Suggestions on how we can upgrade the jquery version in this minified js file?

teamdruva
Explorer

Hi Experts,

We performed "check_for_vulnerable_javascript_library_usage" check for our add-on app. As per report we need to upgrade jquery version.

We have one common.js file which is minified js and located in following directory - appserver/static/js/build/common.js 

Could you please suggest how can we upgrade the jquery version in this minified js file?

I went through the article https://dev.splunk.com/enterprise/docs/developapps/visualizedata/updatejquery/?_ga=2.112247757.87221... but the steps mentioned there aren't applicable in my case. I have the add-on app's tgz file and need to update the jQuery version.

Appreciate any inputs on this.

Best regards,

Saurabh


jowenssi
Path Finder

Sometimes this is a false positive from Add-on Builder because it does not prune legacy files on Export. We found that by following this procedure, the Add-on Builder will essentially fix itself by pruning unrequired JS files:

- Export the app from Add-on Builder
- Delete the app from Add-on Builder
- Import the app to Add-on Builder
- Package and download the app from the "Validate & Package" dashboard

This should remove the common.js from the package if it is not relevant.

sloshburch
Splunk Employee

Nailed it! I tried to write a clear message about the collaboration we did at "How to fix AppInspect check_for_vulnerable_javascript_library_usage from Add-on Builder content".

jowenssi
Path Finder

One thing I forgot to note. This appears to be fixed in Add-on Builder version 4.1.0, but you will need to perform the export/import process if you upgrade the app in-place.

swati_singh
Engager

Upgrading the add-on builder and exporting the add-on from there fixed the issue.


doc_holiday
Splunk Employee

XPOST from "How do I address check_for_vulnerable_javascript_library_usage errors in AppInspect?"

@teamdruva I talked to the cloud vetting folks. As it's a 'warning', go ahead and submit the app. They know it's coming and will give it a look as part of their manual review process.

diogofgm
SplunkTrust

Is there any information on the results of the AppInspect run? I believe it should point to where the problem is.

------------
Hope I was able to help you. If so, some karma would be appreciated.

teamdruva
Explorer

Thanks for your response. Initially I got the following error:

{
    "result": "warning",
    "message": "3rd party CORS request may execute\nparseHTML() executes scripts in event handlers\njQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nreDOS - regular expression denial of service\n",
    "message_filename": "/opt/app7hugi7qy/TA-druva/appserver/static/js/build/common.js",
    "message_line": null
}

This is related to the upgrade of the jQuery version to 3.5.0.

Since I had minified JavaScript (path: appserver/static/js/build/common.js), I couldn't find a jQuery version import anywhere, but I found "contrib/jquery-2.1.0" in this file and replaced it with "contrib/jquery-3.5.0".

After running AppInspect on the updated app, I got the following warning:

{
    "description": "Checks related to JavaScript usage.",
    "name": "check_javascript_usage",
    "checks": [
        {
            "description": "Detect usage of JavaScript libraries with known vulnerabilities.",
            "name": "check_for_vulnerable_javascript_library_usage",
            "tags": [
                "cloud",
                "future",
                "jquery",
                "security"
            ],
            "result": "warning",
            "messages": [
                {
                    "result": "warning",
                    "message": "reDOS - regular expression denial of service\n",
                    "message_filename": "/opt/appdlobc8sm/TA-druva/appserver/static/js/build/common.js",
                    "message_line": null
                }
            ]
        }
    ]
}

Usually the error "reDOS - regular expression denial of service" in jQuery is related to the jQuery-validation library, but we aren't using any such library. Is it fine to submit the app with this warning?
If not, kindly suggest how to fix this issue.
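The post above shows the core difficulty: a minified bundle hides which jQuery release is embedded, and the only clue was a "contrib/jquery-2.1.0" path string. The following scanner is an added example, not code from the thread or from Splunk; it locates jQuery version markers in .js files (the "/*! jQuery vX.Y.Z" release banner that minifiers preserve, and "contrib/jquery-X.Y.Z" module paths as seen in common.js) and flags anything older than the 3.5.0 threshold the poster was upgrading to. The sample bundle is constructed.

```python
"""Scan minified JavaScript bundles for embedded jQuery version markers.

Added example: finds the two kinds of marker discussed in the thread and
reports releases older than 3.5.0, the version the AppInspect warning
pointed at. It inspects strings only; it does not execute any JS.
"""
import re
from pathlib import Path

MIN_SAFE = (3, 5, 0)  # threshold taken from the thread

# Banner comments starting with /*! survive minifiers; the module path is
# the form the original poster found inside common.js.
PATTERNS = [
    re.compile(r"/\*!\s*jQuery v(\d+)\.(\d+)\.(\d+)"),
    re.compile(r"contrib/jquery-(\d+)\.(\d+)\.(\d+)"),
]


def find_jquery_versions(text):
    """Return the sorted list of distinct (major, minor, patch) tuples in text."""
    found = set()
    for pat in PATTERNS:
        for m in pat.finditer(text):
            found.add(tuple(int(x) for x in m.groups()))
    return sorted(found)


def outdated_versions(text, minimum=MIN_SAFE):
    """Versions embedded in text that are older than the minimum release."""
    return [v for v in find_jquery_versions(text) if v < minimum]


def scan_tree(root):
    """Map each .js file under root (e.g. appserver/static) to its outdated versions."""
    report = {}
    for path in Path(root).rglob("*.js"):
        bad = outdated_versions(path.read_text(errors="replace"))
        if bad:
            report[str(path)] = bad
    return report


# Constructed sample standing in for appserver/static/js/build/common.js.
SAMPLE_BUNDLE = (
    "/*! jQuery v2.1.0 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n"
    'define("contrib/jquery-2.1.0",[],function(){});'
    'define("app/main",["contrib/jquery-2.1.0"],function(e){});'
)

if __name__ == "__main__":
    print(outdated_versions(SAMPLE_BUNDLE))  # [(2, 1, 0)]
```

Note that the banner reflects the library code actually bundled, so renaming a "contrib/jquery-X.Y.Z" path string changes only the second marker; the banner will still report the old release until the bundled jQuery itself is replaced.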

sloshburch
Splunk Employee

If the common.js came from the Splunk Add-on Builder then you can ignore it for now. We're investigating false positives from that, and we (Splunk) need to provide a fix to either the check_for_vulnerable_javascript_library_usage check or the code that Splunk Add-on Builder adds to your app.

sloshburch
Splunk Employee

As you can imagine, security related things are hard to get info on. Nonetheless, it was pointed out to me that this is a warning, not a failure, and as such it shouldn't be an impediment to building the app. I'll continue to see if I can get more info on this.

sloshburch
Splunk Employee

Cross posting with "How do I address check_for_vulnerable_javascript_library_usage errors in AppInspect?", which sounds like the same question. I'm also hunting for some SMEs who can help.

teamdruva
Explorer

@diogofgm Could you please help here? Appreciate your inputs.

swati_singh
Engager

@diogofgm Do you have a solution for this issue? Our add-on is created by the Add-on Builder, we get an issue with common.js, and Splunk Cloud Support colleagues have rejected the add-on. What should be the next step?