Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security vulnerability in karate-core 1.4.1 due to old version 4.5.3 bootstrap (twitter) bootstarp.min.js #2588

Open
Saruman000 opened this issue Jul 29, 2024 · 3 comments

Comments

@Saruman000
Copy link

Could you please upgrade bootstrap (twitter) bootstarp.min.js from 4.5.3 to 5.3.3 or later to fix security XSS vulnerability in karate-core 1.4.1 ?

@ptrthomas
Copy link
Member

@Saruman000 this is low priority so you are welcome to submit a PR and the HTML reports will need tweaking. you are not supposed to put karate reports into production and most users don't

@Saruman000
Copy link
Author

Peter,

  1. Thank you!

  2. Latest version of Black Duck SCA security scanner marks bootstrap in karate-core 1.4.1 as SEV-2, which makes it High-Severity finding.

  3. YES, so far majority of consumers of KARATE framework limit its usage only to BDD testing in pre-production, and because of that sometime they can try to descope non-production code from Black Duck security testing and avoid such problem. At the same time some of them use same BDD approach to automate application validation after deployment, which makes karate-core part of production deployment.

Again - thank you for supporting karate framework! it is really great.

@ptrthomas
Copy link
Member

@Saruman000 thanks for the details on Black Duck - even though that doesn't make sense for a testing framework, I agree that resolving this is ideal for any enterprise using Black Duck

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants