Security issues with CLI

[ctwise]

CVE-2019-17571, CVE-2020-5421, and CVE-2020-9488 were all found in the current client. These are:

CVE-2019-17571 - critical - log4j_log4 1.2.17
CVE-2020-5421 - medium - spring-core_spring-core 5.2.4
CVE-2020-9488 - low - log4j_log4j 1.2.17

[kmcdon83]

Hi @ctwise , thank you for reaching out and for providing these details.

We are actively working to address these references (both log4j and spring core) that are found within our common client library in an upcoming release.

We have previously assessed the critical log4j vulnerability and based on the context of our use had deemed it not exploitable. That said, we will ensure this is addressed.

Thanks.

[gitnubster]

How active is this actually? Nearly 2 years further, no progress reported here. No release either.

[gitnubster]

It looks there actually is a newer version. Just not published to the world... something broken in the release chain?

[gitnubster]

I found the download link, but it would be great it becomes available on npmjs.org. There is an old version published 1.0.1. Newer ones aren't there. This makes the package @checkmarx/cx-common-js-client think that 1.0.1 is the latest version also.
Though is marked as optional dependency, see https://github.com/checkmarx-ltd/cx-common-js-client/blob/master/package.json