OWASP Dependency Check flagged RetireJS vulnerability pkg:javascript/DOMPurify@2.0.7 in swagger-ui-bundle.js provided by springfox-swagger-ui-3.0.0.jar #4026
Running the OWASP Dependency Check on a project that has springfox-swagger-ui-3.0.0.jar as one of its dependencies yields the following flagged vulnerability:

Apparently, this is a "RetireJS" vulnerability, and it lacks both a CPE pattern and a CVE number. But the mentioned DOMPurify fixes do imply some kind of XSS vulnerability.

Is it possible to release a new version of springfox-swagger-ui that mitigates this? Or is there a good argument to be made for considering this a false positive? Thanks.
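As an added example, not code from the issue or from the springfox project, here is a small Python check a maintainer or consumer could run to confirm which DOMPurify version a jar's swagger-ui-bundle.js actually embeds before choosing between a fix and a suppression. The two version-marker regexes and the sample bundle text are assumptions, and the minimum fixed version has to be taken from the RetireJS advisory itself, which this issue does not quote.

```python
import re
import zipfile
from typing import Optional, Tuple

# Both patterns are assumptions about how the DOMPurify version survives in a
# minified bundle: the license banner DOMPurify 2.x ships, and the explicit
# `DOMPurify.version = "x.y.z"` assignment from the unminified source.
_PATTERNS = [
    re.compile(r"@license DOMPurify (\d+\.\d+\.\d+)"),
    re.compile(r"""DOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]"""),
]

# Constructed stand-in for swagger-ui-bundle.js (not the real file).
SAMPLE_BUNDLE = (
    "!function(e){/*! @license DOMPurify 2.0.7 | (c) Cure53 and other "
    "contributors */ var t=function(){...}}();"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.17' -> (2, 0, 17) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def find_dompurify_version(bundle_text: str) -> Optional[str]:
    """Return the embedded DOMPurify version, or None if no marker is found."""
    for pattern in _PATTERNS:
        match = pattern.search(bundle_text)
        if match:
            return match.group(1)
    return None

def classify(bundle_text: str, minimum_fixed: str) -> str:
    """'absent', 'below' or 'fixed' relative to the first version treated as safe."""
    found = find_dompurify_version(bundle_text)
    if found is None:
        return "absent"
    return "fixed" if parse_version(found) >= parse_version(minimum_fixed) else "below"

def classify_jar(jar_path: str, minimum_fixed: str,
                 member_suffix: str = "swagger-ui-bundle.js") -> Tuple[Optional[str], str]:
    """Locate the bundle inside a jar and classify it; (None, 'absent') if no bundle."""
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith(member_suffix):
                text = jar.read(name).decode("utf-8", errors="replace")
                return name, classify(text, minimum_fixed)
    return None, "absent"
```

Run `classify_jar("springfox-swagger-ui-3.0.0.jar", "<fixed version from the advisory>")` against the real artifact: "below" supports the finding, while "absent" means the marker was stripped and the bundle needs manual inspection before it is suppressed.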