GitHub issue versioning with probot
License: GNU General Public License v3.0
GitHub issue versioning with probot. Historic versions come in as a comment, but default these are diffs, however by including VERSION_TYPE_PLAIN anywhere in the Issue description, it will be plain textgi
Using make commands.
make install
make run
Before deploy make sure you have setup:
aws cli with credentialsenvarThen WEBHOOK_SECRET=<your-github-secret-key> make deploy
Vulnerable Library - fstream-1.0.11.tgzAdvanced file system stream things
Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.
Publish Date: 2019-05-23
URL: WS-2019-0100
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/886
Release Date: 2019-05-23
Fix Resolution: 1.0.12
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - tough-cookie-2.3.2.tgzRFC6265 Cookies and Cookie Jar for node.js
Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
Publish Date: 2017-10-04
URL: CVE-2017-15010
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010
Release Date: 2017-10-04
Fix Resolution: 2.3.3
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - moment-2.18.1.tgzParse, validate, manipulate, and display dates
Library home page: https://registry.npmjs.org/moment/-/moment-2.18.1.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/moment/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.
Publish Date: 2018-03-04
URL: CVE-2017-18214
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/532
Release Date: 2017-11-27
Fix Resolution: Update to version 2.19.3
Step up your Open Source Security Game with WhiteSource here
this is great!
line 1
line 3
different code
more code in the code block
An HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).
Publish Date: 2018-06-07
URL: CVE-2018-3739
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3739
Release Date: 2018-06-07
Fix Resolution: 2.1.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - stringstream-0.0.5.tgzEncode and decode streams into string streams
Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
All versions of stringstream are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input stream on Node.js 4.x and below.
Publish Date: 2018-05-16
URL: WS-2018-0103
CVSS 2 Score Details (5.2)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/664/versions
Release Date: 2019-06-05
Fix Resolution: 0.0.6,1.0.0
Step up your Open Source Security Game with WhiteSource here
testing version type
line 1
line 2
line 3
line 4
VERSION_TYPE_PLAIN
As a (user or system)
I want to (perform some interaction)
So that (business value)
Scenario: A description of some determinable system or business situation
Given there is some precondition
And some other precondition
When there is an action performed by an actor
And some other action occurs
Then there is a testable outcome achieved
And something else that can be checked happens too
Vulnerable Library - lodash-4.17.4.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Release Date: 2018-06-07
Fix Resolution: 4.17.5
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - https-proxy-agent-1.0.0.tgzAn HTTP(s) proxy `http.Agent` implementation for HTTPS
Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-1.0.0.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/https-proxy-agent/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
Versions of https-proxy-agent before 2.2.0 are vulnerable to a denial of service. This is due to unsanitized options (proxy.auth) being passed to Buffer().
Publish Date: 2018-04-25
URL: WS-2018-0072
CVSS 2 Score Details (8.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/593
Release Date: 2018-01-27
Fix Resolution: 2.2.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - base64url-2.0.0.tgzFor encoding to/from base64urls
Library home page: https://registry.npmjs.org/base64url/-/base64url-2.0.0.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/base64url/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
Versions of base64url before 3.0.0 are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below.
Publish Date: 2018-05-16
URL: WS-2018-0096
CVSS 2 Score Details (7.1)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/321687
Release Date: 2019-01-24
Fix Resolution: 3.0.0
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - tar-2.2.1.tgztar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
Publish Date: 2019-04-05
URL: WS-2019-0047
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/803
Release Date: 2019-04-05
Fix Resolution: 4.4.2
Step up your Open Source Security Game with WhiteSource here
line 1
line 2
line 3
test
Vulnerable Library - hoek-2.16.3.tgzGeneral purpose node utilities
Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/hoek/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728
Release Date: 2018-03-30
Fix Resolution: 4.2.1,5.0.3
Step up your Open Source Security Game with WhiteSource here
testing dashboardhub issue versioning bot.
italics to inline code block
edit line again
Vulnerable Library - sshpk-1.13.0.tgzA library for finding and using SSH public keys
Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.
Publish Date: 2018-04-25
URL: WS-2018-0084
CVSS 2 Score Details (8.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/606
Release Date: 2018-01-27
Fix Resolution: 1.14.1
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - extend-3.0.1.tgzPort of jQuery.extend for node.js and the browser
Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/extend/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16492
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/381185
Release Date: 2019-02-01
Fix Resolution: v3.0.2,v2.0.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - lodash-4.17.4.tgzLodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - debug-2.6.8.tgzsmall debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: debug-js/debug@42a6ae0
Release Date: 2017-09-21
Fix Resolution: Replace or update the following file: node.js
Step up your Open Source Security Game with WhiteSource here
line 1
line 2
line 3
line 4
Vulnerable Library - braces-1.8.5.tgzFastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Publish Date: 2019-03-25
URL: WS-2019-0019
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/786
Release Date: 2019-02-21
Fix Resolution: 2.3.1
Step up your Open Source Security Game with WhiteSource here
Default should be diff but can make it plain
line 1
line 3
line 4
line 5
line 6
VERSION_TYPE_PLAIN
Vulnerable Library - deep-extend-0.4.2.tgzRecursive object extending
Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.
Publish Date: 2018-07-03
URL: CVE-2018-3750
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: RetireJS/retire.js@6a71696
Release Date: 2018-05-09
Fix Resolution: Replace or update the following file: npmrepository.json
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - cryptiles-2.0.5.tgzGeneral purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
Release Date: 2019-04-08
Fix Resolution: 4.1.2
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - randomatic-1.1.7.tgzGenerate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.
Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.7.tgz
Path to dependency file: /probot-issue-versioning/package.json
Path to vulnerable library: /tmp/git/probot-issue-versioning/node_modules/randomatic/package.json
Dependency Hierarchy:
Found in HEAD commit: 401f73579c289637e10b6a10cb44727b52b03e1b
Vulnerability Details
react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).
Publish Date: 2018-06-04
URL: CVE-2017-16028
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/157
Release Date: 2017-04-14
Fix Resolution: Update to version 3.0.0 or later.
Step up your Open Source Security Game with WhiteSource here
npm WARN Invalid name: "dashboardhub/probot-issue-versioning"
npm WARN probot-issue-versioning No description
npm WARN probot-issue-versioning No repository field.
npm WARN probot-issue-versioning No README data
npm WARN probot-issue-versioning No license field.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.