Find keyword in all repositories (GitLab)

Especially when vulnerabilities in certain libraries are published, one needs to check whether the library is used in any of the projects. In this use case it is CVE-2022-23529:

node-jsonwebtoken is a JsonWebToken implementation for node.js. For versions `<= 8.5.1` of the `jsonwebtoken` library, if a malicious actor has the ability to modify the key retrieval parameter (referring to the `secretOrPublicKey` argument from the readme link) of the `jwt.verify()` function, they can write arbitrary files on the host machine. Users are affected only if untrusted entities are allowed to modify the key retrieval parameter of the `jwt.verify()` on a host that you control. This issue has been fixed, please update to version 9.0.0.

Reading the details, we have to find out in which projects an old version of JsonWebToken is used and update them. With a version control system like GitLab, finding this should be feasible.

Try the built-in GitLab search

Alright, hit the search bar and select „Any“ as the project.

Well, no results. I’m sure that there is at least one project that meets the search criteria. The functionality to search code across all repositories is only provided to enterprise users; GitLab doesn’t offer it out of the box for non-enterprise users, so we have to use a different approach.

The GitLab instance contains over 300 repositories; searching them by hand would be a great job for an intern. But since I want to work efficiently and spare interns such monotonous tasks, there are the following possibilities.

Use gitlab-search

„This is a command line tool that allows you to search for contents across all your GitLab repositories.“ Well, that sounds promising. Phillip Johnsen wrote a useful tool to search the complete GitLab instance.

The first step is to set up the command line tool. To do this you need to create an access token.

To create an access token, navigate to „Profile“ at the top right corner -> „Edit Profile“ -> „Access Token“.

Then generate a personal access token with the read_api scope, which is all gitlab-search needs to access the GitLab API. The token looks something like this:

glpat-XXXXXXXXXXXXXXXXXXXX

Install gitlab-search using npm:

$ npm install -g gitlab-search

To finish the installation you need to configure the personal access token you’ve created previously and set up gitlab-search:

$ gitlab-search setup glpat-XXXXXXXXXXXXXXXXXXXX --api-domain https://gitlab.company.com

For self-managed GitLab it is necessary to pass the --api-domain option to the tool; otherwise it won’t work.

Now we can search the GitLab instance for keywords:

$ gitlab-search "jsonwebtoken"
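If you would rather not install a Node tool, or want to script the same check, here is an added example (not gitlab-search’s code and not from the original post) that does the equivalent against the GitLab REST API with only the Python standard library: it pages through every project the token can see and runs the per-project blob search, which does not require the paid global code search. The GITLAB_URL and GITLAB_TOKEN environment variables and the constructed FAKE_API data are assumptions of this example.

```python
# Added example (not the page's code): search every reachable project via
# GitLab's project-level blob search, GET /projects/:id/search?scope=blobs.
import json
import os
import urllib.parse
import urllib.request

def live_fetch_json(path, params):
    """Call the real API; GITLAB_URL and GITLAB_TOKEN are assumed environment variables."""
    base = os.environ["GITLAB_URL"].rstrip("/")  # e.g. https://gitlab.company.com
    url = f"{base}/api/v4{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": os.environ["GITLAB_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def paged(fetch_json, path, params):
    """Yield items across all result pages; a page shorter than per_page is the last one."""
    page = 1
    while True:
        items = fetch_json(path, {**params, "per_page": 100, "page": page})
        yield from items
        if len(items) < 100:
            return
        page += 1

def search_all_projects(fetch_json, keyword):
    """Return {project_path: [matching file paths]} for every project with a hit."""
    hits = {}
    # membership=true limits the walk to projects the token's owner is a member of
    for project in paged(fetch_json, "/projects", {"membership": "true", "simple": "true"}):
        blobs = paged(fetch_json, f"/projects/{project['id']}/search", {"scope": "blobs", "search": keyword})
        paths = sorted({blob["path"] for blob in blobs})
        if paths:
            hits[project["path_with_namespace"]] = paths
    return hits

# Constructed stand-in for the API so the logic runs offline: only the first project uses the library.
FAKE_API = {
    "/projects": [{"id": 1, "path_with_namespace": "team/app"},
                  {"id": 2, "path_with_namespace": "team/docs"}],
    "/projects/1/search": [{"path": "src/auth.js"}, {"path": "package.json"}],
    "/projects/2/search": [],
}

def fake_fetch_json(path, params):
    return FAKE_API[path] if params["page"] == 1 else []

if __name__ == "__main__":
    fetch = live_fetch_json if "GITLAB_TOKEN" in os.environ else fake_fetch_json
    print(json.dumps(search_all_projects(fetch, "jsonwebtoken"), indent=2))
```

Every hit still needs a look at the pinned version in package.json or the lockfile, since a match on the name alone does not tell you whether the project is on a version `<= 8.5.1`.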
Written by: Thomas Trügler