github.com/jfrog/frogbot@v1.1.1-0.20231221090046-821a26f50338/testdata/scanpullrequest/commits.json

github.com/jfrog/frogbot@v1.1.1-0.20231221090046-821a26f50338/testdata/scanpullrequest/commits.json (about)

     1  [
     2    {
     3  	"id": 1487055035,
     4  	"type": null,
     5  	"body": "added 1 commit\n\n\u003cul\u003e\u003cli\u003e99ef9ac7 - merge\u003c/li\u003e\u003c/ul\u003e\n\n[Compare with previous version](/test/multi-example-project/-/merge_requests/1/diffs?diff_id=743652694\u0026start_sha=e2dc35785eec29f35b2aae95d39df2b99db2274e)",
     6  	"attachment": null,
     7  	"author": {
     8  	  "id": 13377328,
     9  	  "username": "test",
    10  	  "name": "Test",
    11  	  "state": "active",
    12  	  "avatar_url": "https://secure.gravatar.com/avatar/005f2d268f06e85fcae3e48c96217dd3?s=80\u0026d=identicon",
    13  	  "web_url": "https://gitlab.com/test"
    14  	},
    15  	"created_at": "2023-07-25T12:28:13.095Z",
    16  	"updated_at": "2023-07-25T12:28:13.097Z",
    17  	"system": true,
    18  	"noteable_id": 218824340,
    19  	"noteable_type": "MergeRequest",
    20  	"project_id": 45341022,
    21  	"resolvable": false,
    22  	"confidential": false,
    23  	"internal": false,
    24  	"noteable_iid": 1,
    25  	"commands_changes": {}
    26    },
    27    {
    28  	"id": 1419499611,
    29  	"type": null,
    30  	"body": "\u003cdetails\u003e\n\u003csummary\u003e\u003ch4\u003elodash 4.17.0\u003ch4\u003e\u003c/summary\u003e\n\n## Vulnerability Details\n\n- **Severity:** 👌 High\n- **Contextual Analysis:** Not Applicable\n- **Package Name:** lodash\n- **Current Version:** 4.17.19\n- **Upgrade to Version:** 4.17.20\n- **CVEs:** CVE-2020-8203\n\n**Description:**\n\n[lodash](https://lodash.com/) is a JavaScript library which provides utility functions for common programming tasks.\n\nJavaScript frontend and Node.js-based backend applications that merge or zip objects using the lodash functions `mergeWith`, `merge` and `zipObjectDeep` are vulnerable to [prototype pollution](https://medium.com/node-modules/what-is-prototype-pollution-and-why-is-it-such-a-big-deal-2dd8d89a93c) if one or more of the objects it receives as arguments are obtained from user input. \nAn attacker controlling this input given to the vulnerable functions can inject properties to JavaScript special objects such as [Object.prototype](https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Objects/Object_prototypes) from which all JavaScript objects inherit properties and methods. Any change on `Object.prototype` properties will then propagate through the prototype chain inheritance to all of the objects in a JavaScript application. This in turn would allow an attacker to add new properties or modify existing properties which will have application specific implications that could lead to DoS (denial of service), authentication bypass, privilege escalation and even RCE (remote code execution) in [some cases](https://youtu.be/LUsiFV3dsK8?t=1152). \nAs an example for privilege escalation, consider a JavaScript application that has a `user` object which has a Boolean property of `user.isAdmin` which is used to decide which actions the user may take. If an attacker can modify or add the `isAdmin` property through prototype pollution, it can escalate the privileges of its own user to those of an admin. \nAs exploitation is usually application specific, successful exploitation is much more likely if an attacker have access to the JavaScript application code. As such, frontend applications are more vulnerable to this vulnerability than Node.js backend applications.\n\n**Remediation:**\n##### Deployment mitigations\n\nAs general guidelines against prototype pollution, first consider not merging objects originating from user input or using a Map structure instead of an object. If merging objects is needed, look into creating objects without a prototype with `Object.create(null)` or into freezing `Object.prototype` with `Object.freeze()`. Finally, it is always best to perform input validation with a a [JSON schema validator](https://github.com/ajv-validator/ajv), which could mitigate this issue entirely in many cases.\n\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch4\u003eprotobufjs 6.11.12\u003ch4\u003e\u003c/summary\u003e\n\n## Vulnerability Details\n\n- **Severity:** 🔥 High\n- **Contextual Analysis:** Applicable\n- **Package Name:** protobufjs\n- **Current Version:** 6.11.2\n- **Upgrade to Version:** 6.11.3\n- **CVEs:** CVE-2022-25878\n\n**Description:**\n\n[Protocol Buffers](https://developers.google.com/protocol-buffers) or \"protobufs\" are a language-neutral, platform-neutral, extensible way of serializing structured data. [protobuf.js](https://www.npmjs.com/package/protobufjs) is a JavaScript library that allows creating and consuming protobufs.\n\nMultiple prototype pollution vulnerabilities were detected in the `protobuf.js` library. Namely these can occur when:\n1. `util.setProperty` receives untrusted input in arguments 2 \u0026 3 -\n```js\nprotobuf.util.setProperty({}, \"__proto__.someprop\", \"somevalue\");\n```\n\n2. `ReflectionObject.setParsedOption` receives untrusted input in arguments 2 \u0026 3\n```js\nlet obj = new protobuf.ReflectionObject(\"Test\")\nobj.setParsedOption({}, \"somevalue\", \"__proto__.someprop\");\n```\n\n3. `parse` receives untrusted input (an untrusted  `.proto` definition) -\n```js\nlet p = `option (foo).__proto__.someprop= \"somevalue\";` \nprotobuf.parse(p)\n```\n\n4. `load` receives an untrusted  `.proto`  file -\n```js\nprotobuf.load(\"/path/to/untrusted.proto\", function(err, root) { ... });\n```\n\n**Remediation:**\n##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.\n\n\n\u003c/details\u003e\n\n---\n[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/vulnerabilitiesBanner.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)\n\n[What is Frogbot?](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)",
    31  	"attachment": null,
    32  	"author": {
    33  	  "id": 13377328,
    34  	  "username": "test",
    35  	  "name": "Test",
    36  	  "state": "active",
    37  	  "avatar_url": "https://secure.gravatar.com/avatar/005f2d268f06e85fcae3e48c96217dd3?s=80\u0026d=identicon",
    38  	  "web_url": "https://gitlab.com/test"
    39  	},
    40  	"created_at": "2023-06-06T08:30:07.783Z",
    41  	"updated_at": "2023-06-06T08:31:11.997Z",
    42  	"system": false,
    43  	"noteable_id": 218824340,
    44  	"noteable_type": "MergeRequest",
    45  	"project_id": 45341022,
    46  	"resolvable": false,
    47  	"confidential": false,
    48  	"internal": false,
    49  	"noteable_iid": 1,
    50  	"commands_changes": {}
    51    },
    52    {
    53  	"id": 1417804152,
    54  	"type": null,
    55  	"body": "## Vulnerability Details\n\n- **Severity:** High\n- **Contextual Analysis:** $\\color{red}{\\textsf{Applicable}}$\n- **Package Name:** protobufjs\n- **Current Version:** 6.11.2\n- **Upgrade to Version:** 6.11.3\n- **CVEs:** CVE-2022-25878\n\n**Summary:**\n\n[Protocol Buffers](https://developers.google.com/protocol-buffers) or \"protobufs\" are a language-neutral, platform-neutral, extensible way of serializing structured data. [protobuf.js](https://www.npmjs.com/package/protobufjs) is a JavaScript library that allows creating and consuming protobufs.\n\nMultiple prototype pollution vulnerabilities were detected in the `protobuf.js` library. Namely these can occur when:\n1. `util.setProperty` receives untrusted input in arguments 2 \u0026 3 -\n```js\nprotobuf.util.setProperty({}, \"__proto__.someprop\", \"somevalue\");\n```\n\n2. `ReflectionObject.setParsedOption` receives untrusted input in arguments 2 \u0026 3\n```js\nlet obj = new protobuf.ReflectionObject(\"Test\")\nobj.setParsedOption({}, \"somevalue\", \"__proto__.someprop\");\n```\n\n3. `parse` receives untrusted input (an untrusted  `.proto` definition) -\n```js\nlet p = `option (foo).__proto__.someprop= \"somevalue\";` \nprotobuf.parse(p)\n```\n\n4. `load` receives an untrusted  `.proto`  file -\n```js\nprotobuf.load(\"/path/to/untrusted.proto\", function(err, root) { ... });\n```\n\n**Remediation:**\n##### Development mitigations\n\nAdd the `Object.freeze(Object.prototype);` directive once at the beginning of your main JS source code file (ex. `index.js`), preferably after all your `require` directives. This will prevent any changes to the prototype object, thus completely negating prototype pollution attacks.",
    56  	"attachment": null,
    57  	"author": {
    58  	  "id": 13377328,
    59  	  "username": "test",
    60  	  "name": "Test",
    61  	  "state": "active",
    62  	  "avatar_url": "https://secure.gravatar.com/avatar/005f2d268f06e85fcae3e48c96217dd3?s=80\u0026d=identicon",
    63  	  "web_url": "https://gitlab.com/test"
    64  	},
    65  	"created_at": "2023-06-05T07:51:05.607Z",
    66  	"updated_at": "2023-06-11T12:51:06.872Z",
    67  	"system": false,
    68  	"noteable_id": 218824340,
    69  	"noteable_type": "MergeRequest",
    70  	"project_id": 45341022,
    71  	"resolvable": false,
    72  	"confidential": false,
    73  	"internal": false,
    74  	"noteable_iid": 1,
    75  	"commands_changes": {}
    76    }
    77  ]