
Got some security issues after scanned by AppScan on Cloud #4288

Closed
1 of 2 tasks
Bin-Xiong opened this issue Oct 10, 2019 · 2 comments · Fixed by #4291

Comments

@Bin-Xiong

What package(s) are you using?

  • carbon-components
  • carbon-components-react

Detailed description

Describe in detail the issue you're having.
We used ASoC to scan the open source libs we are packaging in our product; some security issues were reported by ASoC.
Main issues reported:

  • Insecure Use of setAttribute (screenshot)
  • Insecure HTTP Communication (screenshot)
  • Query Insecure Manipulation of Child Node (screenshot)
  • Insecure random number (screenshot)

Is this issue related to a specific component?
No.
What did you expect to happen? What happened instead? What would you like to see changed?
No security issues reported by ASoC, because we package Carbon in our product.
What browser are you working in?
N/A
What version of the Carbon Design System are you using?
10.6
What offering/product do you work on? Any pressing ship or release dates we should be aware of?
IBM Service Management Unite

Steps to reproduce the issue

  1. Log in to ASoC: https://cloud.appscan.com
  2. Upload source code
  3. Scan
  4. Download report

Please create a reduced test case in CodeSandbox

Additional information

  • Screenshots or code
  • Notes
@abbeyhrt
Contributor

abbeyhrt commented Oct 10, 2019

Hi @Bin-Xiong, thank you for making this issue! We are not able to independently verify this, as logging into ASoC seems to be broken. Is this a blocking issue for your team, and could you provide more context about ASoC?

@asudoh
Contributor

asudoh commented Oct 10, 2019

Had a chat with @Bin-Xiong yesterday; we saw that none of them is directly affecting his team, but we agreed that we avoid Math.random() usage as a precaution.


3 participants