TYPO3 Core

Lars Tode wrote:

The currently use of package enshrined/svg-sanitize with version constrain ^0.15.4 increase the risk score of TYPO3 projects.

The corresponding CVEs are

• https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-xrqq-wqh4-5hg2
• https://nvd.nist.gov/vuln/detail/CVE-2023-28426

Even the two mentioned CVEs are false-positive CVEs and should not bothered the project, these have an effect of the risk score.

The package should be updated to a newer version in order to solve this issue.

As of today, the current version available of this package is 0.18.0

Updating to v0.18.0 seems to be fine by looking to the changes at https://github.com/darylldoyle/svg-sanitizer/compare/0.15.4...0.18.0

However, CVE-2023-28426 was rejected - thus, it must not have any negative impact on any "risk score".
Can you please provide a source/link to the service still assessing version 0.15.4 of the svg-sanitizer package as risky? Thanks in advance!

https://github.com/darylldoyle/svg-sanitizer/issues/88 provides more context on the rejected CVE-2023-28426 → v0.15.4 was not vulnerable concerning the mentioned CVE

Trying to reproduce that with DependencyTrack and PURL pkg:composer/enshrined/svg-sanitize@0.15.4 it get

• a vulnerability item with "unassigned severity"
• a reference to https://ossindex.sonatype.org/vulnerability/CVE-2023-28426?component-type=composer&component-name=enshrined%2Fsvg-sanitize&utm_source=dependency-track&utm_medium=integration&utm_content=v4.10.1 with a CVSS score of 5.3 (which is wrong, since the CVE was rejected)
• a risk score of 5 since version 0.15.4 is not the latest version 0.18.0 of the package

Conclusion¶

Watching and being aware of supply chain issues is an important thing - however, it is also important to understand how those results and information is retrieved and to double check the reports instead of relying only on numbers and risk scores.

As mentioned in the ticket description, I am aware that this issue is a false positiv

Even the two mentioned CVEs are false-positive CVEs and should not bothered the project, these have an effect of the risk score.

The package itself should be updated within the TYPO3 core in order to avoid those messages.

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84137

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/84138