The only thing that should use jQuery is linked to the website generation. The library itself will not use it.
We could try to bump the version and see if we can still build the website properly.
Yeah, I kinda figured it wouldn't be directly utilizing it, but I wasn't smart enough to know the "why" that you just provided. I appreciate you clearing that up for me, I just wanted to let you guys know that the scan is as dumb as I am. Thanks for your time though. I hope any attempt to bump the version goes smoothly, take care!
Describe the bug
Hello!
Not necessarily a bug, but there wasn't really an option for security issues.
I inherited a project from another team that utilizes scikit-learn v0.24, and when doing a Sonatype NexusIQ dependency scan, it threw a flag for CVE-2020-11023 (link below). I was confused at first, because scikit-learn is a python machine learning application, and the CVE that popped up deals with the jQuery javascript library. I did a "go to file" repository search on github of your project, and did indeed find three jQuery files that all utilize v3.1.1.
So, I'm kinda hoping I'm just an idiot and missing something plain (not too experienced in python project structure or NexusIQ scanning). Either way, when your project is added as a dependency and scanned it does "pop hot". Just wanted to let you guys know in case there is some jQuery utilization in your project.
https://nvd.nist.gov/vuln/detail/CVE-2020-11023
Steps/Code to Reproduce
N/A
Expected Results
N/A
Actual Results
NexusIQ level 6 security vulnerability
Versions
scikit-learn v0.24
jQuery v3.1.1
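As an added triage example (not code from this issue or from scikit-learn): the script below finds jQuery copies bundled in an installed Python package, reads the version from the file banner, flags anything below 3.5.0 (the jQuery release that fixed CVE-2020-11023), and notes whether the file sits under a documentation tree, which is the distinction the maintainer draws above. The banner format, the directory names treated as docs, and the sample tree built by `demo()` are assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED_IN = (3, 5, 0)  # jQuery 3.5.0 shipped the fix for CVE-2020-11023
# jQuery's standard banner, e.g. "/*! jQuery v3.1.1 | (c) ... */" (assumed present)
BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")


def jquery_version(text):
    """Return (major, minor, patch) parsed from the jQuery banner, or None."""
    m = BANNER.search(text[:512])  # the banner is on the first line
    return tuple(int(g) for g in m.groups()) if m else None


def scan_package(root):
    """List every jquery*.js under root with its version, CVE status and context.

    'docs asset' means the file lives under a documentation/static tree and is
    only used to render the website; 'package code' means it ships next to
    importable code and deserves a closer look.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("jquery*.js")):
        version = jquery_version(path.read_text(errors="replace"))
        in_docs = any(p in ("doc", "docs", "_static") for p in path.parts)
        findings.append({
            "file": path.relative_to(root).as_posix(),
            "version": ".".join(map(str, version)) if version else "unknown",
            "affected_by_cve_2020_11023": version is not None and version < FIXED_IN,
            "context": "docs asset" if in_docs else "package code",
        })
    return findings


def demo():
    """Build a constructed package tree (not real scikit-learn files) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "doc", "_static", "jquery-3.1.1.min.js")
        new = Path(tmp, "pkg", "static", "jquery.min.js")
        for path, ver in ((old, "3.1.1"), (new, "3.6.0")):
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(f"/*! jQuery v{ver} | (c) OpenJS Foundation | jquery.org/license */\n")
        return scan_package(tmp)
```

To triage a real install, call `scan_package()` on the package directory reported by `python -c "import sklearn, os; print(os.path.dirname(sklearn.__file__))"`.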