We're running code scan on Outsystems source code for espaces that is found in Platform Server folder under \share folder.
However we recently encountered a critical finding regarding a weak encryption found in a pdf.js file.
I checked the espace references, there is no component / extension referenced containing this pdf.js file. How to remove this? To remove it from being detected in code scan findings?
We've checked the vulnerability and it seems to be a false positive based on the forum link below:
https://github.com/mozilla/pdf.js/issues/8737
PDF.js is an open-source JavaScript library developed by Mozilla that enables the rendering of Portable Document Format (PDF) files directly within web browsers using HTML5 Canvas.
It's probably part of a PDF Viewer, such as the pdfJS Viewer Reactive module from "PDF Viewer From Binary Data". pdf.js and the rest of the script files are stored as resources; it might be that's why they didn't show in your espace reference searches.
Hope that helps
the problem is this module that I shared does not utilize any PDF related function but still ends up having this file.
What is the path to the pdf.js file? Judging by the date of the pdf.js file, could it be a leftover from a previous deployment or something like that?
Can you delete or rename the pdf.js file, then republish the module? If the file doesn't reappear and everything still works, it must have been a leftover or something.
Otherwise, it must be being deployed as a resource from somewhere, in which case you may need to look inside any referenced modules by cloning them.
Hope that helps.
I found a replacement of the PDF_Viewer which is pdfJSViewer, where its pdf.js file did not have any critical findings.
However, I still have the issue. I have already deleted the PDF_Viewer application which contains the pdf.js file with critical finding, but when I publish the module, the old pdf.js file is still re-created. Even though it is not being referenced by the module.
Did you try any of the previous suggestions I made?
As well, what versions are you using?