Problem with IQ Server vulnerability : sonatype-2020-0067

[turbo-xav]

Hi,

Here is my problem.
I want to install "compodoc" in an internal angular project but one dependencies is blocked by Iq server for this reason :

Sonatype-2020-0067 :
EXPLANATION
The acorn package is vulnerable to Regular Expression Denial of Service (ReDoS). The RegExpValidationState.prototype.at and RegExpValidationState.prototype.nextIndex functions in acorn.js, acorn.mjs, and acorn.es.js process user-supplied input without properly validating UTF-16 surrogate pairs. A remote attacker can exploit this behavior by submitting a crafted UTF-16 encoded string which, when parsed by the application, will result in an infinite loop, ultimately leading to a DoS condition.
ROOT CAUSE
static-module-3.0.4.tgzpackage/dist/acorn.js[5.5.0, 5.7.4)
ADVISORIES
Third Party:https://www.npmjs.com/advisories/1488

Is there a solution to fix it in futur version of "static module" ?

Best regards

[Shadowninja33]

Bumping this as it is still an issue my team is facing.

[kaiynX]

i am having this issue as of today as well.

sonatype-2020-0067:
Explanation
The acorn package is vulnerable to Regular Expression Denial of Service (ReDoS). The RegExpValidationState.prototype.at and RegExpValidationState.prototype.nextIndex functions in acorn.js, acorn.mjs, and acorn.es.js process user-supplied input without properly validating UTF-16 surrogate pairs. A remote attacker can exploit this behavior by submitting a crafted UTF-16 encoded string which, when parsed by the application, will result in an infinite loop, ultimately leading to a DoS condition.

Root Cause
static-module-3.0.4.tgzpackage/bench/input.js[5.5.0, 5.7.4)

Advisories
Third Party:https://www.npmjs.com/advisories/1488

[goto-bus-stop]

Root Cause
static-module-3.0.4.tgz package/bench/input.js[5.5.0, 5.7.4)

I'm n'ot sure if I'm reading this right but the bench/input.js file is only used as input for the tests and it is never ever executed. If this file is marked as a "root cause", that is a false positive that you should ignore or flag with your provider.

[goto-bus-stop]

Regardless of anything, you probably aren't using static-module on untrusted input, so even if it's flagging code that is actually running it's still a false positive that you can ignore and that sonatype should stop reporting.

If you are using static-module (or likely brfs) on untrusted input you have bigger problems than this, because there are intentional arbitrary code execution "vulnerabilities" that are essential to the functioning of this package. It is simply not intended to be used that way. It should only be used at build time on your own (i.e. trusted) code.