8 changes: 4 additions & 4 deletions testdata/scanpullrequest/expected_response_multi_dir.md
@@ -40,7 +40,7 @@
| --------------------- | :-----------------------------------: |
| **Contextual Analysis:** | Not Applicable |
| **CVSS V3:** | 7.5 |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary><br></details> |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary>Fix Version: 3.1.4<br></details> |

### Summary

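Review bot: The remediation version is now only visible after the reader expands the "minimatch: 3.0.4 (Direct)" summary, and the `<br>` that previously stood alone now trails the text (`</summary>Fix Version: 3.1.4<br></details>`), which renders as an empty line at the bottom of the expanded block. If a break is wanted at all, it reads more naturally between `</summary>` and `Fix Version:`; otherwise drop it, and apply the same layout to the other three entries so the fixture stays uniform.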
@@ -243,7 +243,7 @@ Depth 3 (`*(*(*(a|b)))`, 12 bytes) stalls the Node.js event loop for 7+ seconds
| --------------------- | :-----------------------------------: |
| **Contextual Analysis:** | Not Applicable |
| **CVSS V3:** | 7.5 |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary><br></details> |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary>Fix Version: 3.1.3<br></details> |

### Summary

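Review bot: The expected fix version here is 3.1.3 while the first hunk expects 3.1.4 for the same direct dependency at 3.0.4. Different advisories can legitimately carry different fix versions, but since this is an expected-output fixture, please confirm each value was taken from the scanner data for that advisory rather than typed in by hand, so a mismatch does not get baked into the test as the reference output.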
@@ -387,7 +387,7 @@ Any application where an attacker can influence the glob pattern passed to `mini
| --------------------- | :-----------------------------------: |
| **Contextual Analysis:** | Not Applicable |
| **CVSS V3:** | 7.5 |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary><br></details> |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary>Fix Version: 3.1.3<br></details> |

### Summary
`minimatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn't appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.
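Review bot: After this change every Dependency Path entry in the fixture carries a "Fix Version:" line, so the previous shape (`</summary><br></details>`, a dependency with no known fix) is no longer exercised by this expected response. Consider leaving one entry without a fix version, or adding a separate fixture, so the no-fix-available rendering path stays covered.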
@@ -424,7 +424,7 @@ Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.<br><
| --------------------- | :-----------------------------------: |
| **Contextual Analysis:** | Not Applicable |
| **CVSS V3:** | 7.5 |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary><br></details> |
| **Dependency Path:** | <details><summary><b>minimatch: 3.0.4 (Direct)</b></summary>Fix Version: 3.0.7<br></details> |

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.<br></details>

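Review bot: This entry expects 3.0.7 for the braceExpand ReDoS advisory, a 3.0.x release rather than the 3.1.x versions expected in the other three hunks. That is consistent with the hunk header's note that the fix was back-ported to legacy versions, but it is worth a one-line comment in the test (or the commit message) explaining why the fix versions differ per advisory, so a future reader does not "correct" them to match.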