github.com/jfrog/frogbot@v1.1.1-0.20231221090046-821a26f50338/testdata/scanpullrequest/expected_response.md

<div align='center'>

[![🚨 Frogbot scanned this pull request and found the below:](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>


## 📦 Vulnerable Dependencies
### ✍️ Summary
<div align='center'>

| SEVERITY                | CONTEXTUAL ANALYSIS                  | DIRECT DEPENDENCIES                  | IMPACTED DEPENDENCY                  | FIXED VERSIONS                  | CVES                  |
| :---------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: | :-----------------------------------: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png)<br>Critical | Not Applicable | minimist:1.2.5 | minimist 1.2.5 | [0.2.4]<br>[1.2.6] | CVE-2021-44906 |

</div>

### 🔬 Research Details
**Description:**
[Minimist](https://github.com/substack/minimist) is a simple and very popular argument parser. As of March 2022 it was used by more than 14 million. Its developers stopped maintaining it in April 2020, and the community released a [newer version](https://github.com/meszaros-lajos-gyorgy/minimist-lite) that it maintains.


An incomplete fix for [CVE-2020-7598](https://nvd.nist.gov/vuln/detail/CVE-2020-7598) partially blocked prototype pollution attacks. Researchers discovered that it does not check for constructor functions, which means they can be overridden. This behavior is easy to trigger when the parser is used insecurely (which is the common usage). For example:
```js
var parse = require('minimist'); // the vulnerable parser (1.2.5)
var t = require('assert');       // stands in for the tape test object in minimist's suite
// the dotted key walks argv._ -> concat -> constructor -> prototype
var argv = parse(['--_.concat.constructor.prototype.y', '123']);
t.equal((function(){}).foo, undefined);
t.equal(argv.y, undefined);
```
In this example, `prototype.y` is assigned `123`, which every newly created object then inherits.

This vulnerability can be triggered when attacker-controlled input is parsed using Minimist without any validation. As always with prototype pollution, the impact depends on the code that follows the attack, but denial of service is almost always guaranteed.

**Remediation:**
##### Development mitigations

Add the `Object.freeze(Object.prototype);` statement once at the beginning of your main JS source code file (e.g. `index.js`), preferably after all your `require` calls. This prevents any changes to the `Object.prototype` object, thus completely negating prototype pollution attacks that target it.
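As an added example, not code from minimist or Frogbot: a minimal dotted-key setter modelled on the parser behaviour described above, with a check that the `Object.freeze(Object.prototype)` remediation blocks the `constructor.prototype` route. The function names are hypothetical.

```javascript
// Added example (not minimist's or Frogbot's code). A naive dotted-key
// assignment ("a.b.c" -> target.a.b.c = value) that follows whatever
// properties already exist. Every plain object exposes "constructor" and
// every function exposes "prototype", so an unvalidated key such as
// "constructor.prototype.x" walks straight onto Object.prototype.
function naiveSetDottedKey(target, key, value) {
  const parts = key.split('.');
  let obj = target;
  for (const part of parts.slice(0, -1)) {
    if (obj[part] === undefined) obj[part] = {};
    obj = obj[part];
  }
  obj[parts[parts.length - 1]] = value;
  return target;
}

// True if Object.prototype now carries the leaf key as its own property,
// i.e. every newly created object would inherit it.
function isPolluted(leaf) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, leaf);
}

// Parse one hostile key into a throwaway object and report whether the
// shared prototype was polluted. The leaf is removed afterwards so the
// process is left clean for the next check.
function pollutionSucceeds(key, value) {
  const leaf = key.split('.').pop();
  try {
    naiveSetDottedKey({}, key, value);
  } catch (e) {
    // With a frozen prototype the assignment throws in strict mode and
    // fails silently in sloppy mode; the check below covers both cases.
  }
  const polluted = isPolluted(leaf);
  delete Object.prototype[leaf];
  return polluted;
}

// The remediation from the advisory: freeze Object.prototype once at
// startup, after all require() calls. Returns the frozen state.
function hardenObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', pollutionSucceeds('constructor.prototype.polluted', 'yes')); // true
  hardenObjectPrototype();
  console.log('after: ', pollutionSucceeds('constructor.prototype.polluted', 'yes')); // false
}
```

`Object.freeze` only freezes the object it is given, so `Function.prototype` (the target of the `concat.constructor.prototype` key above) stays extensible; freezing `Object.prototype` is a backstop, not a substitute for validating untrusted keys before parsing.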


---
<div align='center'>

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>