topic Suggestions on how we can upgrade the jquery version in this minified js file? in Splunk Dev

Suggestions on how we can upgrade the jquery version in this minified js file?

teamdruva — Wed, 09 Feb 2022 19:55:50 GMT

Hi Experts,

We performed "check_for_vulnerable_javascript_library_usage" check for our add-on app. As per report we need to upgrade jquery version.

We have one common.js file which is minified js and located in following directory - appserver/static/js/build/common.js

Could you please suggest how can we upgrade the jquery version in this minified js file?

I went through article - https://dev.splunk.com/enterprise/docs/developapps/visualizedata/updatejquery/?_ga=2.112247757.872217667.1643345201-285550.1643345200 but the steps mentioned here aren't applicable in my case. I am add-on app's tgz file and need to update the jquery version.

Appreciate any inputs on this.

Best regards,

Saurabh

Update jquery version

teamdruva — Sat, 29 Jan 2022 04:05:12 GMT

@diogofgm could you please help here. Appreciate your inputs.

Re: Update jquery version

diogofgm — Mon, 31 Jan 2022 12:24:42 GMT

Is there any information on the results of the app inspect? I believe it should point to where should the problem be.

Re: Update jquery version

teamdruva — Mon, 31 Jan 2022 17:03:48 GMT

Thanks for your response. Initially I got following error:

{ "result": "warning", "message": "3rd party CORS request may execute\nparseHTML() executes scripts in event handlers\njQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nreDOS - regular expression denial of service\n", "message_filename": "/opt/app7hugi7qy/TA-druva/appserver/static/js/build/common.js", "message_line": null }

This is related to upgrade of JQuery version to 3.5.0.

Since I had minified javascript (path - appserver/static/js/build/common.js), I couldn't find jquery version import anywhere but I found "contrib/jquery-2.1.0" in this file and replaced it with "contrib/jquery-3.5.0".

After running AppInspect on the updated app, getting following warning:

{ "description": "Checks related to JavaScript usage.", "name": "check_javascript_usage", "checks": [ { "description": "Detect usage of JavaScript libraries with known vulnerabilities.", "name": "check_for_vulnerable_javascript_library_usage", "tags": [ "cloud", "future", "jquery", "security" ], "result": "warning", "messages": [ { "result": "warning", "message": "reDOS - regular expression denial of service\n", "message_filename": "/opt/appdlobc8sm/TA-druva/appserver/static/js/build/common.js", "message_line": null } ] } ] }

Usually the error "reDOS - regular expression denial of service” in jQuery is related to jQuery-validation library but we aren’t using any such library. Is it fine to submit the app with this warning?

If not, kindly suggest how to fix this issue.

Re: Update jquery version

sloshburch — Thu, 03 Feb 2022 11:53:43 GMT

Cross posting with How do I address "check_for_vulnerable_javascript_library_usage" errors in AppInspect?which sounds like the same question. I'm also hunting for some SMEs who can help.

Re: Update jquery version

doc_holiday — Thu, 03 Feb 2022 18:12:47 GMT

@teamdruva I talked to the cloud vetting folks. As it's a 'warning' go ahead and submit the app. They know it's coming and will give it a look as part of their manual review process.

Re: Update jquery version

doc_holiday — Thu, 03 Feb 2022 18:13:50 GMT

XPOST from How do I address "check_for_vulnerable_javascript_library_usage" errors in AppInspect?

@teamdruva I talked to the cloud vetting folks. As it's a 'warning' go ahead and submit the app. They know it's coming and will give it a look as part of their manual review process.

Re: Update jquery version

sloshburch — Wed, 09 Feb 2022 14:22:19 GMT

As you can imagine, security related things are hard to get info on. Nonetheless, it was pointed out to me that this is a warning, not a failure, and as such it shouldn't be an impediment to building the app. I'll continue to see if I can get more info on this.

Re: Update jquery version

sloshburch — Mon, 14 Feb 2022 19:15:46 GMT

If the common.js came from the Splunk Add-on Builder then you can ignore it for now. We're investigating false positives from that and we (Splunk) needs to provide a fix to either the check_for_vulnerable_javascript_library_usage or the code that Splunk Add-on Builder adds to your app.

Re: Update jquery version

swati_singh — Fri, 04 Mar 2022 13:24:38 GMT

@diogofgm Do you have a solution for this issue? Our add-on is created by the add-on builder and we get an issue with common.js and Splunk Cloud Support colleagues have rejected the add-on. What should be the next step?

Re: Suggestions on how we can upgrade the jquery version in this minified js file?

jowenssi — Fri, 04 Mar 2022 16:39:55 GMT

Sometimes this is a false-positive from Add-on Builder because it does not prune legacy files on Export. We found that by following this procedure, the Add-on Builder will essentially fix itself by pruning unrequired JS files:

- Export the app from Add-on Builder

- Delete the app from Add-on Builder

- Import the app to Add-on Builder

- Package and download the app from the "Validate & Package" dashboard

This should remove the common.js from the package if it is not relevant.

Re: Suggestions on how we can upgrade the jquery version in this minified js file?

jowenssi — Fri, 04 Mar 2022 16:42:37 GMT

One thing I forgot to note. This appears to be fixed in Add-on Builder version 4.1.0 but you will need to perform the export/import process if you upgrade the app in-place.

Re: Suggestions on how we can upgrade the jquery version in this minified js file?

sloshburch — Fri, 04 Mar 2022 19:34:43 GMT

Nailed it! I tried to write a clear message about the collaboration we did at How to fix AppInspect check_for_vulnerable_javascript_library_usage from Add-on Builder content

Re: Suggestions on how we can upgrade the jquery version in this minified js file?

swati_singh — Sat, 05 Mar 2022 05:53:51 GMT

Upgrading the add-on builder and exporting the add-on from there fixed the issue.