This repository has been archived by the owner on Mar 9, 2023. It is now read-only.

Moderate Vulnerability in sonarqube-scanner > download > got #140

Closed
dtomasbar opened this issue Jun 23, 2022 · 10 comments

Comments

@dtomasbar

While installing sonarqube-scanner, npm revealed the following vulnerability:

Moderate: Got allows a redirect to a UNIX socket
Package: got
Patched in: >=11.8.5
Dependency of: sonarqube-scanner [dev]
Path: sonarqube-scanner > download > got
More info: GHSA-pfrx-2q88-qq97

Reviewing the download issues, they haven't yet patched their package, but already have an open issue.

However, sonarqube-scanner is not using the latest version of the download library (v8.0.0), so it may be worth checking compatibility with the current version of download to ensure that there are no issues.

@francesco38

francesco38 commented Jun 23, 2022

Same issue here.
When forcing got version to be 11.8.5, execution of sonarqube-scanner fails with

/usr/local/ado-agent/_work/95/s/node_modules/got/dist/source/create.js:121
                throw error;
                ^

TypeError: Expected the `options.agent` properties to be `http`, `https` or `http2`, got `options`
    at normalizeArguments (/usr/local/ado-agent/_work/95/s/node_modules/got/dist/source/core/index.js:685:27)
    at got (/usr/local/ado-agent/_work/95/s/node_modules/got/dist/source/create.js:112:39)
    at Function.got.stream (/usr/local/ado-agent/_work/95/s/node_modules/got/dist/source/create.js:221:37)
    at module.exports (/usr/local/ado-agent/_work/95/s/node_modules/download/index.js:78:21)
    at getSonarScannerExecutable (/usr/local/ado-agent/_work/95/s/node_modules/sonarqube-scanner/dist/sonar-scanner-executable.js:104:3)
    at scanCLI (/usr/local/ado-agent/_work/95/s/node_modules/sonarqube-scanner/dist/index.js:31:3)
    at scan (/usr/local/ado-agent/_work/95/s/node_modules/sonarqube-scanner/dist/index.js:18:3)
    at Object.<anonymous> (/usr/local/ado-agent/_work/95/s/sonarqube.scanner.js:10:1)
    at Module._compile (internal/modules/cjs/loader.js:1072:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1101:10)

@tovbinm

tovbinm commented Jun 23, 2022

+1 please fix

@Ixtalo

Ixtalo commented Jun 27, 2022

+1 confirm

@angelosanramon

I'm getting the same issue.

@tamara-h

tamara-h commented Jun 28, 2022

+1 affecting our applications

@ZergRushJoe

+1

@wbt

wbt commented Jul 5, 2022

As OP @dtomasbar mentioned, the latest version of the download package doesn't have this fixed, which (for future reference of commenters above) you can verify by checking its package.json. Therefore, just trying out the latest version of that won't fix the issue.

The open issue to upgrade that dependency is here, but likely won't be acted on with that package lacking any active maintainers.

If Sonar has funding for its offerings, I'd recommend picking from this list:

  1. Funding the maintainer of the dependency
  2. Taking over management of the dependency via a fork
  3. Replacing the dependency with a different one
  4. Fund/convince the maintainers of got to backport their fix to the v8 line, where it can be picked up by the download package

Having a persistent transitive vulnerability in a product aimed at organizations who are especially picky about eliminating potential issues from their code base is not a good look.
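The npm audit output in the opening post gives a dependency path (sonarqube-scanner > download > got) and a "Patched in" range (>=11.8.5), and wbt's comment above points out that the real check is what version of got the lockfile actually resolves along that path. The script below is an added example, not code from the issue or from the sonar-scanner-npm project: it walks a package-lock.json (lockfileVersion 1 layout with nested "dependencies" maps, following npm's lookup rule that a package missing from its parent is searched in each ancestor up to the root) and compares the resolved version against the advisory range. The embedded lockfile and its version numbers are constructed for the demo; the ">=X.Y.Z" range parser and the function names are assumptions of this example.

```javascript
// Added example (not from the issue thread or the sonarqube-scanner project):
// resolve a dependency path in a lockfileVersion 1 package-lock and compare the
// resolved version with an npm audit "Patched in: >=X.Y.Z" range.
// The lockfile below is CONSTRUCTED for the demo; its version numbers are not
// taken from the issue thread.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "sonarqube-scanner": {
      version: "2.8.1",            // constructed
      dependencies: {
        download: {
          version: "8.0.0",        // constructed
          dependencies: {
            got: { version: "8.3.2" }  // constructed, below the patched range
          }
        }
      }
    }
  }
};

// Parse "1.2.3" (or "1.2.3-beta.1", prerelease dropped) into numeric parts.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Numeric comparison of two major.minor.patch strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Resolve a dependency path with npm's lookup rule: each package is searched in
// its parent's nested "dependencies", then in each ancestor up to the root
// (hoisted packages live at the top level). Returns the final node or null.
function resolvePath(lock, names) {
  const ancestors = [lock];  // nodes from the root down to the current package
  for (const name of names) {
    let found = null;
    for (let i = ancestors.length - 1; i >= 0; i--) {
      const deps = ancestors[i].dependencies || {};
      if (deps[name]) { found = deps[name]; break; }
    }
    if (!found) return null;
    ancestors.push(found);
  }
  return ancestors[ancestors.length - 1];
}

// Check a resolved version against a "Patched in" range. Only the ">=X.Y.Z" form
// shown in the npm audit output is supported (an assumption of this example).
function isVulnerable(version, patchedIn) {
  const m = /^>=\s*([\d.]+)$/.exec(patchedIn.trim());
  if (!m) throw new Error("unsupported range: " + patchedIn);
  return compareVersions(version, m[1]) < 0;
}

// Audit one "a > b > c" path; returns { version, vulnerable } or null if absent.
function auditPath(lock, pathSpec, patchedIn) {
  const names = pathSpec.split(">").map((s) => s.trim());
  const node = resolvePath(lock, names);
  if (!node) return null;
  return { version: node.version, vulnerable: isVulnerable(node.version, patchedIn) };
}

// Stand-alone run against the constructed lockfile.
console.log(auditPath(SAMPLE_LOCK, "sonarqube-scanner > download > got", ">=11.8.5"));
```

Pointing SAMPLE_LOCK at a real lockfile (JSON.parse of the project's package-lock.json) makes this the same check npm audit performs for one path, which is useful in CI when a transitive fix has to be confirmed rather than assumed after a package bump.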

@cami-dev

cami-dev commented Aug 4, 2022

+1 we have the same issues on all our apps +10

@drodil

drodil commented Aug 25, 2022

+1

@gabssnake
Collaborator

This was fixed with 2.8.2 release, see:
https://github.com/bellingard/sonar-scanner-npm/releases/tag/2.8.2
