Do you plan to upgrade JQuery in a future ProGet release?
-
Re: XSS vulnerability on JQuery < 3.5.0 - ProGet 5.3.4
Please verify if you will or will not upgrade JQuery to a more recent version.
If not, is it possible to manually update JQuery myself? If so, please provide steps.
-
As I mentioned, our usage of this library is minimal, and we do not use it in a manner that would impact product security (i.e. "passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others)"). So please consider this a "false positive".
The only benefit to our customers/users is to appease security teams that don't really understand how security or vulnerabilities work.
However, that's actually a benefit in and of itself -- can you let me know what security scanner you use? What security processes are being used such that a security team is even looking at third-party vendor tools like ours? How do they learn or understand "false positives", etc? Understanding that would help us.
What I don't want to do is play the game of "introduce new bugs/glitches by constantly upgrading JavaScript libraries just to appease clueless security teams" -- so learning how they scan would really help me decide.
Thanks!
-
@rbenfield_1885 hello, just as an update: we'll make it so that automated scanners don't complain about this version in upcoming versions of ProGet (no ETA).
-
Sorry to drag this older topic back up, however we do have to appease security teams.
- I believe as forum admin you can see my email address; happy if you reach out to discuss this further privately with me about the exact whys for my environment.
This same JQuery vulnerability was also previously reported on BuildMaster v7.
This was picked up by Nessus on BuildMaster v7:
http://buildmaster:8622/resources/InedoLib/jquery-1.11.3.min.js
And I note that the same library is still in use in v2023, it's just been renamed:
http://buildmaster:8622/resources/InedoLib/jquery.min.js
Thanks,
Paul
-
@paul_6112 said in Do you plan to upgrade JQuery in a future ProGet release?:
This was picked up by Nessus on BuildMaster v7
Lol wow - that's ridiculous
As I mentioned before, it's a forked library, thus not vulnerable. So I suppose you can continue reporting it as a "false positive" to whoever seems to care, and perhaps we'll also just edit the version number out to appease the security tool.