Hi Experts,
We performed the "check_for_vulnerable_javascript_library_usage" check for our add-on app. As per the report we need to upgrade the jQuery version.
We have one common.js file, which is a minified JS file located in the following directory - appserver/static/js/build/common.js
Could you please suggest how we can upgrade the jQuery version in this minified JS file?
I went through the article - https://dev.splunk.com/enterprise/docs/developapps/visualizedata/updatejquery/?_ga=2.112247757.87221... but the steps mentioned there aren't applicable in my case. I have the add-on app's tgz file and need to update the jQuery version.
Appreciate any inputs on this.
Best regards,
Saurabh
Sometimes this is a false-positive from Add-on Builder because it does not prune legacy files on Export. We found that by following this procedure, the Add-on Builder will essentially fix itself by pruning unrequired JS files:
- Export the app from Add-on Builder
- Delete the app from Add-on Builder
- Import the app to Add-on Builder
- Package and download the app from the "Validate & Package" dashboard
This should remove the common.js from the package if it is not relevant.
Nailed it! I tried to write a clear message about the collaboration we did at How to fix AppInspect check_for_vulnerable_javascript_library_usage from Add-on Builder content
One thing I forgot to note. This appears to be fixed in Add-on Builder version 4.1.0 but you will need to perform the export/import process if you upgrade the app in-place.
Upgrading the add-on builder and exporting the add-on from there fixed the issue.
XPOST from How do I address "check_for_vulnerable_javascript_library_usage" errors in AppInspect?
@teamdruva I talked to the cloud vetting folks. As it's a 'warning' go ahead and submit the app. They know it's coming and will give it a look as part of their manual review process.
Is there any information on the results of the AppInspect run? I believe it should point to where the problem should be.
Thanks for your response. Initially I got the following error:
{
    "result": "warning",
    "message": "3rd party CORS request may execute\nparseHTML() executes scripts in event handlers\njQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nRegex in its jQuery.htmlPrefilter sometimes may introduce XSS\nreDOS - regular expression denial of service\n",
    "message_filename": "/opt/app7hugi7qy/TA-druva/appserver/static/js/build/common.js",
    "message_line": null
}
This is related to the upgrade of the jQuery version to 3.5.0.
Since I had minified JavaScript (path - appserver/static/js/build/common.js), I couldn't find a jQuery version import anywhere, but I found "contrib/jquery-2.1.0" in this file and replaced it with "contrib/jquery-3.5.0".
After running AppInspect on the updated app, I get the following warning:
{
    "description": "Checks related to JavaScript usage.",
    "name": "check_javascript_usage",
    "checks": [
        {
            "description": "Detect usage of JavaScript libraries with known vulnerabilities.",
            "name": "check_for_vulnerable_javascript_library_usage",
            "tags": [
                "cloud",
                "future",
                "jquery",
                "security"
            ],
            "result": "warning",
            "messages": [
                {
                    "result": "warning",
                    "message": "reDOS - regular expression denial of service\n",
                    "message_filename": "/opt/appdlobc8sm/TA-druva/appserver/static/js/build/common.js",
                    "message_line": null
                }
            ]
        }
    ]
}
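Added example (my own code, not from the thread, from Splunk or from the Add-on Builder): a small Python script that pulls the non-passing checks out of an AppInspect JSON report laid out like the one above, and then checks which jQuery a minified bundle actually embeds. It looks for the `/*! jQuery vX.Y.Z` banner that jQuery keeps in its minified builds, separately from path strings such as `contrib/jquery-2.1.0`, because editing the path string leaves the library code (and so whatever the scanner flags in it) unchanged. The sample report, the sample bundle, the `groups` wrapper key and the 3.5.0 threshold are constructed for the example; the banner match is a heuristic and returns `None` when a bundler has stripped the comment.

```python
"""Triage an AppInspect JSON report and check which jQuery a bundle really ships.

Added example, not code from the thread or from Splunk. The report walk only
assumes that checks live in lists under a "checks" key, as in the thread's
output; the outer wrapper can be anything.
"""
import json
import re

MIN_SAFE_JQUERY = (3, 5, 0)  # the version the thread's warning asks for (assumed threshold)

# Constructed report: same shape as the thread's output, trimmed to one group.
SAMPLE_REPORT = json.dumps({
    "groups": [{
        "name": "check_javascript_usage",
        "checks": [{
            "name": "check_for_vulnerable_javascript_library_usage",
            "tags": ["cloud", "future", "jquery", "security"],
            "result": "warning",
            "messages": [{
                "result": "warning",
                "message": "reDOS - regular expression denial of service\n",
                "message_filename": "/opt/appX/TA-example/appserver/static/js/build/common.js",
                "message_line": None,
            }],
        }, {
            "name": "check_for_something_else",  # hypothetical passing check
            "result": "success",
            "messages": [],
        }],
    }]
})

# Constructed stand-in for a minified bundle: the path string was edited to
# "3.5.0" but the embedded library banner still says 2.1.0.
SAMPLE_BUNDLE = (
    'define("contrib/jquery-3.5.0",[],function(){'
    '/*! jQuery v2.1.0 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */'
    '!function(a,b){"object"==typeof module&&"object"==typeof module.exports?'
    'module.exports=a.document?b(a,!0):function(a){return b(a)}:b(a)}'
    '(typeof window!="undefined"?window:this,function(a,b){return{}});});'
)


def iter_checks(node):
    """Yield every check dict found in any "checks" list, whatever wraps the groups."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "checks" and isinstance(value, list):
                for check in value:
                    if isinstance(check, dict):
                        yield check
            else:
                yield from iter_checks(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_checks(item)


def triage(report_text, results=("warning", "failure", "error")):
    """Return (check name, flagged file, message) rows for checks that did not pass."""
    rows = []
    for check in iter_checks(json.loads(report_text)):
        if check.get("result") not in results:
            continue
        for msg in check.get("messages", []):
            rows.append((check["name"], msg.get("message_filename"),
                         msg.get("message", "").strip()))
    return rows


# jQuery's own minified header ("/*! jQuery v3.5.0 | ...") or the unminified
# "jQuery JavaScript Library v3.5.0" line; path strings like "jquery-2.1.0" are
# tracked separately because they prove nothing about the embedded code.
BANNER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")
PATH_HINT = re.compile(r"jquery-(\d+)\.(\d+)\.(\d+)")


def jquery_versions(js_text):
    """Return (versions from library banners, versions only named in path strings)."""
    banners = sorted({tuple(map(int, m.groups())) for m in BANNER.finditer(js_text)})
    hints = sorted({tuple(map(int, m.groups())) for m in PATH_HINT.finditer(js_text)})
    return banners, hints


def needs_upgrade(js_text, minimum=MIN_SAFE_JQUERY):
    """True if an embedded jQuery is older than `minimum`; None if no banner is present."""
    banners, _ = jquery_versions(js_text)
    if not banners:
        return None  # banner stripped or no jQuery: inspect the bundle by other means
    return any(version < minimum for version in banners)


if __name__ == "__main__":
    for name, filename, message in triage(SAMPLE_REPORT):
        print(f"{name}: {message} ({filename})")
    banners, hints = jquery_versions(SAMPLE_BUNDLE)
    print("embedded jQuery:", banners, "path strings mention:", hints)
    print("needs upgrade:", needs_upgrade(SAMPLE_BUNDLE))
```

Run against a real report and the real common.js, the useful signal is a mismatch between the two lists: a path string naming 3.5.0 next to a banner still reading 2.1.0 means the bundle was relabelled rather than rebuilt, which is exactly the case where the replies above recommend regenerating the package from the Add-on Builder instead of hand-editing the minified file.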
If the common.js came from the Splunk Add-on Builder then you can ignore it for now. We're investigating false positives from that, and we (Splunk) need to provide a fix to either the check_for_vulnerable_javascript_library_usage check or the code that Splunk Add-on Builder adds to your app.
As you can imagine, security related things are hard to get info on. Nonetheless, it was pointed out to me that this is a warning, not a failure, and as such it shouldn't be an impediment to building the app. I'll continue to see if I can get more info on this.
Cross-posting with How do I address "check_for_vulnerable_javascript_library_usage" errors in AppInspect?, which sounds like the same question. I'm also hunting for some SMEs who can help.
@diogofgm could you please help here. Appreciate your inputs.
@diogofgm Do you have a solution for this issue? Our add-on is created by the add-on builder and we get an issue with common.js and Splunk Cloud Support colleagues have rejected the add-on. What should be the next step?
