Do I need to install xcpretty to work with HISE on MacOS?
-
Hi all,
How necessary is xcpretty for working with HISE on macOS?
The reason I ask is because the Dependabot and Code Scanning tools on GitHub list several security issues with it. (You can fork the code and set them up under Security in GitHub to see them.)
These are the Dependabot issues:
#1 Dependency Confusion in Bundler • High • Development • opened 12 minutes ago • Detected in bundler (RubyGems) • xcpretty.gemspec
#2 Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile • Moderate • Development • opened 12 minutes ago • Detected in bundler (RubyGems) • xcpretty.gemspec
#3 RuboCop gem Insecure use of /tmp • Low • Development • opened 12 minutes ago • Detected in rubocop (RubyGems) • xcpretty.gemspec
And these are the Code Scanning issues:
#10 Inefficient regular expression • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/parser.rb:58 • master
#9 Inefficient regular expression • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/parser.rb:58 • master
#8 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/parser.rb:481 • master
#7 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/parser.rb:462 • master
#6 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/parser.rb:459 • master
#5 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/parser.rb:433 • master
#4 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/parser.rb:316 • master
#3 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/.../reporters/json_compilation_databas...:37 • master
#2 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/ansi.rb:61 • master
#1 Polynomial regular expression used on uncontrolled data • High • opened 12 minutes ago • Detected by CodeQL in lib/xcpretty/ansi.rb:51 • master
TBH I don't really know what those warnings mean, but they have High severity warnings so they look scary.
So, can I get away without using xcpretty?
Thanks!
-
Good question.
-
@clevername27 yeah, also looks abandoned more or less. See:
https://github.com/xcpretty/xcpretty/issues/360
-
@IsaacToast said in Do I need to install xcpretty to work with HISE on MacOS?:
How necessary is xcpretty for working with HISE on macOS?
Try it and report back.
-
xcpretty is just used to pipe the super verbose build output into something more readable and provides no further functionality at all.
This being said, I don't care too much about those security warnings. If I was writing software that does online banking I would make sure that there are no issues like this, but a potential buffer overflow in a console text processor will not cause any harm and I can see no scenario where this could become even remotely concerning.
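To make concrete what "a console text processor" like xcpretty does, and what the CodeQL "polynomial regular expression used on uncontrolled data" findings are about, here is an added example (not xcpretty's code, and not part of this thread): a tiny xcodebuild output filter in the same spirit. The line shapes it matches (CompileC, clang diagnostics, the BUILD SUCCEEDED/FAILED banner) are assumed approximations of xcodebuild output, and the sample log is constructed. The defensive point is that build output contains things the tool author does not control (paths, file names, warning text), so every pattern is anchored and built from non-overlapping character classes, over-long lines are truncated before any regex runs, and on Ruby 3.2+ a process-wide regex timeout caps the worst case.

```ruby
# Added example, not xcpretty's code: an xcpretty-style filter for xcodebuild
# output that keeps regex matching linear on input the tool does not control.

# Cap line length before matching so a pathological line cannot drive a
# pattern's worst case (constructed limit, chosen for this example).
MAX_LINE = 4096

# Ruby 3.2+ can bound regex execution time process-wide; older Rubies have no
# setter, so the guard keeps the script portable.
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Assumed xcodebuild line shapes. Each pattern is anchored at the start and
# uses classes that cannot overlap with the following literal (\S+ then a
# space, [^:]+ then a colon), so backtracking stays linear.
COMPILE_RE = /\ACompileC \S+ (\S+) normal /
DIAG_RE    = /\A([^:]+):(\d+):(\d+): (warning|error): (.*)\z/
RESULT_RE  = /\A\*\* BUILD (SUCCEEDED|FAILED) \*\*\z/

# Turn one raw xcodebuild line into a short readable line, or nil for noise
# (xcpretty likewise drops lines it does not recognise).
def format_line(raw)
  line = raw.chomp
  line = line[0, MAX_LINE] if line.length > MAX_LINE
  if (m = COMPILE_RE.match(line))
    "Compiling #{File.basename(m[1])}"
  elsif (m = DIAG_RE.match(line))
    "#{m[4]}: #{File.basename(m[1])}:#{m[2]}:#{m[3]}: #{m[5]}"
  elsif (m = RESULT_RE.match(line))
    "Build #{m[1].downcase}"
  end
end

# Filter a whole log (any enumerable of lines) down to the readable lines.
def format_log(lines)
  lines.map { |l| format_line(l) }.compact
end

# Constructed sample of verbose xcodebuild output for this example.
SAMPLE_LOG = <<~LOG.lines
  Build settings from command line:
      SDKROOT = macosx
  CompileC /tmp/build/Obj/Main.o /Users/dev/HISE/Source/Main.cpp normal arm64 c++ com.apple.compilers.llvm.clang.1_0.compiler
      cd /Users/dev/HISE
      export LANG=en_US.US-ASCII
  /Users/dev/HISE/Source/Main.cpp:42:7: warning: unused variable 'x' [-Wunused-variable]
  /Users/dev/HISE/Source/Main.cpp:58:3: error: use of undeclared identifier 'foo'
  ** BUILD FAILED **
LOG

puts format_log(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

Swapping SAMPLE_LOG for STDIN.each_line turns this into a pipe filter (xcodebuild ... | ruby filter.rb). One caveat that applies to any such pipe, xcpretty included: the shell reports the exit status of the last command in the pipeline, so a failed build looks successful unless the script enables set -o pipefail first.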
-
Ah, good to know @Christoph-Hart, thanks.
In that case, I might give it a whirl like you suggest @d-healey.
This being said I don't care too much about those security warnings - if I was writing a software that does online banking I would make sure that there are no issues like this but a potential buffer overflow in a console text processor will not cause any harm and I can see no scenario where this could become even remotely concerning.
My concern is that while HISE is not an online banking app, it is still going to be run on the same machines that many people do their online banking on. And if there are known vulnerabilities that can be exploited, there are likely hackers out there trying to exploit them, no?
Of course, I may just be being paranoid out of ignorance. I only know enough to know that supply chain attacks like the one on xz utils are real, but not enough to know how they work. I suppose most attackers might tend to focus on web apps on servers because they aren’t sitting behind multiple layers of NAT, firewalls, etc like desktop clients. So, maybe you are right that a single vulnerability in a console text parser isn’t a big deal.
On the other hand, there may be scenarios one cannot foresee.
For example, multiple small vulnerabilities can be used to create bigger ones when exploited in combination. See:
https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/
That one relied on zero-days to break into fully patched end user devices. I imagine it would be even easier to exploit known vulnerabilities that have gone unpatched.
I guess in the end I am just trying to make the case for maybe not shrugging off warnings and using the GitHub tools to mitigate any potential security issues.
Food for thought anyway.
-
@IsaacToast said in Do I need to install xcpretty to work with HISE on MacOS?:
I only know enough to know that supply chain attacks
A supply chain attack doesn't happen with software that's not being updated.
-
@d-healey Good point! Of course, that doesn’t negate the fact that it has multiple known vulns already.