CVE-2022-37614: Critical Vulnerability in mockery module

[luxaflow]

Please check our current Issues to see if someone already reported this https://github.com/Microsoft/azure-pipelines-task-lib/issues

Environment

azure-pipelines-task-lib version: 4.4.0

Issue Description

These is a critical vulnerability in mfncooper/mocker 2.1.0 module used.

Expected behaviour

No issues when used, but also no critical security CVE's in used in modules

Actual behaviour

Currently critical security CVE in mfncooper/mockery module
https://nvd.nist.gov/vuln/detail/CVE-2022-37614

Steps to reproduce

N/A

Logs

Link to CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-37614

[aleksandrlevochkin]

Hi @luxaflow thank you for reporting this issue, this is currently being worked on.

[maksimu]

any updates on this? Security team of one of our customers is demanding us to upgrade our library with the patched version of mockery.

[joshftb]

@maksimu mockery is only used for testing, so none of its exports will see prod. Also, the task does not use the vulnerable component of that library anyways.

[Vertex-btb]

@joshftb Two weeks ago this was given the 'triage' label and then removed. Your latest response indicates that this vulnerability may not be exploitable, yet the issue remains 'Open.' Please advise if Microsoft is planning to update their references to use the newest version of mockery that is not vulnerable (according to SNYK there are no 'next non-vulnerable versions') or plans to close this issue.

[rajarajan2801]

Team, Any updates on this? If the task doesn't use the vulnerable component, Can you please advise why this issue is not closed? We need to respond back to our Security team about the status of this issue.

[aleksandrlevochkin]

@Vertex-btb, @rajarajan2801 Mockery is indeed used only for testing. This issue is not closed, as we're preparing a replacement, and it's not merged yet.

[JuanDuhalde12]

Hi, any updates on this?. I have a task created and I depends on solve this issue to be able to deploy it. Thanks

[lgmorand]

hi :)
not a single commit on the PR for a full month since the Lilia's work. any idea when we could expect it or what is blocking because all checks seem OK ? thanks <3

[jessehouwing]

Compatibility checks with the existing tasks in the azure-pipelines-tasks and introduction of the node20 handler and other priorities. Merging this pull request has consequences beyond this library.

[lgmorand]

thanks Jesse! Le sam. 16 sept. 2023 à 11:45, Jesse Houwing ***@***.***> a écrit :

…

Compatibility checks with the existing tasks in the azure-pipelines-tasks and introduction of the node20 handler and other priorities. Merging this pull request has consequences beyond this library. — Reply to this email directly, view it on GitHub <#955 (comment)> or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABTRVVZWRHPDF7RGGVJIPK3X2VKIFBFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVIZDSNJXGU4DIMBQG6SG4YLNMWUWQYLTL5WGCYTFNSWHG5LCNJSWG5C7OR4XAZNMJFZXG5LFINXW23LFNZ2KM5DPOBUWG44TQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKBTHA3DIOJSHE2IFJDUPFYGLJLJONZXKZNFOZQWY5LFVIYTQMBZHEZTKNJRGWBKI5DZOBS2K3DBMJSWZJLWMFWHKZNKGI4TKNZVHA2DAMBXU52HE2LHM5SXFJTDOJSWC5DF> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

[github-actions]

This issue has had no activity in 90 days. Please comment if it is not actually stale

[lgmorand]

not stale :)

[PratMoha]

Any update on this issue?
Waiting for the fix for quite some time now. It is becoming critical to us as we're unable to upgrade our packages to a higher version as the security check fails for azure-pipelines-task-lib.

[jessehouwing]

As far as I can tell, this has merged:
01d398f

[PratMoha]

Thanks jesse.

[github-actions]

This issue has had no activity in 90 days. Please comment if it is not actually stale