Commit
[FAB-8456] Document known vulnerabilities
The vulnerabilities found by the nsp (Node Security Platform) tool are in indirect dependencies and can't currently be fixed until dependent packages are updated; therefore, these vulnerabilities are documented in the release notes. In addition, the snyk tool showed a vulnerability in an older version of the restify package which is fixed by upgrading to the latest version of restify.

Change-Id: I8e4bc204b96905cf9de246929f893230276381d9
Signed-off-by: Keith Smith <bksmith@us.ibm.com>
Showing 2 changed files with 63 additions and 0 deletions.
@@ -0,0 +1,62 @@ | ||
v1.1.0 Febuary 22, 2018 | ||
----------------------- | ||
|
||
Release Notes | ||
------------- | ||
|
||
Known Vulnerabilities | ||
--------------------- | ||
|
||
The following vulnerability in the hoek package is an indirect dependency and | ||
can not be resolved until the direct dependencies (grpc and nano) include a | ||
newer version of hoek which fixes this known vulnerability. | ||
|
||
(+) 2 vulnerabilities found | ||
┌────────────┬────────────────────────────────────────────────────────────────────┐ | ||
│ │ Prototype pollution attack │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Name │ hoek │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ CVSS │ 4 (Medium) │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Installed │ 2.16.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Patched │ > 4.2.0 < 5.0.0 || >= 5.0.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Path │ fabric-client@1.1.0-snapshot > grpc@1.9.1 > node-pre-gyp@0.6.39 > │ | ||
│ │ hawk@3.1.3 > hoek@2.16.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ More Info │ https://nodesecurity.io/advisories/566 │ | ||
└────────────┴────────────────────────────────────────────────────────────────────┘ | ||
|
||
┌────────────┬────────────────────────────────────────────────────────────────────┐ | ||
│ │ Prototype pollution attack │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Name │ hoek │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ CVSS │ 4 (Medium) │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Installed │ 2.16.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Vulnerable │ <= 4.2.0 || >= 5.0.0 < 5.0.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Patched │ > 4.2.0 < 5.0.0 || >= 5.0.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ Path │ fabric-client@1.1.0-snapshot > nano@6.4.2 > cloudant-follow@0.13.0 │ | ||
│ │ > request@2.81.0 > hawk@3.1.3 > hoek@2.16.3 │ | ||
├────────────┼────────────────────────────────────────────────────────────────────┤ | ||
│ More Info │ https://nodesecurity.io/advisories/566 │ | ||
└────────────┴────────────────────────────────────────────────────────────────────┘ | ||
|
||
Resolved Vulnerabilities | ||
------------------------ | ||
none | ||
|
||
Known Issues & Workarounds | ||
-------------------------- | ||
none | ||
|
||
Change Log | ||
---------- |