This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Bug: https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0 #123

Closed
anuragpathak2608 opened this issue Oct 9, 2020 · 8 comments
Labels
bug Something isn't working

Comments

@anuragpathak2608

Vulnerability URL
https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0

https://ossindex.sonatype.org/component/pkg:npm/mysql@2.18.1


**Description**
The above URL shows there is 1 severe issue (CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) with the SQL npm library version 2.18.1.

However, if it is verified against other resources, it seems to be a false positive, as on the official NPM advisories this version is free from any vulnerability.

NPM advisory:
https://www.npmjs.com/advisories/66/versions
@anuragpathak2608 anuragpathak2608 added the bug Something isn't working label Oct 9, 2020
@ken-duck
Contributor

Sorry for the delay. This should be fixed, and will update sometime tomorrow.

@anuragpathak2608
Author

@ken-duck, thanks for your reply.

Is it updated?
I still cannot see the updated information.

Anurag

@ken-duck
Contributor

ken-duck commented Nov 2, 2020

Very strange. It seems fine on my internal/dev environment. It looks like it is getting jammed up somewhere in the pipeline. Working on it now...

@ken-duck
Contributor

ken-duck commented Nov 2, 2020

I identified an anomaly in some data in the processing pipeline. I gave it a bit of a manual kick. Hopefully that gets things moving again. I will check again tomorrow and give it more of a kicking if required.

@ken-duck
Contributor

ken-duck commented Nov 3, 2020

Oof. This was a rough one. Long story short there was a corrupt entry that was causing all sorts of havoc. It should be resolved (but I won't be certain until tomorrow, fingers crossed). Meanwhile the entry was removed by hand. If the data is clean tomorrow you will see the vulnerability you linked is gone, but there is a known vulnerability that will show up now (it was being blocked by the aforementioned corrupt entry).

The "new" vulnerability you will see is due to a known problem which has never been resolved: mysqljs/mysql#1828

@anuragpathak2608
Author

@ken-duck,
Thanks for the update.

Are you saying there is no workaround for this, and we need to accept this and live with it?

@ken-duck
Contributor

ken-duck commented Nov 9, 2020

So that's a good question. Here is a better description of our current situation.

You should find the original issue resolved at this point. I do not see any vulnerabilities against this package any more:

https://ossindex.sonatype.org/component/pkg:npm/mysql@2.18.1

whereas you can see the vulnerability against this one: https://ossindex.sonatype.org/component/pkg:npm/mysql@2.0.0-alpha7

The original vulnerability link gives you a 404 at this point.

https://ossindex.sonatype.org/vuln/e27505b2-b0b7-4863-a3f5-8df961db080f?component-type=npm&component-name=mysql&utm_source=dependency-track&utm_medium=integration&utm_content=v3.8.0

The "new" issue is working itself down the pipeline but is not active yet, so we have a few days to think about it. Are you using any particular tool (e.g. audit.js) or are you using the API? Some of the tools have an ability to filter vulnerabilities by their UUIDs so you can hide them from your results.

The awkward thing about this vulnerability is it is only against certain use cases, and it looks like there isn't a huge push to fix it.

Do you have any thoughts on how you would like to see it handled?

@ndonewar
Contributor

Closing this older issue as the originally reported vulnerability no longer exists, and the component no longer has any vulnerabilities. Please feel free to reopen or create a new issue if needed. Thanks!
