
|
+
function identifyColorCommon(findings, prop, none, unknown, color) {
|
|
51
51
|
if (color.none != null && findings.findByProperty(prop, none) != null) {
|
|
52
52
|
return color.none.value;
|
|
53
53
|
}
|
|
54
54
|
if (color.unknown != null && findings.findByProperty(prop, unknown) != null) {
|
|
55
55
|
return color.unknown.value;
|
|
56
56
|
}
|
|
57
|
-
return
|
|
57
|
+
return undefined;
|
|
58
58
|
}
|
|
59
|
-
function identifyColorBySeverity(findings, color
|
|
59
|
+
function identifyColorBySeverity(findings, color) {
|
|
60
60
|
if (color.critical != null && findings.findByProperty('severity', SecuritySeverity.Critical) != null) {
|
|
61
61
|
return color.critical.value;
|
|
62
62
|
}
|
|
@@ -69,9 +69,9 @@ function identifyColorBySeverity(findings, color, defaultColor) {
|
|
|
69
69
|
if (color.low != null && findings.findByProperty('severity', SecuritySeverity.Low) != null) {
|
|
70
70
|
return color.low.value;
|
|
71
71
|
}
|
|
72
|
-
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color
|
|
72
|
+
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color);
|
|
73
73
|
}
|
|
74
|
-
function identifyColorByLevel(findings, color
|
|
74
|
+
function identifyColorByLevel(findings, color) {
|
|
75
75
|
if (color.error != null && findings.findByProperty('level', SecurityLevel.Error) != null) {
|
|
76
76
|
return color.error.value;
|
|
77
77
|
}
|
|
@@ -81,7 +81,7 @@ function identifyColorByLevel(findings, color, defaultColor) {
|
|
|
81
81
|
if (color.note != null && findings.findByProperty('level', SecurityLevel.Note) != null) {
|
|
82
82
|
return color.note.value;
|
|
83
83
|
}
|
|
84
|
-
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color
|
|
84
|
+
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color);
|
|
85
85
|
}
|
|
86
86
|
/**
|
|
87
87
|
* Makes an ultimate decision on what color should be Slack message. The decision
|
|
@@ -92,14 +92,24 @@ function identifyColorByLevel(findings, color, defaultColor) {
|
|
|
92
92
|
* @internal
|
|
93
93
|
*/
|
|
94
94
|
export function identifyColor(findings, colorOpts) {
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
95
|
+
if (!colorOpts) {
|
|
96
|
+
return undefined;
|
|
97
|
+
}
|
|
98
|
+
if (colorOpts.bySeverity) {
|
|
99
|
+
const color = identifyColorBySeverity(findings, colorOpts.bySeverity);
|
|
100
|
+
if (color !== undefined) {
|
|
101
|
+
return color;
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
if (colorOpts.byLevel) {
|
|
105
|
+
const color = identifyColorByLevel(findings, colorOpts.byLevel);
|
|
106
|
+
if (color !== undefined) {
|
|
107
|
+
return color;
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
if (findings.length === 0 && colorOpts.empty?.value !== undefined) {
|
|
111
|
+
return colorOpts.empty.value;
|
|
112
|
+
}
|
|
113
|
+
return colorOpts?.default?.value;
|
|
104
114
|
}
|
|
105
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
115
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29sb3IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvbW9kZWwvQ29sb3IudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLGFBQWEsRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLFVBQVUsQ0FBQTtBQUkxRDs7O0dBR0c7QUFDSCxNQUFNLE9BQU8sS0FBSztJQUNDLE1BQU0sQ0FBUztJQUVoQzs7Ozs7Ozs7T0FRRztJQUNILFlBQW1CLEtBQWM7UUFDL0IsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBO1FBQ2xDLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQTtJQUN2QixDQUFDO0lBRUQ7O09BRUc7SUFDSCxJQUFXLEtBQUs7UUFDZCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUE7SUFDcEIsQ0FBQztJQUVPLGNBQWM7UUFDcEIsSUFBSSxJQUFJLENBQUMsTUFBTSxJQUFJLElBQUksRUFBRSxDQUFDO1lBQ3hCLE1BQU0sYUFBYSxHQUFHLG9FQUFvRSxDQUFBO1lBRTFGLElBQUksQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO2dCQUNyQyxNQUFNLElBQUksS0FBSyxDQUFDLHVCQUF1QixJQUFJLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQTtZQUN4RCxDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFFTyxRQUFRLENBQUMsSUFBYTtRQUM1QixRQUFRLElBQUksRUFBRSxDQUFDO1lBQ2IsS0FBSyxTQUFTO2dCQUNaLE9BQU8sU0FBUyxDQUFBO1lBQ2xCLEtBQUssU0FBUztnQkFDWixPQUFPLFNBQVMsQ0FBQTtZQUNsQixLQUFLLFdBQVc7Z0JBQ2QsT0FBTyxTQUFTLENBQUE7WUFDbEIsS0FBSyxTQUFTO2dCQUNaLE9BQU8sU0FBUyxDQUFBO1lBQ2xCO2dCQUNFLE9BQU8sSUFBSSxDQUFBO1FBQ2YsQ0FBQztJQUNILENBQUM7Q0FDRjtBQWdFRCxTQUFTLG1CQUFtQixDQUMxQixRQUFzQixFQUN0QixJQUFPLEVBQ1AsSUFBZ0IsRUFDaEIsT0FBbUIsRUFDbkIsS0FBdUI7SUFFdkIsSUFBSSxLQUFLLENBQUMsSUFBSSxJQUFJLElBQUksSUFBSSxRQUFRLENBQUMsY0FBYyxDQUFDLElBQUksRUFBRSxJQUFJLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUN0RSxPQUFPLEtBQUssQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFBO0lBQ3pCLENBQUM7SUFFRCxJQUFJLEtBQUssQ0FBQyxPQUFPLElBQUksSUFBSSxJQUFJLFFBQVEsQ0FBQyxjQUFjLENBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQzVFLE9BQU8sS0FBSyxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUE7SUFDNUIsQ0FBQztJQUVELE9BQU8sU0FBUyxDQUFBO0FBQ2xCLENBQUM7QUFFRCxTQUFTLHVCQUF1QixDQUFDLFFBQXNCLEVBQUUsS0FBMkI7SUFDbEYsSUFBSSxLQUFLLENBQUMsUUFBUSxJQUFJLElBQUksSUFBSSxRQUFRLENBQUMsY0FBYyxDQUFDLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxRQUFRLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUNyRyxPQUFPLEtBQUssQ0FBQyxRQUFRLENBQUMsS0FBSyxDQUFBO0lBQzdCLENBQUM7SUFFRCxJQUFJLEtBQUssQ0FBQyxJQUFJLElBQUksSUFBSSxJQUFJLFFBQVEsQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLGdCQUFnQixDQUFDLElBQUksQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQzdGLE9BQU8sS0FBSyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUE7SUFDekIsQ0FBQztJQUVELElBQUksS0FBSyxDQUFDLE1BQU0sSUFBSSxJQUFJLElBQUksUUFBUSxDQUFDLGNBQWMsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDakcsT0FBTyxLQUFLLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQTtJQUMzQixDQUFDO0lBRUQsSUFBSSxLQUFLLENBQUMsR0FBRyxJQUFJLElBQUksSUFBSSxRQUFRLENBQUMsY0FBYyxDQUFDLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUMzRixPQUFPLEtBQUssQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFBO0lBQ3hCLENBQUM7SUFFRCxPQUFPLG1CQUFtQixDQUFDLFFBQVEsRUFBRSxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsSUFBSSxFQUFFLGdCQUFnQixDQUFDLE9BQU8sRUFBRSxLQUFLLENBQUMsQ0FBQTtBQUMxRyxDQUFDO0FBRUQsU0FBUyxvQkFBb0IsQ0FBQyxRQUFzQixFQUFFLEtBQXdCO0lBQzVFLElBQUksS0FBSyxDQUFDLEtBQUssSUFBSSxJQUFJLElBQUksUUFBUSxDQUFDLGNBQWMsQ0FBQyxPQUFPLEVBQUUsYUFBYSxDQUFDLEtBQUssQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3pGLE9BQU8sS0FBSyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUE7SUFDMUIsQ0FBQztJQUVELElBQUksS0FBSyxDQUFDLE9BQU8sSUFBSSxJQUFJLElBQUksUUFBUSxDQUFDLGNBQWMsQ0FBQyxPQUFPLEVBQUUsYUFBYSxDQUFDLE9BQU8sQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQzdGLE9BQU8sS0FBSyxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUE7SUFDNUIsQ0FBQztJQUVELElBQUksS0FBSyxDQUFDLElBQUksSUFBSSxJQUFJLElBQUksUUFBUSxDQUFDLGNBQWMsQ0FBQyxPQUFPLEVBQUUsYUFBYSxDQUFDLElBQUksQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3ZGLE9BQU8sS0FBSyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUE7SUFDekIsQ0FBQztJQUVELE9BQU8sbUJBQW1CLENBQUMsUUFBUSxFQUFFLE9BQU8sRUFBRSxhQUFhLENBQUMsSUFBSSxFQUFFLGFBQWEsQ0FBQyxPQUFPLEVBQUUsS0FBSyxDQUFDLENBQUE7QUFDakcsQ0FBQztBQUVEOzs7Ozs7O0dBT0c7QUFDSCxNQUFNLFVBQVUsYUFBYSxDQUFDLFFBQXNCLEVBQUUsU0FBd0I7SUFDNUUsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1FBQ2YsT0FBTyxTQUFTLENBQUE7SUFDbEIsQ0FBQztJQUVELElBQUksU0FBUyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ3pCLE1BQU0sS0FBSyxHQUF1Qix1QkFBdUIsQ0FBQyxRQUFRLEVBQUUsU0FBUyxDQUFDLFVBQVUsQ0FBQyxDQUFBO1FBQ3pGLElBQUksS0FBSyxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ3hCLE9BQU8sS0FBSyxDQUFBO1FBQ2QsQ0FBQztJQUNILENBQUM7SUFFRCxJQUFJLFNBQVMsQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUN0QixNQUFNLEtBQUssR0FBdUIsb0JBQW9CLENBQUMsUUFBUSxFQUFFLFNBQVMsQ0FBQyxPQUFPLENBQUMsQ0FBQTtRQUNuRixJQUFJLEtBQUssS0FBSyxTQUFTLEVBQUUsQ0FBQztZQUN4QixPQUFPLEtBQUssQ0FBQTtRQUNkLENBQUM7SUFDSCxDQUFDO0lBRUQsSUFBSSxRQUFRLENBQUMsTUFBTSxLQUFLLENBQUMsSUFBSSxTQUFTLENBQUMsS0FBSyxFQUFFLEtBQUssS0FBSyxTQUFTLEVBQUUsQ0FBQztRQUNsRSxPQUFPLFNBQVMsQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFBO0lBQzlCLENBQUM7SUFFRCxPQUFPLFNBQVMsRUFBRSxPQUFPLEVBQUUsS0FBSyxDQUFBO0FBQ2xDLENBQUMifQ==
|
|
@@ -55,4 +55,4 @@ export default class CompactGroupByRepresentation extends Representation {
|
|
|
55
55
|
}
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
58
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29tcGFjdEdyb3VwQnlSZXByZXNlbnRhdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9yZXByZXNlbnRhdGlvbnMvQ29tcGFjdEdyb3VwQnlSZXByZXNlbnRhdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLGNBQWMsTUFBTSxrQkFBa0IsQ0FBQTtBQUU3QyxPQUFPLEVBQUUsdUJBQXVCLEVBQUUsTUFBTSxzQkFBc0IsQ0FBQTtBQUM5RCxPQUFPLEVBQUUsYUFBYSxFQUFFLGdCQUFnQixFQUFFLE1BQU0sVUFBVSxDQUFBO0FBRTFELE1BQU0sbUJBQW1CLEdBQUcsMEJBQTBCLENBQUE7QUFFdEQ7Ozs7Ozs7Ozs7Ozs7Ozs7R0FnQkc7QUFDSCxNQUFNLENBQUMsT0FBTyxPQUFnQiw0QkFBNkIsU0FBUSxjQUFjO0lBSXJFLGlCQUFpQixDQUFzRCxHQUFNO1FBQ3JGLE1BQU0sT0FBTyxHQUEyQixJQUFJLENBQUMsYUFBYSxFQUFFLENBQUE7UUFDNUQsSUFBSSxPQUFPLENBQUMsSUFBSSxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ3ZCLE9BQU8sbUJBQW1CLENBQUE7UUFDNUIsQ0FBQztRQUVELE9BQU8sS0FBSyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7YUFDdkIsR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEVBQUUsUUFBUSxDQUFzQixFQUFVLEVBQUU7WUFDdEQsUUFBUSxDQUFDLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFBO1lBQzNDLE1BQU0sT0FBTyxHQUNYLFFBQVEsQ0FBQyxNQUFNLEtBQUssQ0FBQztnQkFDckIsQ0FBQyxDQUFDLG1CQUFtQjtnQkFDckIsQ0FBQyxDQUFDLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLEVBQUUsR0FBRyxDQUFDLENBQUE7WUFDNUMsT0FBTyxHQUFHLEtBQUssS0FBSyxPQUFPLEVBQUUsQ0FBQTtRQUMvQixDQUFDLENBQUM7YUFDRCxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUE7SUFDakIsQ0FBQztJQUVPLG9CQUFvQixDQUFzRCxRQUFtQixFQUFFLEdBQU07UUFDM0csT0FBTyxNQUFNO2FBQ1YsT0FBTyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBVSxFQUFlLEVBQUUsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFnQixDQUFDLENBQUM7YUFDckYsR0FBRyxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsU0FBUyxDQUFrQyxFQUFzQixFQUFFO1lBQzlFLElBQUksU0FBUyxJQUFJLElBQUksRUFBRSxDQUFDO2dCQUN0QixPQUFPLFNBQVMsQ0FBQTtZQUNsQixDQUFDO1lBQ0QsT0FBTyxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsRUFBRSxJQUFJLENBQUMsQ0FBQyxLQUFLLFNBQVMsQ0FBQyxNQUFNLEVBQUUsQ0FBQTtRQUM5RSxDQUFDLENBQUM7YUFDRCxNQUFNLENBQUMsQ0FBQyxDQUFxQixFQUFlLEVBQUUsQ0FBQyxDQUFDLElBQUksSUFBSSxDQUFDO2FBQ3pELElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQTtJQUNmLENBQUM7SUFFTyxnQkFBZ0IsQ0FBc0QsR0FBTSxFQUFFLElBQVk7UUFDaEcsUUFBUSxHQUFHLEVBQUUsQ0FBQztZQUNaLEtBQUssT0FBTyxDQUFDLENBQUMsT0FBTyxhQUFhLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUE7WUFDaEQsS0FBSyxVQUFVLENBQUMsQ0FBQyxPQUFPLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFBO1lBQ3RELE9BQU8sQ0FBQyxDQUFDLE1BQU0sSUFBSSxLQUFLLENBQUMsbUJBQW1CLEVBQUUsR0FBRyxDQUFDLENBQUE7UUFDcEQsQ0FBQztJQUNILENBQUM7Q0FDRiJ9
|
|
@@ -10,4 +10,4 @@ export default class CompactGroupByRunPerLevelRepresentation extends CompactGrou
|
|
|
10
10
|
return this.composeByProperty('level');
|
|
11
11
|
}
|
|
12
12
|
}
|
|
13
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
13
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29tcGFjdEdyb3VwQnlSdW5QZXJMZXZlbFJlcHJlc2VudGF0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3JlcHJlc2VudGF0aW9ucy9Db21wYWN0R3JvdXBCeVJ1blBlckxldmVsUmVwcmVzZW50YXRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTywrQkFBK0IsTUFBTSxtQ0FBbUMsQ0FBQTtBQUUvRTs7Ozs7R0FLRztBQUNILE1BQU0sQ0FBQyxPQUFPLE9BQU8sdUNBQXdDLFNBQVEsK0JBQStCO0lBRWxGLE9BQU87UUFDckIsT0FBTyxJQUFJLENBQUMsaUJBQWlCLENBQUMsT0FBTyxDQUFDLENBQUE7SUFDeEMsQ0FBQztDQUNGIn0=
|
|
@@ -10,4 +10,4 @@ export default class CompactGroupByRunPerSeverityRepresentation extends CompactG
|
|
|
10
10
|
return this.composeByProperty('severity');
|
|
11
11
|
}
|
|
12
12
|
}
|
|
13
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
13
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29tcGFjdEdyb3VwQnlSdW5QZXJTZXZlcml0eVJlcHJlc2VudGF0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3JlcHJlc2VudGF0aW9ucy9Db21wYWN0R3JvdXBCeVJ1blBlclNldmVyaXR5UmVwcmVzZW50YXRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTywrQkFBK0IsTUFBTSxtQ0FBbUMsQ0FBQTtBQUUvRTs7Ozs7R0FLRztBQUNILE1BQU0sQ0FBQyxPQUFPLE9BQU8sMENBQTJDLFNBQVEsK0JBQStCO0lBRXJGLE9BQU87UUFDckIsT0FBTyxJQUFJLENBQUMsaUJBQWlCLENBQUMsVUFBVSxDQUFDLENBQUE7SUFDM0MsQ0FBQztDQUNGIn0=
|
|
@@ -10,10 +10,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
10
10
|
* [Run 2] Grype
|
|
11
11
|
* Warning: 1, Note: 20
|
|
12
12
|
* ```
|
|
13
|
-
* @internal
|
|
14
13
|
* It is an abstract class, so the only question that derived classes should
|
|
15
14
|
* "answer" is what property should be used in the compact representation, such
|
|
16
15
|
* as "level" and "severity".
|
|
16
|
+
* @internal
|
|
17
17
|
*/
|
|
18
18
|
export default class CompactGroupByRunRepresentation extends CompactGroupByRepresentation {
|
|
19
19
|
constructor(model) {
|
|
@@ -11,10 +11,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
11
11
|
* grype-results-02.sarif
|
|
12
12
|
* Warning: 1, Note: 20
|
|
13
13
|
* ```
|
|
14
|
-
* @internal
|
|
15
14
|
* It is an abstract class, so the only question that derived classes should
|
|
16
15
|
* "answer" is what property should be used in the compact representation, such
|
|
17
16
|
* as "level" and "severity".
|
|
17
|
+
* @internal
|
|
18
18
|
*/
|
|
19
19
|
export default class CompactGroupBySarifRepresentation extends CompactGroupByRepresentation {
|
|
20
20
|
constructor(model) {
|
|
@@ -10,10 +10,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
10
10
|
* Trivy
|
|
11
11
|
* Warning: 1, Note: 20
|
|
12
12
|
* ```
|
|
13
|
-
* @internal
|
|
14
13
|
* It is an abstract class, so the only question that derived classes should
|
|
15
14
|
* "answer" is what property should be used in the compact representation, such
|
|
16
15
|
* as "level" and "severity".
|
|
16
|
+
* @internal
|
|
17
17
|
*/
|
|
18
18
|
export default class CompactGroupByToolNameRepresentation extends CompactGroupByRepresentation {
|
|
19
19
|
constructor(model) {
|
|
@@ -8,10 +8,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
8
8
|
* Total
|
|
9
9
|
* Warning: 1, Note: 20
|
|
10
10
|
* ```
|
|
11
|
-
* @internal
|
|
12
11
|
* It is an abstract class, so the only question that derived classes should
|
|
13
12
|
* "answer" is what property should be used in the compact representation, such
|
|
14
13
|
* as "level" and "severity".
|
|
14
|
+
* @internal
|
|
15
15
|
*/
|
|
16
16
|
export default class CompactTotalRepresentation extends CompactGroupByRepresentation {
|
|
17
17
|
groupFindings() {
|
package/package.json
CHANGED
|
@@ -47,7 +47,7 @@ export class SarifToSlackClient {
|
|
|
47
47
|
instance._sendIf = opts.sendIf ?? instance._sendIf
|
|
48
48
|
instance._sarifModel = await SarifToSlackClient.buildModel(opts.sarif)
|
|
49
49
|
instance._message = await SarifToSlackClient.initialize(instance._sarifModel, opts)
|
|
50
|
-
return instance
|
|
50
|
+
return instance
|
|
51
51
|
}
|
|
52
52
|
|
|
53
53
|
private static async buildModel(sarifOpts: SarifOptions): Promise<SarifModel> {
|
package/src/model/Color.ts
CHANGED
|
@@ -32,10 +32,10 @@ export class Color {
|
|
|
32
32
|
|
|
33
33
|
private assertHexColor(): void {
|
|
34
34
|
if (this._color != null) {
|
|
35
|
-
const hexColorRegex = /^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})
|
|
35
|
+
const hexColorRegex = /^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})$/
|
|
36
36
|
|
|
37
37
|
if (!hexColorRegex.test(this._color)) {
|
|
38
|
-
throw new Error(`Invalid hex color: "${this._color}"`)
|
|
38
|
+
throw new Error(`Invalid hex color: "${this._color}"`)
|
|
39
39
|
}
|
|
40
40
|
}
|
|
41
41
|
}
|
|
@@ -123,8 +123,7 @@ function identifyColorCommon<K extends keyof Finding>(
|
|
|
123
123
|
prop: K,
|
|
124
124
|
none: Finding[K],
|
|
125
125
|
unknown: Finding[K],
|
|
126
|
-
color: ColorGroupCommon
|
|
127
|
-
defaultColor?: Color
|
|
126
|
+
color: ColorGroupCommon
|
|
128
127
|
): string | undefined {
|
|
129
128
|
if (color.none != null && findings.findByProperty(prop, none) != null) {
|
|
130
129
|
return color.none.value
|
|
@@ -134,10 +133,10 @@ function identifyColorCommon<K extends keyof Finding>(
|
|
|
134
133
|
return color.unknown.value
|
|
135
134
|
}
|
|
136
135
|
|
|
137
|
-
return
|
|
136
|
+
return undefined
|
|
138
137
|
}
|
|
139
138
|
|
|
140
|
-
function identifyColorBySeverity(findings: FindingArray, color: ColorGroupBySeverity
|
|
139
|
+
function identifyColorBySeverity(findings: FindingArray, color: ColorGroupBySeverity): string | undefined {
|
|
141
140
|
if (color.critical != null && findings.findByProperty('severity', SecuritySeverity.Critical) != null) {
|
|
142
141
|
return color.critical.value
|
|
143
142
|
}
|
|
@@ -154,10 +153,10 @@ function identifyColorBySeverity(findings: FindingArray, color: ColorGroupBySeve
|
|
|
154
153
|
return color.low.value
|
|
155
154
|
}
|
|
156
155
|
|
|
157
|
-
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color
|
|
156
|
+
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color)
|
|
158
157
|
}
|
|
159
158
|
|
|
160
|
-
function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel
|
|
159
|
+
function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel): string | undefined {
|
|
161
160
|
if (color.error != null && findings.findByProperty('level', SecurityLevel.Error) != null) {
|
|
162
161
|
return color.error.value
|
|
163
162
|
}
|
|
@@ -170,7 +169,7 @@ function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel,
|
|
|
170
169
|
return color.note.value
|
|
171
170
|
}
|
|
172
171
|
|
|
173
|
-
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color
|
|
172
|
+
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color)
|
|
174
173
|
}
|
|
175
174
|
|
|
176
175
|
/**
|
|
@@ -182,17 +181,27 @@ function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel,
|
|
|
182
181
|
* @internal
|
|
183
182
|
*/
|
|
184
183
|
export function identifyColor(findings: FindingArray, colorOpts?: ColorOptions): string | undefined {
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
184
|
+
if (!colorOpts) {
|
|
185
|
+
return undefined
|
|
186
|
+
}
|
|
188
187
|
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
188
|
+
if (colorOpts.bySeverity) {
|
|
189
|
+
const color: string | undefined = identifyColorBySeverity(findings, colorOpts.bySeverity)
|
|
190
|
+
if (color !== undefined) {
|
|
191
|
+
return color
|
|
192
|
+
}
|
|
193
|
+
}
|
|
192
194
|
|
|
193
|
-
|
|
195
|
+
if (colorOpts.byLevel) {
|
|
196
|
+
const color: string | undefined = identifyColorByLevel(findings, colorOpts.byLevel)
|
|
197
|
+
if (color !== undefined) {
|
|
198
|
+
return color
|
|
199
|
+
}
|
|
200
|
+
}
|
|
194
201
|
|
|
195
|
-
|
|
202
|
+
if (findings.length === 0 && colorOpts.empty?.value !== undefined) {
|
|
203
|
+
return colorOpts.empty.value
|
|
204
|
+
}
|
|
196
205
|
|
|
197
|
-
return
|
|
206
|
+
return colorOpts?.default?.value
|
|
198
207
|
}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import Representation from './Representation'
|
|
2
2
|
import Finding from '../model/Finding'
|
|
3
3
|
import { findingsComparatorByKey } from '../utils/Comparators'
|
|
4
|
-
import { SecurityLevel, SecuritySeverity } from '../types'
|
|
4
|
+
import { SecurityLevel, SecuritySeverity } from '../types'
|
|
5
5
|
|
|
6
6
|
const NO_VULNS_FOUND_TEXT = 'No vulnerabilities found'
|
|
7
7
|
|
|
@@ -13,10 +13,10 @@ import { SarifModel } from '../types'
|
|
|
13
13
|
* [Run 2] Grype
|
|
14
14
|
* Warning: 1, Note: 20
|
|
15
15
|
* ```
|
|
16
|
-
* @internal
|
|
17
16
|
* It is an abstract class, so the only question that derived classes should
|
|
18
17
|
* "answer" is what property should be used in the compact representation, such
|
|
19
18
|
* as "level" and "severity".
|
|
19
|
+
* @internal
|
|
20
20
|
*/
|
|
21
21
|
export default abstract class CompactGroupByRunRepresentation extends CompactGroupByRepresentation {
|
|
22
22
|
|
|
@@ -14,10 +14,10 @@ import { SarifModel } from '../types'
|
|
|
14
14
|
* grype-results-02.sarif
|
|
15
15
|
* Warning: 1, Note: 20
|
|
16
16
|
* ```
|
|
17
|
-
* @internal
|
|
18
17
|
* It is an abstract class, so the only question that derived classes should
|
|
19
18
|
* "answer" is what property should be used in the compact representation, such
|
|
20
19
|
* as "level" and "severity".
|
|
20
|
+
* @internal
|
|
21
21
|
*/
|
|
22
22
|
export default abstract class CompactGroupBySarifRepresentation extends CompactGroupByRepresentation {
|
|
23
23
|
|
|
@@ -13,10 +13,10 @@ import { SarifModel } from '../types'
|
|
|
13
13
|
* Trivy
|
|
14
14
|
* Warning: 1, Note: 20
|
|
15
15
|
* ```
|
|
16
|
-
* @internal
|
|
17
16
|
* It is an abstract class, so the only question that derived classes should
|
|
18
17
|
* "answer" is what property should be used in the compact representation, such
|
|
19
18
|
* as "level" and "severity".
|
|
19
|
+
* @internal
|
|
20
20
|
*/
|
|
21
21
|
export default abstract class CompactGroupByToolNameRepresentation extends CompactGroupByRepresentation {
|
|
22
22
|
|
|
@@ -10,10 +10,10 @@ import Finding from '../model/Finding'
|
|
|
10
10
|
* Total
|
|
11
11
|
* Warning: 1, Note: 20
|
|
12
12
|
* ```
|
|
13
|
-
* @internal
|
|
14
13
|
* It is an abstract class, so the only question that derived classes should
|
|
15
14
|
* "answer" is what property should be used in the compact representation, such
|
|
16
15
|
* as "level" and "severity".
|
|
16
|
+
* @internal
|
|
17
17
|
*/
|
|
18
18
|
export default abstract class CompactTotalRepresentation extends CompactGroupByRepresentation {
|
|
19
19
|
|
|
@@ -4178,12 +4178,12 @@
|
|
|
4178
4178
|
"GHSA-f5x3-32g6-xq36"
|
|
4179
4179
|
],
|
|
4180
4180
|
"fullDescription": {
|
|
4181
|
-
"markdown": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4182
|
-
"text": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4181
|
+
"markdown": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago",
|
|
4182
|
+
"text": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago"
|
|
4183
4183
|
},
|
|
4184
4184
|
"help": {
|
|
4185
|
-
"markdown": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4186
|
-
"text": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4185
|
+
"markdown": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\u003e \n\u003e ## Impact\n\u003e \n\u003e Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\u003e \n\u003e ## Report resources\n\u003e [payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n\u003e [archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\u003e \n\u003e ## Note\n\u003e This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/javascript/yarn/yarn.lock | tar | 4.4.10 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-f5x3-32g6-xq36 | node-tar | 6.2.1 |\n| GHSA-f5x3-32g6-xq36 | tar | 6.2.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/javascript/yarn/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-28863\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
|
|
4186
|
+
"text": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\u003e \n\u003e ## Impact\n\u003e \n\u003e Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\u003e \n\u003e ## Report resources\n\u003e [payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n\u003e [archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\u003e \n\u003e ## Note\n\u003e This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/javascript/yarn/yarn.lock | tar | 4.4.10 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-f5x3-32g6-xq36 | node-tar | 6.2.1 |\n| GHSA-f5x3-32g6-xq36 | tar | 6.2.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/javascript/yarn/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-28863\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
|
|
4187
4187
|
},
|
|
4188
4188
|
"id": "CVE-2024-28863",
|
|
4189
4189
|
"name": "CVE-2024-28863",
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import {
|
|
2
2
|
Color,
|
|
3
3
|
LogLevel,
|
|
4
|
-
RepresentationType,
|
|
4
|
+
RepresentationType, SarifFileExtension,
|
|
5
5
|
SarifToSlackClient,
|
|
6
6
|
SendIf
|
|
7
7
|
} from '../../src'
|
|
@@ -31,6 +31,15 @@ describe('(integration): SendSarifToSlack', (): void => {
|
|
|
31
31
|
}
|
|
32
32
|
}
|
|
33
33
|
|
|
34
|
+
function processSarifExtension(extension: string): SarifFileExtension {
|
|
35
|
+
const allowed: string[] = ['sarif', 'json']
|
|
36
|
+
if (allowed.includes(extension)) {
|
|
37
|
+
return extension as SarifFileExtension
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
throw new Error(`Unknown extension: ${extension}`)
|
|
41
|
+
}
|
|
42
|
+
|
|
34
43
|
function processRepresentationType(representation?: string): RepresentationType | undefined {
|
|
35
44
|
if (representation == null) {
|
|
36
45
|
return undefined
|
|
@@ -99,6 +108,7 @@ describe('(integration): SendSarifToSlack', (): void => {
|
|
|
99
108
|
iconUrl: process.env.SARIF_TO_SLACK_ICON_URL,
|
|
100
109
|
color: {
|
|
101
110
|
default: new Color(process.env.SARIF_TO_SLACK_COLOR),
|
|
111
|
+
empty: new Color(process.env.SARIF_TO_SLACK_COLOR_EMPTY),
|
|
102
112
|
byLevel: {
|
|
103
113
|
error: new Color(process.env.SARIF_TO_SLACK_COLOR_ERROR),
|
|
104
114
|
warning: new Color(process.env.SARIF_TO_SLACK_COLOR_WARNING),
|
|
@@ -114,15 +124,22 @@ describe('(integration): SendSarifToSlack', (): void => {
|
|
|
114
124
|
none: new Color(process.env.SARIF_TO_SLACK_COLOR_NONE),
|
|
115
125
|
unknown: new Color(process.env.SARIF_TO_SLACK_COLOR_UNKNOWN),
|
|
116
126
|
},
|
|
117
|
-
empty: new Color(process.env.SARIF_TO_SLACK_COLOR_EMPTY),
|
|
118
127
|
},
|
|
119
128
|
sarif: {
|
|
120
129
|
path: process.env.SARIF_TO_SLACK_SARIF_PATH as string,
|
|
121
|
-
recursive:
|
|
122
|
-
|
|
130
|
+
recursive: process.env.SARIF_TO_SLACK_SARIF_PATH_RECURSIVE
|
|
131
|
+
? Boolean(process.env.SARIF_TO_SLACK_SARIF_PATH_RECURSIVE)
|
|
132
|
+
: false,
|
|
133
|
+
extension: process.env.SARIF_TO_SLACK_SARIF_FILE_EXTENSION
|
|
134
|
+
? processSarifExtension(process.env.SARIF_TO_SLACK_SARIF_FILE_EXTENSION)
|
|
135
|
+
: 'sarif',
|
|
123
136
|
},
|
|
124
137
|
log: {
|
|
125
138
|
level: processLogLevel(process.env.SARIF_TO_SLACK_LOG_LEVEL),
|
|
139
|
+
template: process.env.SARIF_TO_SLACK_LOG_TEMPLATE,
|
|
140
|
+
colored: process.env.SARIF_TO_SLACK_LOG_COLORED
|
|
141
|
+
? Boolean(process.env.SARIF_TO_SLACK_LOG_COLORED)
|
|
142
|
+
: true,
|
|
126
143
|
},
|
|
127
144
|
header: {
|
|
128
145
|
include: process.env.SARIF_TO_SLACK_HEADER !== 'skip',
|