<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/140869">140869</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
CVE-2022-25883 and CVE-2022-3517 with respect to `mlir/utils/vscode/package-lock.json`
</td>
</tr>
<tr>
<th>Labels</th>
<td>
mlir
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
rolfmorel
</td>
</tr>
</table>
<pre>
### Summary
Automated checks by Wiz flag up that packages `semver` and `minimatch` have outdated versions in the `package-lock.json` file for the MLIR VSCode extension which lives inside `llvm-project`. These outdated versions have known CVEs which are classified as "high severity" according to the automated emails we are receiving. Our internal security system considers this a serious enough issue to threaten to disconnect the affected machine from the company network.
Note that normal `llvm-project` builds will not involve building the VSCode extension: Wiz is complaining that these (versions of the) packages are even mentioned in the lock file. However, this does mean that the distributed version of the VSCode extension (presumably) comes with the affected package versions.
### Details
Both CVEs concern Regular Expression Denial of Service (ReDoS) vulnerabilities.
Summaries according to the [National Vulnerability Database](https://nvd.nist.gov/):
CVE-2022-3517:
> A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
CVE-2022-25883:
> Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Here are the respective summaries by Wiz:
CVE-2022-3517:
> The library minimatch version 3.0.4 was detected in NPM library manager located at /scratch/tpp-llvm-tar/llvm-project-faf5d747f174cc9d714839f0d3bce1a783eac2ac/mlir/utils/vscode/package-lock.json on line 1198 and is vulnerable to CVE-2022-3517, which exists in versions < 3.0.5.
>
> The vulnerability was found in the [Github Security Advisory](https://github.com/advisories/GHSA-f8q6-p94x-37v3) with vendor severity: High ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-3517) severity: High).
>
> The vulnerability can be remediated by updating the library to version 3.0.5 or higher, using npm update minimatch.
CVE-2022-25883:
> The library semver version 7.3.7 was detected in NPM library manager located at /scratch/tpp-llvm-tar/llvm-project-faf5d747f174cc9d714839f0d3bce1a783eac2ac/mlir/utils/vscode/package-lock.json on line 1905 and is vulnerable to CVE-2022-25883, which exists in versions >= 7.0.0, < 7.5.2.
>
> The vulnerability was found in the [Github Security Advisory](https://github.com/advisories/GHSA-c2qf-rxjj-qqgw) with vendor severity: High ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) severity: High).
>
> The vulnerability can be remediated by updating the library to version 7.5.2 or higher, using npm update semver.
### PoC
All we do is download a checkout of a recent llvm-project version (a couple of days old as of the creation of this report), in our case as a tar, and unpack it. Our subsequent build does not involve the MLIR VSCode extension, i.e. we do _not_ build it.
As far as we understand, Wiz performs an automated sweep in the background over the checked out files and complains about the contents of `mlir/utils/vscode/package-lock.json` even if the system in question does not have `npm` installed and the files are not used for any build/by any executable.
Manually removing the file from all checkouts seems to have appeased at least one of the vulnerability checkers. We expect that when we obtain a new checkout - and do not delete the lock file - we do get new warnings and machine disconnection threats.
### Impact
Potentially it affects the MLIR VSCode extension that is distributed in the VSCode extension "store". As the CVEs concern Regex DoS and VSCode (mostly) runs locally and without arbitrary network clients, the potential for actual abuse seems low.
### Security vulnerability report
The above was reported as a security vulnerability first (GHSA-g72r-487m-m6hh). That got closed with a request to make it a normal issue. Here we are.
</pre>
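The scanner behaviour the report describes, reduced to a small offline check: walk a `package-lock.json` (v1 `dependencies` tree or v2/v3 `packages` map) and report any pinned `minimatch` or `semver` version inside the ranges the quoted advisories give. This is an added example, not code from the issue or from Wiz; the embedded lock file is a constructed sample that only reuses the two versions the report quotes.

```python
import json

# Constructed sample lock file (lockfileVersion 2), NOT the real MLIR one.
# It pins the two versions quoted in the report plus one fixed nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "vscode-mlir", "lockfileVersion": 2,
    "packages": {
        "": {"name": "vscode-mlir"},
        "node_modules/minimatch": {"version": "3.0.4", "dev": True},
        "node_modules/semver": {"version": "7.3.7", "dev": True},
        "node_modules/vscode-languageclient/node_modules/semver": {"version": "7.5.4"},
    },
})

# Affected ranges exactly as stated in the advisories quoted above:
# CVE-2022-3517: minimatch < 3.0.5; CVE-2022-25883: semver >= 7.0.0, < 7.5.2.
ADVISORIES = [
    ("CVE-2022-3517", "minimatch", None, (3, 0, 5)),
    ("CVE-2022-25883", "semver", (7, 0, 0), (7, 5, 2)),
]

def parse_version(v):
    """Turn '7.3.7' (pre-release/build suffix ignored) into a comparable tuple."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))

def lock_entries(lock):
    """Yield (package name, version, lock path) for v2/v3 or, failing that, v1 layouts."""
    if "packages" in lock:  # v2/v3: flat map keyed by node_modules path
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself
                yield path.rsplit("node_modules/", 1)[-1], meta["version"], path
        return
    def walk(deps, prefix):  # v1: nested "dependencies" tree
        for name, meta in deps.items():
            yield name, meta["version"], f"{prefix}{name}"
            yield from walk(meta.get("dependencies", {}), f"{prefix}{name}/")
    yield from walk(lock.get("dependencies", {}), "")

def find_affected(lock_text):
    """Return [(cve, name, version, path)] for every pin inside an affected range."""
    hits = []
    for name, version, path in lock_entries(json.loads(lock_text)):
        v = parse_version(version)
        for cve, pkg, lo, hi in ADVISORIES:
            if name == pkg and (lo is None or v >= lo) and v < hi:
                hits.append((cve, name, version, path))
    return hits

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_LOCK):
        print("%s: %s@%s at %s" % hit)
```

Note that, like the scanner in the report, this flags every copy in the lock file regardless of whether the extension is ever built; a fixed nested copy does not clear an outdated top-level one.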