[Bug]: False Positive Vulnerability Detection in jQuery 3.7.1 #6456
Description
Is there an existing issue for this?
- I have searched the existing issues
What happened?
A vulnerability scanner flagged the \Resources\Libraries\jQuery\03_07_01\jquery.js file, even though it is jQuery v3.7.1, which doesn't have any known security vulnerabilities. The OWASP ZAP scan reported the library as vulnerable, citing CVE-2011-4969 and CVE-2012-6708 for jquery version 03_07_01. This suggests that the scanner misinterpreted the version as an older, vulnerable version. While the outdated .min.map files could also be contributing to this issue, the misinterpretation of the version appears to be the more likely cause of the false positive.
Steps to reproduce?
- Run a vulnerability scan on an installed DNN platform using OWASP ZAP
- It should identify the library \Resources\Libraries\jQuery\03_07_01\jquery.j as vulnerable and references CVE-2011-4969 and CVE-2012-6708.
Current Behavior
The vulnerability scanner incorrectly flags the jQuery 3.7.1 file (\Resources\Libraries\jQuery\03_07_01\jquery.js) as containing a security vulnerability, even though the actual version in use is secure. The misidentification seems to stem from the scanner interpreting the version as an older, vulnerable version. OWASP ZAP also incorrectly identifies the library as vulnerable, referencing CVE-2011-4969 and CVE-2012-6708 for a version mismatch. The outdated .min.map files that reference older jQuery versions (3.5.1 and 3.4.1) could potentially be contributing to this misinterpretation.
Expected Behavior
The vulnerability scanner should correctly identify jQuery v3.7.1 and not flag it as vulnerable. It should accurately determine the version from the actual .js file and avoid referencing CVEs related to older versions. The scan results from OWASP ZAP should reflect the correct version without mistakenly flagging known vulnerabilities for earlier jQuery releases. Outdated .min.map files should not cause version misinterpretations.
Relevant log output
Anything else?
I am proposing attempting a fix by:
renaming the version to not use leading zeros in https://github.com/trilogy-group/Evoq.Dnn.Platform/blob/develop/DNN%20Platform/JavaScript%20Libraries/jQuery/jQuery.dnn to change the output path from \Resources\Libraries\jQuery\03_07_01\jquery.js to potentially \Resources\Libraries\jQuery\3_7_1\jquery.js
or/and
updating the min.map files at:
- https://github.com/dnnsoftware/Dnn.Platform/blob/develop/DNN%20Platform/Website/jquery.min.map
- https://github.com/dnnsoftware/Dnn.Platform/blob/develop/DNN%20Platform/JavaScript%20Libraries/jQuery/jquery.min.map
- https://github.com/dnnsoftware/Dnn.Platform/blob/develop/DNN%20Platform/Website/Resources/Shared/scripts/jquery/jquery.min.map
Affected Versions
9.13.8 (latest release)
What browsers are you seeing the problem on?
No response
Code of Conduct
- I agree to follow this project's Code of Conduct