False positive Vulnerability/RetireJs finding


Manuel

Dec 17, 2024, 10:25:16 AM
to ZAP Developer Group
We use react-dom in version 18.3.1 in our project.
The zap-baseline scan flags this library in this version as vulnerable.

Description: "The identified library react-dom, version 18.3. is vulnerable."
Evidence: version:"18.3.1",rendererPackageName:"react-dom"
https://www.zaproxy.org/docs/alerts/10003/

However, when we execute retirejs on the same repository (using npx retirejs) it doesn't report any finding, and there are no known CVEs in that version of this library.

Also, in the retirejs CVE repository there seems to be no entry for react-dom 18.3.1, see https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository-v4.json

We use the Github Action Scan (https://github.com/zaproxy/action-baseline), which uses docker image: ghcr.io/zaproxy/zaproxy:stable and the zap-baseline.py script under the hood.

It would be great if you could have a look at what the possible cause for this could be.

Thank you very much!

psiinon

Dec 17, 2024, 10:52:02 AM
to ZAP Developer Group
This group is for ZAP development not for ZAP support.
Please use the ZAP User Group: https://groups.google.com/group/zaproxy-users

If you search for react-dom on that page you'll see there are only CVEs for 16.* so yes, this does look like a false positive.
So in this case a new false positive issue would be appreciated :)
The text around the evidence reported would be very useful in this case.

Cheers,

Simon
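The triage Manuel describes (checking the detected react-dom version against the retire.js repository) and Simon's point that the repository only lists react-dom CVEs for 16.* both come down to one check: does the extracted version fall inside any advisory's version range? The script below is an added example, not code from ZAP or retire.js. The repository entries are constructed placeholders that only copy the `atOrAbove`/`below` field shape of retire.js advisories (the ranges and summaries are not real advisories), and the evidence regex is an assumed extractor modelled on the evidence string quoted in the thread.

```python
import json
import re

# Constructed sample in the shape of a retire.js repository entry. The ranges and
# summaries are placeholders for this example, not copied from jsrepository-v4.json.
SAMPLE_REPOSITORY = json.loads("""
{
  "react-dom": {
    "vulnerabilities": [
      {
        "atOrAbove": "16.0.0",
        "below": "16.0.1",
        "severity": "high",
        "identifiers": {"summary": "placeholder advisory A (constructed)"}
      },
      {
        "atOrAbove": "16.1.0",
        "below": "16.4.2",
        "severity": "medium",
        "identifiers": {"summary": "placeholder advisory B (constructed)"}
      }
    ]
  }
}
""")

# Constructed page-body snippet shaped like the alert evidence quoted in the thread.
SAMPLE_EVIDENCE = 'version:"18.3.1",rendererPackageName:"react-dom"'

# Assumed extractor: pulls the version and package name out of a React DOM
# renderer banner. Real retire.js extractors are regexes of the same kind.
EVIDENCE_RE = re.compile(
    r'version:"(?P<version>[0-9][0-9A-Za-z.\-]*)",rendererPackageName:"(?P<name>[^"]+)"'
)


def version_key(text, width=4):
    """Turn a dotted version into a fixed-width integer tuple for comparison.

    Parsing stops at the first non-numeric part, so a truncated string such as
    '18.3.' or a pre-release tag does not raise; missing parts are padded with 0.
    """
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    nums = nums[:width] + [0] * (width - len(nums))
    return tuple(nums)


def in_range(version, at_or_above=None, below=None):
    """True when version is within [at_or_above, below), either bound optional."""
    v = version_key(version)
    if at_or_above is not None and v < version_key(at_or_above):
        return False
    if below is not None and v >= version_key(below):
        return False
    return True


def matching_advisories(repo, name, version):
    """Return every advisory for `name` whose range contains `version`."""
    entries = repo.get(name, {}).get("vulnerabilities", [])
    return [
        e for e in entries
        if in_range(version, e.get("atOrAbove"), e.get("below"))
    ]


def extract_library(evidence):
    """Apply the assumed extractor to a page snippet; returns (name, version) or None."""
    m = EVIDENCE_RE.search(evidence)
    if not m:
        return None
    return m.group("name"), m.group("version")


def triage(evidence, repo=SAMPLE_REPOSITORY):
    """Reproduce the manual check from the thread: is the detected version in any advisory range?"""
    found = extract_library(evidence)
    if found is None:
        return {"status": "no-library-detected"}
    name, version = found
    hits = matching_advisories(repo, name, version)
    return {
        "library": name,
        "version": version,
        "advisories": hits,
        "status": "vulnerable" if hits else "no-known-advisory",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVIDENCE))
    print(triage('version:"16.2.0",rendererPackageName:"react-dom"'))
```

Running the script reports `no-known-advisory` for the 18.3.1 evidence from the thread and `vulnerable` for a constructed 16.2.0 banner, which is the outcome a correct range check gives when the only advisories are for 16.*. When a scanner's verdict disagrees with this kind of direct comparison, the two places to look are the extractor (what version string was actually captured from the page) and the range comparison, which is why Simon asks for the text surrounding the evidence.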

kingthorin+zap

Dec 18, 2024, 9:06:24 AM
to ZAP Developer Group
I have confirmed that there was an issue resulting in False Positives. A fix will be coming shortly.

Rick

Manuel

Dec 18, 2024, 1:40:42 PM
to ZAP Developer Group
@Simon first off, sorry, I came from the zap-extensions repo https://github.com/zaproxy/zap-extensions (the alert https://www.zaproxy.org/docs/alerts/10003/ pointed to https://github.com/zaproxy/zap-extensions/blob/main/addOns/retire/src/main/java/org/zaproxy/addon/retire/RetireScanRule.java) and there I wasn't able to open any issue, and in the contribution guidelines I only found this email group. Looking back at it, I could have come to the conclusion to open an issue at the base repo instead... my bad 🙈  Thank you for pointing me in the right direction!

@Rick thank you for looking into it, although it was posted in the wrong location 😅. Thanks for fixing it!

psiinon

Dec 19, 2024, 4:49:43 AM
to ZAP Developer Group
No problem - it's not always easy to work out where underlying issues are located :)
Thanks for reporting it!