carbon-components carbon-components-react
Describe in detail the issue you're having.
We used ASoC to scan the open source libs we are packaging in our product, and some security issues were reported by ASoC.
Main issues reported:
- Insecure Use of setAttribute
- Insecure HTTP Communication
- Query Insecure Manipulation of Child Node
- Insecure random number
Is this issue related to a specific component?
No.
What did you expect to happen? What happened instead? What would you like to
see changed?
No security issue reported by ASoC because we package carbon in our product.
What browser are you working in?
N/A
What version of the Carbon Design System are you using?
10.6
What offering/product do you work on? Any pressing ship or release dates we
should be aware of?
IBM Service Management Unite
Steps to reproduce the issue
Please create a reduced test case in CodeSandbox
Hi @Bin-Xiong, thank you for making this issue! We are not able to independently verify this, as logging into ASoC seems to be broken. Is this a blocking issue for your team, and could you provide more context about ASoC?
Had a chat with @Bin-Xiong yesterday; we saw that none of them is directly affecting his team, but we agreed that we avoid Math.random() usage as a precaution.