
MMT- 3831: MMT React Vulnerabilities July 2024 #1264

Closed
wants to merge 13 commits into from

Conversation

tle1989
Contributor

@tle1989 tle1989 commented Jul 25, 2024

Overview

What is the feature?

MMT React Vulnerabilities Reported by Snyk (high & fixable) on July 18, 2024
CWE-1333: fast-xml-parser
CWE-1333: micromatch

https://app.snyk.io/org/esdis-cumulus-core-gibs-cmr-etc./project/74c1d039-9245-4c53-8786-e8cd1c1713d0

[Two screenshots, 2024-07-25]

What is the Solution?

Update fast-xml-parser to 4.4.1
Update micromatch to 4.0.6

Will fix these 2 vulnerabilities on this branch MMT-3831

What areas of the application does this impact?

Affected versions of the fast-xml-parser and micromatch packages are vulnerable to Regular Expression Denial of Service (ReDoS)

Testing

Reproduction steps

  • Environment for testing: React local Env

BEFORE THE FIX --> Currently there are 28 vulnerabilities
On branch MMT-3390
Run npm audit

[Screenshot of npm audit output, 2024-08-05]

Note that dicer, request, tough-cookie, and elliptic vulnerabilities currently have no fix available

[Screenshot, 2024-07-25]

AFTER THE FIX
Pull branch MMT-3831
Run npm audit

[Screenshot of npm audit output, 2024-08-05]

No fix available for this one
GHSA-977x-g7h5-7qgw

[Screenshot, 2024-08-06]

We currently still have no fix available for the dicer, request, tough-cookie and elliptic vulnerabilities; ONLY fast-xml-parser and micromatch (to 4.0.6) are being fixed, according to the AC of the ticket

Checklist

  • I have added automated tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • [x] My changes generate no new warnings
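The before/after testing above and the later discussion turn on one distinction in `npm audit` output: advisories that have a fix versus ones with none. As an added example (not code from this PR or the MMT project), the script below reads an `npm audit --json` report (auditReportVersion 2, npm 7 and later) and sorts advisories into fixable, fixable only via a breaking upgrade of a top-level package, and no fix available. The report embedded in it is a constructed sample: the fast-xml-parser and micromatch ranges follow the versions named in this PR, while the dicer, elliptic and "example-*" entries are placeholders.

```javascript
// Added example; not code from this PR or the MMT project. Triage an
// `npm audit --json` report (auditReportVersion 2, npm 7 and later).
// SAMPLE_AUDIT is a constructed report, not the project's real output;
// the dicer/elliptic ranges and the "example-*" packages are placeholders.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "fast-xml-parser": { name: "fast-xml-parser", severity: "high", isDirect: false,
      range: "<4.4.1", fixAvailable: true },
    micromatch: { name: "micromatch", severity: "high", isDirect: false,
      range: "<4.0.6", fixAvailable: true },
    dicer: { name: "dicer", severity: "high", isDirect: false,
      range: "*", fixAvailable: false },
    elliptic: { name: "elliptic", severity: "moderate", isDirect: false,
      range: "*", fixAvailable: false },
    // Constructed case: a fix exists only by moving a top-level package across
    // a major version, which `npm audit fix` does not do without --force.
    "example-transitive": { name: "example-transitive", severity: "high", isDirect: false,
      range: "<2.0.0", fixAvailable: { name: "example-parent", version: "9.0.0", isSemVerMajor: true } },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 4, critical: 0, total: 5 } },
};

function triageAudit(report) {
  if (report.auditReportVersion !== 2) throw new Error("expected npm audit report version 2");
  const out = { fixable: [], breakingFix: [], unfixable: [], bySeverity: {} };
  for (const v of Object.values(report.vulnerabilities)) {
    out.bySeverity[v.severity] = (out.bySeverity[v.severity] || 0) + 1;
    const entry = { name: v.name, severity: v.severity, range: v.range };
    const fix = v.fixAvailable;
    if (fix === true || (fix && typeof fix === "object" && !fix.isSemVerMajor)) {
      out.fixable.push(entry);
    } else if (fix && typeof fix === "object") {
      out.breakingFix.push({ ...entry, requires: `${fix.name}@${fix.version}` });
    } else {
      out.unfixable.push(entry); // the "patched versions: None" case from the thread
    }
  }
  return out;
}

// One-line summary in the shape npm prints, e.g. "5 vulnerabilities (1 moderate, 4 high)".
function summaryLine(report) {
  const m = report.metadata.vulnerabilities;
  const parts = ["info", "low", "moderate", "high", "critical"]
    .filter((s) => m[s] > 0).map((s) => `${m[s]} ${s}`);
  return `${m.total} vulnerabilit${m.total === 1 ? "y" : "ies"} (${parts.join(", ")})`;
}

const triage = triageAudit(SAMPLE_AUDIT);
console.log(summaryLine(SAMPLE_AUDIT));
console.log("fixable:", triage.fixable.map((e) => e.name).join(", "));
console.log("needs major upgrade:", triage.breakingFix.map((e) => `${e.name} (via ${e.requires})`).join(", "));
console.log("no fix available:", triage.unfixable.map((e) => e.name).join(", "));
```

To run it against a real project, replace SAMPLE_AUDIT with `JSON.parse(fs.readFileSync("audit.json"))` after `npm audit --json > audit.json`.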

@codecov-commenter

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.60%. Comparing base (0c84be5) to head (0413a35).
Report is 5 commits behind head on MMT-3390.

@@            Coverage Diff            @@
##           MMT-3390    #1264   +/-   ##
=========================================
  Coverage     97.59%   97.60%           
=========================================
  Files           358      359    +1     
  Lines          5373     5383   +10     
  Branches       1113     1124   +11     
=========================================
+ Hits           5244     5254   +10     
  Misses          128      128           
  Partials          1        1           


@mandyparson
Contributor

When I pull MMT-3831 I don't see any changes to the # of vulnerabilities? It's at 22 vulnerabilities (3 moderate, 19 high) before and 22 vulnerabilities (2 moderate, 20 high) after.

@tle1989
Contributor Author

tle1989 commented Aug 6, 2024

When I pull MMT-3831 I don't see any changes to the # of vulnerabilities? It's at 22 vulnerabilities (3 moderate, 19 high) before and 22 vulnerabilities (2 moderate, 20 high) after.

These vulnerabilities are new since I created the PR and are not part of the AC; I also just fixed those here too, except the ones that are not fixable.

@mandyparson
Contributor

mandyparson commented Aug 7, 2024

Can you explain why we can't fix the ones that say a fix is available? i.e. HeaderParser in dicer and Elliptic's EDDSA missing signature length check?

Because patched versions is None

@tle1989 tle1989 closed this Aug 7, 2024
@tle1989 tle1989 deleted the MMT-3831 branch August 7, 2024 17:32