Vulnerability Patch #2992

Closed
opened 2023-09-19 19:19:32 +00:00 by bsaracalign · 2 comments

Hello,

Snyk is finding a Medium Severity warning for the XLSX package for the latest version "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.0/xlsx-0.20.0.tgz", mentioned here https://docs.sheetjs.com/docs/getting-started/installation/nodejs/#legacy-endpoints

Do you plan to have an update to address this vulnerability?

Owner

This is believed to be a bug in Snyk processing. See #2986 for more details.

tl;dr: there is a "Product Status" field in the CVE report. Snyk uses that field to calculate affected versions. The MITRE corporation (who runs cve.org), as a matter of policy, does not use that field.

If you have a support plan with them, please reach out to Snyk support and direct them to this issue or ask them to reach out to security@sheetjs.com

@stof out of curiosity, was Snyk the "auditing tool" that was expecting the "affected versions" field?

Owner

The Note in the Snyk page clearly states:

> The issue resolved in version 0.19.3 of SheetJS

It would seem that Snyk flagging version 0.20.0 is a bug in Snyk. A teammate reached out to Snyk support to get the issue resolved.

Until Snyk fixes the bug, there is a way to ignore specific vulnerabilities (https://snyk.io/blog/ignoring-vulnerabilities-with-snyk/):

```bash
snyk ignore --id=SNYK-JS-XLSX-5457926
```
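Because the dependency in the report is declared as a CDN tarball URL rather than a semver range, ordinary audit tooling cannot read the version out of `package.json` directly. The following is an added example (not SheetJS or Snyk code) that extracts the version from either a `cdn.sheetjs.com` tarball URL or a plain npm range and compares it against 0.19.3, the fix version quoted from the Snyk note above. The helper names (`extractVersion`, `compareVersions`, `assessXlsx`) and the sample dependency maps are this example's own assumptions.

```javascript
// Added example: is the declared xlsx dependency at or above the version the
// Snyk note says fixed the issue? Fix version taken from the comment above.
const FIXED_VERSION = "0.19.3";

// Pull "major.minor.patch" out of either a SheetJS CDN tarball URL such as
// https://cdn.sheetjs.com/xlsx-0.20.0/xlsx-0.20.0.tgz or a plain version/range
// like "0.18.5" or "^0.18.5". Returns null for specs it does not understand
// (git URLs, dist-tags, etc.) rather than guessing.
function extractVersion(spec) {
  const fromUrl = spec.match(/\/xlsx-(\d+\.\d+\.\d+)\.tgz$/);
  if (fromUrl) return fromUrl[1];
  const plain = spec.match(/^[\^~]?(\d+\.\d+\.\d+)$/);
  if (plain) return plain[1];
  return null;
}

// Numeric three-part version comparison: negative if a < b, 0 if equal,
// positive if a > b. String comparison would wrongly rank "0.9.0" > "0.20.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Assess a package.json-style "dependencies" object. `fixed` is null when the
// package is absent or the spec could not be parsed, so callers can tell
// "unknown" apart from "vulnerable".
function assessXlsx(dependencies, fixedVersion = FIXED_VERSION) {
  const spec = dependencies.xlsx;
  if (spec === undefined) return { present: false, version: null, fixed: null };
  const version = extractVersion(spec);
  if (version === null) return { present: true, version: null, fixed: null };
  return {
    present: true,
    version,
    fixed: compareVersions(version, fixedVersion) >= 0,
  };
}

// Constructed sample inputs: the CDN spec from this issue, and an older
// npm-registry style range for contrast.
const sampleDeps = { xlsx: "https://cdn.sheetjs.com/xlsx-0.20.0/xlsx-0.20.0.tgz" };
const legacyDeps = { xlsx: "^0.18.5" };

console.log(assessXlsx(sampleDeps)); // { present: true, version: '0.20.0', fixed: true }
console.log(assessXlsx(legacyDeps)); // { present: true, version: '0.18.5', fixed: false }
```

Run it against the `dependencies` object of a real `package.json` to confirm what is actually declared before spending time on a scanner ticket; a `fixed: true` result for 0.20.0 is consistent with the Snyk note and supports treating the finding as a scanner bug rather than an unpatched dependency.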
Reference: sheetjs/sheetjs#2992