We are using Azure DevOps pipelines and GitHub Advanced Security to scan our repositories for security risks.
ESLint is flagging violations for two rules, @microsoft/sdl/no-html-method and @microsoft/sdl/no-inner-html. The problem is that these flags are in jQuery, jQuery Validation, and Bootstrap - all very standard libraries which are up-to-date in our code base.
Can this be right? If this is really a "high" severity security vulnerability, then why haven't these issues been fixed? Is there a way to disable these rules in GitHub Advanced Security? Can GitHub Advanced Security's architects really be expecting people to just not use those libraries?
We've updated the library versions and all other package versions; it is clear this is an issue with jQuery's own .html() calls internally, and with other libraries.
Edit: I don't mean to say that the problem itself is jQuery calling .html(), but that GitHub Advanced Security flags all occurrences without evaluating context. It's a GitHub Advanced Security issue, not a jQuery one, and I'm seeking help to disable this rule, or anything that has worked for anyone else.
@Kevin Lu-MSFT's comment resolves this. We can use a configuration file to exclude files and directories from the scan.
Edit: You have to point your YAML entry to an mdo.gdnconfig:
- task: MicrosoftSecurityDevOps@1
  displayName: Microsoft Security DevOps
  inputs:
    config: $(Build.SourcesDirectory)/mdo.gdnconfig
  env:
    BuildSourcesDirectory: $(Build.SourcesDirectory)
Then you configure the gdnconfig according to this: github.com/microsoft/security-devops-action/wiki#ESLint-options
Here's mine:
{
  "tools": [
    {
      "tool": {
        "name": "ESLint",
        "version": "Latest"
      },
      "arguments": {
        "DisableDefaultConfigurationFile": true,
        "ExclusionsFilePath": "$(BuildSourcesDirectory)/.eslintignore",
        "ConfigurationFile": "D:/a/_msdo/packages/node_modules/eslint/node_modules/@microsoft/eslint-plugin-sdl/config/required.js",
        "Extensions": [".js", ".ts"],
        "ExclusionPatterns": "*.d.ts",
        "OutputFormat": "D:/a/_msdo/packages/node_modules/eslint/node_modules/@microsoft/eslint-formatter-sarif/sarif.js",
        "Targets": "**/*.{js,ts}"
      }
    }
  ]
}
Finally, add the .eslintignore file, which works like a .gitignore, at the referenced location, and list the directories you wish to ignore.