VYPR
Moderate severity · OSV Advisory · Published Nov 30, 2022 · Updated Apr 25, 2025

Command Injection

CVE-2022-22984

Description

The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for CVE-2022-40764. A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted files. In most cases, an attacker positioned to control the command line arguments to the Snyk CLI would already be positioned to execute arbitrary commands. However, this could be abused in specific scenarios, such as continuous integration pipelines, where developers can control the arguments passed to the Snyk CLI to leverage this component as part of a wider attack against an integration/build pipeline. This issue has been addressed in the latest Snyk Docker images available at https://hub.docker.com/r/snyk/snyk as of 2022-11-29. Images downloaded and built prior to that date should be updated. The issue has also been addressed in the Snyk TeamCity CI/CD plugin as of version v20221130.093605.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Snyk CLI and plugins are vulnerable to command injection via crafted flags, allowing arbitrary command execution when scanning untrusted projects.

Vulnerability

Overview

CVE-2022-22984 is a command injection vulnerability affecting multiple Snyk packages, including the Snyk CLI, snyk-mvn-plugin, snyk-gradle-plugin, and others. It arises from an incomplete fix for CVE-2022-40764: command line arguments were not escaped correctly before being handed to a child process that runs through a shell, so an attacker who controls those arguments can inject arbitrary commands [1][2]. The root cause is that each affected language plugin built an argument array from user-supplied values (target file paths, configuration flags, extra build arguments) and passed it to child_process without quoting the elements for the shell that interprets them. The patches listed below show the shape of the fix: every plugin's sub-process wrapper now quotes each argument with shescape, using the spawn options to pick the right shell dialect, before spawning.
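The root cause described above, as an added example that is not Snyk's code: it models what Node's child_process does with `shell: true` on POSIX (command and arguments are joined with spaces and handed to `/bin/sh -c`), shows a hostile flag value breaking out of the intended command, and then applies the same per-argument single-quote quoting that the fix introduces through shescape. The `-Pconfiguration=` flag mirrors the gradle plugin's argument building; `echo` stands in for gradle so the live run has no side effects, and `quotePosix` is a hand-written equivalent of shescape's sh-style quoting, not the library itself. The hostile value is constructed for the example.

```typescript
import { spawnSync } from 'child_process';

// Added example, not Snyk code. With `shell: true`, Node (POSIX) joins the
// command and its arguments into one string and runs `/bin/sh -c <string>`,
// so an unquoted argument can end the intended command and start another.
export function toShellLine(command: string, args: string[]): string {
  return [command].concat(args).join(' ');
}

// POSIX single-quote quoting, the approach shescape applies for sh-style shells:
// wrap the value in single quotes and render an embedded ' as '\'' .
export function quotePosix(arg: string): string {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

export function quoteAllPosix(args: string[]): string[] {
  return args.map(quotePosix);
}

// A flag value the attacker controls, e.g. a --configuration-matching value a CI
// job forwards to `snyk test`. Constructed payload for the demo.
export const HOSTILE_VALUE = 'compile; echo INJECTED';

// Vulnerable shape: the argument array is built from user input and later spawned
// with shell: true without any quoting.
export function vulnerableArgs(value: string): string[] {
  return ['dependencies', '-Pconfiguration=' + value];
}

// Hardened shape (what the patched execute() wrappers do): quote every element
// for the shell that will interpret it before spawning.
export function hardenedArgs(value: string): string[] {
  return quoteAllPosix(vulnerableArgs(value));
}

// Runs a stand-in command through the shell and returns stdout lines, or null when
// no POSIX shell is available (cmd.exe on Windows has different quoting rules).
export function runViaShell(command: string, args: string[]): string[] | null {
  if (process.platform === 'win32') return null;
  const r = spawnSync(command, args, { shell: true, encoding: 'utf8' });
  if (r.error) return null;
  return r.stdout.split('\n').filter((line) => line.length > 0);
}

// `echo` stands in for gradle: the vulnerable line yields two commands, the
// hardened line delivers the whole flag as one literal argument.
console.log('sh -c', JSON.stringify(toShellLine('echo', vulnerableArgs(HOSTILE_VALUE))));
console.log('vulnerable ->', runViaShell('echo', vulnerableArgs(HOSTILE_VALUE)));
console.log('sh -c', JSON.stringify(toShellLine('echo', hardenedArgs(HOSTILE_VALUE))));
console.log('hardened   ->', runViaShell('echo', hardenedArgs(HOSTILE_VALUE)));
```

Running it prints the two `sh -c` strings and their outputs: the vulnerable form produces a second line, `INJECTED`, because the shell executed the attacker's command; the hardened form prints the flag once, as a literal. Quoting is the fix the patches chose because the wrappers already depended on a shell; the stronger option is to drop `shell: true` so the argument array reaches the binary as argv and no interpreter ever sees it. Because quoting is shell-specific, the quoting function must know which shell will run the string, which is why the patched wrappers pass `spawnOptions` to shescape.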

Exploitation

Scenario

The attacker's lever is the set of arguments and files that snyk test is run against: a user or pipeline invokes the CLI on untrusted input, and crafted flag values are forwarded by a language plugin into the command it spawns through a shell. In most settings, anyone who can choose the CLI's arguments can already run commands as that user, which is why the advisory rates the issue as moderate. The realistic target is a continuous integration (CI) pipeline, where a developer who can influence the arguments passed to Snyk (through a pipeline definition or project files) but has no direct access to the build agent can use the scanner as the command execution step of a broader attack on the build system [2]. Scoring that treats the vector as network-reachable with low privileges and no user interaction [4] describes this pipeline case; it does not mean the CLI can be exploited without someone, or some automation, running it on attacker-influenced input.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the host system where the Snyk CLI is installed. This can lead to unauthorized access to sensitive data, modification of files, or installation of malicious software [2]. The impact is limited to the scope of the user running the Snyk CLI, but in CI environments that user typically holds repository write tokens, registry credentials and signing material, so a compromised scan step can compromise the entire build pipeline.

Mitigation

Snyk has released fixes for every affected package: Snyk CLI 1.1064.0 and later, and the corresponding plugin releases (snyk-gradle-plugin 3.24.5, snyk-mvn-plugin 2.31.3, snyk-sbt-plugin 2.16.2, snyk-python-plugin 1.24.2, snyk-docker-plugin 5.6.5, @snyk/snyk-hex-plugin 1.1.6, @snyk/snyk-cocoapods-plugin 2.5.3). The CLI commit in the patch list pins the fixed plugin versions as CLI dependencies, so users of the bundled CLI only need to upgrade the CLI; projects that depend on a plugin package directly must bump that plugin as well. Updated Docker images are available as of 2022-11-29, and images pulled or built before that date must be rebuilt because they carry the old CLI; the Snyk TeamCity CI/CD plugin is fixed in version v20221130.093605 [1][4]. Users are strongly advised to update to the latest versions to mitigate this vulnerability.
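A check for the mitigation advice above, added here as an example and not part of the advisory or of Snyk's tooling: it walks the `packages` map of a package-lock.json (lockfile v2/v3, the same `node_modules/...` layout as the CLI patch below) and reports any of the eight advisory packages installed below their patched release, including nested copies such as `node_modules/snyk/node_modules/snyk-mvn-plugin`. The lockfile excerpt is constructed for the example; the version comparison is a minimal three-component compare, not a full semver implementation.

```typescript
// Added example, not Snyk's code: flag installed versions of the advisory's
// packages that are below the patched release, reading a package-lock.json.

export const PATCHED_VERSIONS: { [name: string]: string } = {
  'snyk': '1.1064.0',
  'snyk-mvn-plugin': '2.31.3',
  'snyk-gradle-plugin': '3.24.5',
  '@snyk/snyk-cocoapods-plugin': '2.5.3',
  'snyk-sbt-plugin': '2.16.2',
  'snyk-python-plugin': '1.24.2',
  'snyk-docker-plugin': '5.6.5',
  '@snyk/snyk-hex-plugin': '1.1.6',
};

export interface LockEntry { version?: string; }
export interface Lockfile { packages?: { [lockPath: string]: LockEntry }; }
export interface Finding { path: string; name: string; installed: string; patched: string; }

// Compares major.minor.patch numerically. A pre-release suffix is stripped, so
// "1.2.3-beta" compares equal to "1.2.3"; adequate for the releases in this table.
export function compareVersions(a: string, b: string): number {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/snyk/node_modules/snyk-mvn-plugin" -> "snyk-mvn-plugin";
// scoped names keep their "@scope/" prefix.
export function nameFromLockPath(lockPath: string): string {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

export function findVulnerable(lock: Lockfile): Finding[] {
  const findings: Finding[] = [];
  const packages = lock.packages || {};
  for (const lockPath of Object.keys(packages)) {
    if (lockPath === '') continue; // the root project's own entry
    const name = nameFromLockPath(lockPath);
    const patched = PATCHED_VERSIONS[name];
    const installed = packages[lockPath].version;
    if (!patched || !installed) continue;
    if (compareVersions(installed, patched) < 0) {
      findings.push({ path: lockPath, name, installed, patched });
    }
  }
  return findings;
}

// Constructed lockfile excerpt (not from a real project). The nested copy of
// snyk-mvn-plugin under the CLI is the case a top-level-only check would miss.
export const SAMPLE_LOCK: Lockfile = {
  packages: {
    '': { version: '0.0.1' },
    'node_modules/snyk': { version: '1.1063.0' },
    'node_modules/snyk/node_modules/snyk-mvn-plugin': { version: '2.31.2' },
    'node_modules/snyk-gradle-plugin': { version: '3.24.6' },
    'node_modules/@snyk/snyk-hex-plugin': { version: '1.1.6' },
    'node_modules/shescape': { version: '1.6.1' },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.installed} is below patched ${f.patched}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Lockfile v1 (a `dependencies` tree) and `npm ls --json` output are shaped differently and need a different walker. Because the Snyk CLI declares the plugins as its own dependencies, a project that depends only on `snyk` may still carry plugin copies under `node_modules/snyk/node_modules/` when versions cannot be hoisted, which is why the lookup is path-aware rather than keyed on top-level names.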

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Ecosystem   Affected versions   Patched version
snyk                          npm         < 1.1064.0          1.1064.0
snyk-mvn-plugin               npm         < 2.31.3            2.31.3
snyk-sbt-plugin               npm         < 2.16.2            2.16.2
snyk-python-plugin            npm         < 1.24.2            1.24.2
@snyk/snyk-hex-plugin         npm         < 1.1.6             1.1.6
snyk-gradle-plugin            npm         < 3.24.5            3.24.5
snyk-docker-plugin            npm         < 5.6.5             5.6.5
@snyk/snyk-cocoapods-plugin   npm         < 2.5.3             2.5.3

Affected products (9)

Patches (8)
e8dd2a330b40

fix: quote spawn args

https://github.com/snyk/snyk-hex-plugin · Xujia Zhou · Nov 29, 2022 · via ghsa
3 files changed · +11 −3
  • lib/sub-process.ts (+2 −0, modified)
    @@ -1,5 +1,6 @@
     import * as childProcess from 'child_process';
     import { debug } from './debug';
    +import { quoteAll } from 'shescape';
     
     export function execute(
       command: string,
    @@ -12,6 +13,7 @@ export function execute(
       if (options && options.cwd) {
         spawnOptions.cwd = options.cwd;
       }
    +  args = quoteAll(args, spawnOptions);
     
       return new Promise((resolve, reject) => {
         let stdout = '';
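Review bot: `quoteAll` only produces a correct result if `spawnOptions.shell` is set to the same shell that `childProcess.spawn` later runs the command under, and that property is assigned outside this hunk. shescape picks its quoting dialect from `options.shell`; if `spawnOptions` carries no `shell` key while the spawn call uses one, or the reverse, the arguments are either quoted for the wrong interpreter or reach the child with literal quote characters attached. A one-line comment stating that `execute` always spawns through a shell, plus a test asserting that `execute('echo', ['a; echo b'])` yields a single line, would pin the contract down.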
    
  • package.json (+1 −0, modified)
    @@ -33,6 +33,7 @@
         "@snyk/dep-graph": "^1.28.0",
         "@snyk/mix-parser": "^1.1.1",
         "debug": "^4.3.1",
    +    "shescape": "1.6.1",
         "tmp": "^0.0.33",
         "tslib": "^2.0.0",
         "upath": "2.0.1"
    
  • .snyk (+8 −3, modified)
    @@ -1,5 +1,10 @@
     # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
    -version: v1.13.5
    -ignore: {}
    -# patches apply the minimum changes required to fix a vulnerability
    +version: v1.25.0
    +# ignores vulnerabilities until expiry date; change duration by modifying expiry date
    +ignore:
    +  'snyk:lic:npm:shescape:MPL-2.0':
    +    - '*':
    +        reason: None Given
    +        expires: 2122-12-29T08:08:41.608Z
    +        created: 2022-11-29T08:08:41.611Z
     patch: {}
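Review bot: `reason: None Given` together with an expiry in 2122 turns a license finding into a permanent, unexplained ignore. The entry should state why MPL-2.0 is acceptable for this dependency (for example, that shescape is consumed unmodified) and carry an expiry that forces a periodic re-review rather than one a century out.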
    
8591abdd9236

fix: quote spawn args

https://github.com/snyk/snyk-python-plugin · Xujia Zhou · Nov 29, 2022 · via ghsa
3 files changed · +15 −0
  • lib/dependencies/sub-process.ts (+3 −0, modified)
    @@ -1,4 +1,5 @@
     import { spawn, spawnSync, SpawnOptions } from 'child_process';
    +import { quoteAll } from 'shescape';
     
     interface ProcessOptions {
       cwd?: string;
    @@ -22,6 +23,7 @@ export function execute(
       options?: ProcessOptions
     ): Promise<string> {
       const spawnOptions = makeSpawnOptions(options);
    +  args = quoteAll(args, spawnOptions);
       return new Promise((resolve, reject) => {
         let stdout = '';
         let stderr = '';
    @@ -49,6 +51,7 @@ export function executeSync(
       options?: ProcessOptions
     ) {
       const spawnOptions = makeSpawnOptions(options);
    +  args = quoteAll(args, spawnOptions);
     
       return spawnSync(command, args, spawnOptions);
     }
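Review bot: Covering `executeSync` as well as `execute` is necessary, since `spawnSync` with a shell is just as injectable as `spawn`. What this hunk relies on is that `makeSpawnOptions` always returns an object whose `shell` value matches what `spawnSync` uses; because both branches read the same `spawnOptions`, a single test such as `executeSync('echo', ['a; echo b'])` returning one line of stdout would lock that in for both paths.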
    
  • package.json (+1 −0, modified)
    @@ -25,6 +25,7 @@
       "dependencies": {
         "@snyk/cli-interface": "^2.11.2",
         "@snyk/dep-graph": "^1.28.1",
    +    "shescape": "1.6.1",
         "snyk-poetry-lockfile-parser": "^1.1.7",
         "tmp": "0.2.1"
       },
    
  • .snyk (+11 −0, added)
    @@ -0,0 +1,11 @@
    +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
    +version: v1.25.0
    +# ignores vulnerabilities until expiry date; change duration by modifying expiry date
    +ignore:
    +  'snyk:lic:npm:shescape:MPL-2.0':
    +    - '*':
    +        reason: None Given
    +        expires: 2122-12-29T08:08:41.608Z
    +        created: 2022-11-29T08:08:41.611Z
    +patch: {}
    +
    
80d97a933264

fix: escape child process arguments

https://github.com/snyk/cli · gitphill · Nov 29, 2022 · via ghsa
2 files changed · +60 −48
  • package.json (+6 −6, modified)
    @@ -67,8 +67,8 @@
         "@snyk/docker-registry-v2-client": "^2.7.3",
         "@snyk/fix": "file:packages/snyk-fix",
         "@snyk/gemfile": "1.2.0",
    -    "@snyk/snyk-cocoapods-plugin": "2.5.2",
    -    "@snyk/snyk-hex-plugin": "1.1.4",
    +    "@snyk/snyk-cocoapods-plugin": "2.5.3",
    +    "@snyk/snyk-hex-plugin": "1.1.6",
         "@types/jest-json-schema": "^6.1.1",
         "@types/marked": "^4.0.0",
         "abbrev": "^1.1.1",
    @@ -113,18 +113,18 @@
         "semver": "^6.0.0",
         "snyk-config": "4.0.0",
         "snyk-cpp-plugin": "2.20.1",
    -    "snyk-docker-plugin": "^5.6.4",
    +    "snyk-docker-plugin": "5.6.5",
         "snyk-go-plugin": "^1.19.4",
         "snyk-gradle-plugin": "3.24.6",
         "snyk-module": "3.1.0",
    -    "snyk-mvn-plugin": "2.31.2",
    +    "snyk-mvn-plugin": "2.31.3",
         "snyk-nodejs-lockfile-parser": "1.44.0",
         "snyk-nuget-plugin": "1.23.5",
         "snyk-php-plugin": "1.9.2",
         "snyk-policy": "^1.25.0",
    -    "snyk-python-plugin": "1.24.1",
    +    "snyk-python-plugin": "1.24.2",
         "snyk-resolve-deps": "4.7.3",
    -    "snyk-sbt-plugin": "2.16.1",
    +    "snyk-sbt-plugin": "2.16.2",
         "strip-ansi": "^5.2.0",
         "tar": "^6.1.2",
         "uuid": "^8.3.2",
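Review bot: `snyk-docker-plugin` moves from the caret range `^5.6.4` to an exact `5.6.5`, which is the right choice for a security bump (a caret range can otherwise keep resolving to a cached 5.6.4 from an old lockfile), but it is the only line here that changes range style, so the commit message should say the pin is deliberate. `snyk-gradle-plugin` stays at `3.24.6`, already above the 3.24.5 the advisory names as fixed, so no change is needed on that line.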
    
  • package-lock.json (+54 −42, modified)
    @@ -20,8 +20,8 @@
             "@snyk/docker-registry-v2-client": "^2.7.3",
             "@snyk/fix": "file:packages/snyk-fix",
             "@snyk/gemfile": "1.2.0",
    -        "@snyk/snyk-cocoapods-plugin": "2.5.2",
    -        "@snyk/snyk-hex-plugin": "1.1.4",
    +        "@snyk/snyk-cocoapods-plugin": "2.5.3",
    +        "@snyk/snyk-hex-plugin": "1.1.6",
             "@types/jest-json-schema": "^6.1.1",
             "@types/marked": "^4.0.0",
             "abbrev": "^1.1.1",
    @@ -66,18 +66,18 @@
             "semver": "^6.0.0",
             "snyk-config": "4.0.0",
             "snyk-cpp-plugin": "2.20.1",
    -        "snyk-docker-plugin": "^5.6.4",
    +        "snyk-docker-plugin": "5.6.5",
             "snyk-go-plugin": "^1.19.4",
             "snyk-gradle-plugin": "3.24.6",
             "snyk-module": "3.1.0",
    -        "snyk-mvn-plugin": "2.31.2",
    +        "snyk-mvn-plugin": "2.31.3",
             "snyk-nodejs-lockfile-parser": "1.44.0",
             "snyk-nuget-plugin": "1.23.5",
             "snyk-php-plugin": "1.9.2",
             "snyk-policy": "^1.25.0",
    -        "snyk-python-plugin": "1.24.1",
    +        "snyk-python-plugin": "1.24.2",
             "snyk-resolve-deps": "4.7.3",
    -        "snyk-sbt-plugin": "2.16.1",
    +        "snyk-sbt-plugin": "2.16.2",
             "strip-ansi": "^5.2.0",
             "tar": "^6.1.2",
             "uuid": "^8.3.2",
    @@ -2234,13 +2234,14 @@
           }
         },
         "node_modules/@snyk/snyk-cocoapods-plugin": {
    -      "version": "2.5.2",
    -      "resolved": "https://registry.npmjs.org/@snyk/snyk-cocoapods-plugin/-/snyk-cocoapods-plugin-2.5.2.tgz",
    -      "integrity": "sha512-WHhnwyoGOhjFOjBXqUfszD84SErrtjHjium/4xFbqKpEE+yuwxs8OwV/S29BtxhYiGtjpD1azv5QtH30VUMl0A==",
    +      "version": "2.5.3",
    +      "resolved": "https://registry.npmjs.org/@snyk/snyk-cocoapods-plugin/-/snyk-cocoapods-plugin-2.5.3.tgz",
    +      "integrity": "sha512-BMaE6jB2r57X6G8woGDhd+YjZ20kptRB+uXrpRFHf2PB+zQR2Ej5Vv8WKRkCCEK4Esi8hu/07b2HJiFX9DlR/A==",
           "dependencies": {
             "@snyk/cli-interface": "^2.11.0",
             "@snyk/cocoapods-lockfile-parser": "3.6.2",
             "@snyk/dep-graph": "^1.23.1",
    +        "shescape": "1.6.1",
             "source-map-support": "^0.5.7",
             "tslib": "^2.0.0"
           },
    @@ -2293,13 +2294,14 @@
           }
         },
         "node_modules/@snyk/snyk-hex-plugin": {
    -      "version": "1.1.4",
    -      "resolved": "https://registry.npmjs.org/@snyk/snyk-hex-plugin/-/snyk-hex-plugin-1.1.4.tgz",
    -      "integrity": "sha512-kLfFGckSmyKe667UGPyWzR/H7/Trkt4fD8O/ktElOx1zWgmivpLm0Symb4RCfEmz9irWv+N6zIKRrfSNdytcPQ==",
    +      "version": "1.1.6",
    +      "resolved": "https://registry.npmjs.org/@snyk/snyk-hex-plugin/-/snyk-hex-plugin-1.1.6.tgz",
    +      "integrity": "sha512-6pe8O72QKiRCmS2X5sPZ0YUdE6F246GY1mNifNvU3upeTJWS3TRkhZ8P7vrIZ/Eo6o94hItUekB94aQwGq2s6A==",
           "dependencies": {
             "@snyk/dep-graph": "^1.28.0",
             "@snyk/mix-parser": "^1.1.1",
             "debug": "^4.3.1",
    +        "shescape": "1.6.1",
             "tmp": "^0.0.33",
             "tslib": "^2.0.0",
             "upath": "2.0.1"
    @@ -16482,9 +16484,9 @@
           "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
         },
         "node_modules/snyk-docker-plugin": {
    -      "version": "5.6.4",
    -      "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-5.6.4.tgz",
    -      "integrity": "sha512-cdzJT747CN66TkU+3zBlJ3V7X1X404YB3TYnJTvxg4DL/0kZ9LvVpZ2AXWlGtd/lcr91gO/O//dAsl4tJwKUFg==",
    +      "version": "5.6.5",
    +      "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-5.6.5.tgz",
    +      "integrity": "sha512-JOBkAaUaJBXj4xQ7Dc/tNQZBSaY8g3BHm/sAkyABSVs0g/vpX8rZkqcr1MhTP5jFsDL5TYVinD+coAR31k2j3A==",
           "dependencies": {
             "@snyk/composer-lockfile-parser": "^1.4.1",
             "@snyk/dep-graph": "^2.3.0",
    @@ -16500,6 +16502,7 @@
             "gunzip-maybe": "^1.4.2",
             "mkdirp": "^1.0.4",
             "semver": "^7.3.4",
    +        "shescape": "1.6.1",
             "snyk-nodejs-lockfile-parser": "1.40.0",
             "snyk-poetry-lockfile-parser": "^1.1.7",
             "tar-stream": "^2.1.0",
    @@ -16909,15 +16912,16 @@
           "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
         },
         "node_modules/snyk-mvn-plugin": {
    -      "version": "2.31.2",
    -      "resolved": "https://registry.npmjs.org/snyk-mvn-plugin/-/snyk-mvn-plugin-2.31.2.tgz",
    -      "integrity": "sha512-/yqn40AYWxI4UKTEpDTa1xRi3NcSSjfEMzoD0Jlc0qI/z+mRMjRsJjxske38LLOcDeUsoPfSQNv97DUpMedDgA==",
    +      "version": "2.31.3",
    +      "resolved": "https://registry.npmjs.org/snyk-mvn-plugin/-/snyk-mvn-plugin-2.31.3.tgz",
    +      "integrity": "sha512-VX/KnqXLRycRQDowOtGuJru4b52wCMpfNIoZDneOqJBSLlZZ0Rb/KNueUtJbT2vm6fZln5bdEXEoME3GX/6bPw==",
           "dependencies": {
             "@snyk/cli-interface": "2.11.3",
             "@snyk/dep-graph": "^1.23.1",
             "debug": "^4.1.1",
             "glob": "^7.1.6",
             "needle": "^2.5.0",
    +        "shescape": "1.6.1",
             "tslib": "^2.4.0"
           }
         },
    @@ -17206,12 +17210,13 @@
           "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A=="
         },
         "node_modules/snyk-python-plugin": {
    -      "version": "1.24.1",
    -      "resolved": "https://registry.npmjs.org/snyk-python-plugin/-/snyk-python-plugin-1.24.1.tgz",
    -      "integrity": "sha512-u52RAf9T20NsiDLZ798whQLQ/2lWZdDRRFT2GYqyl7oLr5yUD2+SG14d7Phy+ca4Vn7vwKbIQpxXwtUlbRKmVw==",
    +      "version": "1.24.2",
    +      "resolved": "https://registry.npmjs.org/snyk-python-plugin/-/snyk-python-plugin-1.24.2.tgz",
    +      "integrity": "sha512-jzCBREfDGYLizRse8dFdZwx09tCh4p2z5HdA2zwdHj9Rl+LOKQUMrvr1elZGSt244WYqR3rdsObztrh3mDPWVQ==",
           "dependencies": {
             "@snyk/cli-interface": "^2.11.2",
             "@snyk/dep-graph": "^1.28.1",
    +        "shescape": "1.6.1",
             "snyk-poetry-lockfile-parser": "^1.1.7",
             "tmp": "0.2.1"
           }
    @@ -17306,12 +17311,13 @@
           "integrity": "sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI="
         },
         "node_modules/snyk-sbt-plugin": {
    -      "version": "2.16.1",
    -      "resolved": "https://registry.npmjs.org/snyk-sbt-plugin/-/snyk-sbt-plugin-2.16.1.tgz",
    -      "integrity": "sha512-SUgPMLmHYa76iwM875tP/8K/10gzZfTPUEJsCkI0bA8TQPimiFDqyrB1mhNLo2NPV8YnqIHwFZgx56ibwywPKQ==",
    +      "version": "2.16.2",
    +      "resolved": "https://registry.npmjs.org/snyk-sbt-plugin/-/snyk-sbt-plugin-2.16.2.tgz",
    +      "integrity": "sha512-aeciSOwj6GFLV9NdBrTvtbPoa5SxEWUSZaFC0MQYtaHMfCvQlLWSbcxjK4cqaCp31472tT63C9AKPla/ycn+5g==",
           "dependencies": {
             "debug": "^4.1.1",
             "semver": "^6.1.2",
    +        "shescape": "1.6.1",
             "tmp": "^0.1.0",
             "tree-kill": "^1.2.2",
             "tslib": "^1.10.0"
    @@ -21784,13 +21790,14 @@
           }
         },
         "@snyk/snyk-cocoapods-plugin": {
    -      "version": "2.5.2",
    -      "resolved": "https://registry.npmjs.org/@snyk/snyk-cocoapods-plugin/-/snyk-cocoapods-plugin-2.5.2.tgz",
    -      "integrity": "sha512-WHhnwyoGOhjFOjBXqUfszD84SErrtjHjium/4xFbqKpEE+yuwxs8OwV/S29BtxhYiGtjpD1azv5QtH30VUMl0A==",
    +      "version": "2.5.3",
    +      "resolved": "https://registry.npmjs.org/@snyk/snyk-cocoapods-plugin/-/snyk-cocoapods-plugin-2.5.3.tgz",
    +      "integrity": "sha512-BMaE6jB2r57X6G8woGDhd+YjZ20kptRB+uXrpRFHf2PB+zQR2Ej5Vv8WKRkCCEK4Esi8hu/07b2HJiFX9DlR/A==",
           "requires": {
             "@snyk/cli-interface": "^2.11.0",
             "@snyk/cocoapods-lockfile-parser": "3.6.2",
             "@snyk/dep-graph": "^1.23.1",
    +        "shescape": "1.6.1",
             "source-map-support": "^0.5.7",
             "tslib": "^2.0.0"
           },
    @@ -21832,13 +21839,14 @@
           }
         },
         "@snyk/snyk-hex-plugin": {
    -      "version": "1.1.4",
    -      "resolved": "https://registry.npmjs.org/@snyk/snyk-hex-plugin/-/snyk-hex-plugin-1.1.4.tgz",
    -      "integrity": "sha512-kLfFGckSmyKe667UGPyWzR/H7/Trkt4fD8O/ktElOx1zWgmivpLm0Symb4RCfEmz9irWv+N6zIKRrfSNdytcPQ==",
    +      "version": "1.1.6",
    +      "resolved": "https://registry.npmjs.org/@snyk/snyk-hex-plugin/-/snyk-hex-plugin-1.1.6.tgz",
    +      "integrity": "sha512-6pe8O72QKiRCmS2X5sPZ0YUdE6F246GY1mNifNvU3upeTJWS3TRkhZ8P7vrIZ/Eo6o94hItUekB94aQwGq2s6A==",
           "requires": {
             "@snyk/dep-graph": "^1.28.0",
             "@snyk/mix-parser": "^1.1.1",
             "debug": "^4.3.1",
    +        "shescape": "1.6.1",
             "tmp": "^0.0.33",
             "tslib": "^2.0.0",
             "upath": "2.0.1"
    @@ -32842,9 +32850,9 @@
           }
         },
         "snyk-docker-plugin": {
    -      "version": "5.6.4",
    -      "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-5.6.4.tgz",
    -      "integrity": "sha512-cdzJT747CN66TkU+3zBlJ3V7X1X404YB3TYnJTvxg4DL/0kZ9LvVpZ2AXWlGtd/lcr91gO/O//dAsl4tJwKUFg==",
    +      "version": "5.6.5",
    +      "resolved": "https://registry.npmjs.org/snyk-docker-plugin/-/snyk-docker-plugin-5.6.5.tgz",
    +      "integrity": "sha512-JOBkAaUaJBXj4xQ7Dc/tNQZBSaY8g3BHm/sAkyABSVs0g/vpX8rZkqcr1MhTP5jFsDL5TYVinD+coAR31k2j3A==",
           "requires": {
             "@snyk/composer-lockfile-parser": "^1.4.1",
             "@snyk/dep-graph": "^2.3.0",
    @@ -32860,6 +32868,7 @@
             "gunzip-maybe": "^1.4.2",
             "mkdirp": "^1.0.4",
             "semver": "^7.3.4",
    +        "shescape": "1.6.1",
             "snyk-nodejs-lockfile-parser": "1.40.0",
             "snyk-poetry-lockfile-parser": "^1.1.7",
             "tar-stream": "^2.1.0",
    @@ -33182,15 +33191,16 @@
           }
         },
         "snyk-mvn-plugin": {
    -      "version": "2.31.2",
    -      "resolved": "https://registry.npmjs.org/snyk-mvn-plugin/-/snyk-mvn-plugin-2.31.2.tgz",
    -      "integrity": "sha512-/yqn40AYWxI4UKTEpDTa1xRi3NcSSjfEMzoD0Jlc0qI/z+mRMjRsJjxske38LLOcDeUsoPfSQNv97DUpMedDgA==",
    +      "version": "2.31.3",
    +      "resolved": "https://registry.npmjs.org/snyk-mvn-plugin/-/snyk-mvn-plugin-2.31.3.tgz",
    +      "integrity": "sha512-VX/KnqXLRycRQDowOtGuJru4b52wCMpfNIoZDneOqJBSLlZZ0Rb/KNueUtJbT2vm6fZln5bdEXEoME3GX/6bPw==",
           "requires": {
             "@snyk/cli-interface": "2.11.3",
             "@snyk/dep-graph": "^1.23.1",
             "debug": "^4.1.1",
             "glob": "^7.1.6",
             "needle": "^2.5.0",
    +        "shescape": "1.6.1",
             "tslib": "^2.4.0"
           },
           "dependencies": {
    @@ -33445,12 +33455,13 @@
           }
         },
         "snyk-python-plugin": {
    -      "version": "1.24.1",
    -      "resolved": "https://registry.npmjs.org/snyk-python-plugin/-/snyk-python-plugin-1.24.1.tgz",
    -      "integrity": "sha512-u52RAf9T20NsiDLZ798whQLQ/2lWZdDRRFT2GYqyl7oLr5yUD2+SG14d7Phy+ca4Vn7vwKbIQpxXwtUlbRKmVw==",
    +      "version": "1.24.2",
    +      "resolved": "https://registry.npmjs.org/snyk-python-plugin/-/snyk-python-plugin-1.24.2.tgz",
    +      "integrity": "sha512-jzCBREfDGYLizRse8dFdZwx09tCh4p2z5HdA2zwdHj9Rl+LOKQUMrvr1elZGSt244WYqR3rdsObztrh3mDPWVQ==",
           "requires": {
             "@snyk/cli-interface": "^2.11.2",
             "@snyk/dep-graph": "^1.28.1",
    +        "shescape": "1.6.1",
             "snyk-poetry-lockfile-parser": "^1.1.7",
             "tmp": "0.2.1"
           },
    @@ -33534,12 +33545,13 @@
           }
         },
         "snyk-sbt-plugin": {
    -      "version": "2.16.1",
    -      "resolved": "https://registry.npmjs.org/snyk-sbt-plugin/-/snyk-sbt-plugin-2.16.1.tgz",
    -      "integrity": "sha512-SUgPMLmHYa76iwM875tP/8K/10gzZfTPUEJsCkI0bA8TQPimiFDqyrB1mhNLo2NPV8YnqIHwFZgx56ibwywPKQ==",
    +      "version": "2.16.2",
    +      "resolved": "https://registry.npmjs.org/snyk-sbt-plugin/-/snyk-sbt-plugin-2.16.2.tgz",
    +      "integrity": "sha512-aeciSOwj6GFLV9NdBrTvtbPoa5SxEWUSZaFC0MQYtaHMfCvQlLWSbcxjK4cqaCp31472tT63C9AKPla/ycn+5g==",
           "requires": {
             "debug": "^4.1.1",
             "semver": "^6.1.2",
    +        "shescape": "1.6.1",
             "tmp": "^0.1.0",
             "tree-kill": "^1.2.2",
             "tslib": "^1.10.0"
    
c73e049c5200

fix: quote args

https://github.com/snyk/snyk-cocoapods-plugin · Lucian Rosu · Nov 29, 2022 · via ghsa
4 files changed · +13 −3
  • lib/sub-process.ts (+3 −0, modified)
    @@ -1,4 +1,5 @@
     import * as childProcess from 'child_process';
    +import { quoteAll } from 'shescape';
     
     export function execute(
       command: string,
    @@ -13,6 +14,8 @@ export function execute(
         spawnOptions.cwd = options.cwd;
       }
     
    +  args = quoteAll(args, spawnOptions);
    +
       return new Promise((resolve, reject) => {
         let stdout = '';
         let stderr = '';
    
  • package.json (+1 −0, modified)
    @@ -34,6 +34,7 @@
         "@snyk/cli-interface": "^2.11.0",
         "@snyk/cocoapods-lockfile-parser": "3.6.2",
         "@snyk/dep-graph": "^1.23.1",
    +    "shescape": "1.6.1",
         "source-map-support": "^0.5.7",
         "tslib": "^2.0.0"
       },
    
  • .snyk (+8 −2, modified)
    @@ -1,6 +1,12 @@
     # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
    -version: v1.13.5
    -ignore: {}
    +version: v1.25.0
    +# ignores vulnerabilities until expiry date; change duration by modifying expiry date
    +ignore:
    +  'snyk:lic:npm:shescape:MPL-2.0':
    +    - '*':
    +        reason: None Given
    +        expires: 2022-12-29T09:11:54.820Z
    +        created: 2022-11-29T09:11:54.829Z
     # patches apply the minimum changes required to fix a vulnerability
     patch:
       SNYK-JS-LODASH-450202:
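Review bot: The expiry here is `2022-12-29`, one month after creation, whereas the sibling plugins use `2122-12-29`; either this ignore is meant to be temporary and a follow-up must land before it lapses and the license finding returns, or the year is a typo. `reason: None Given` should also be replaced with the actual justification for accepting MPL-2.0.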
    
  • test/lib/sub-process.test.ts (+1 −1, modified)
    @@ -27,7 +27,7 @@ describe('execute()', () => {
     
       test('Considers option.cwd', async () => {
         await expect(
    -      subProcess.execute('basename', ['$PWD'], { cwd: __dirname }),
    +      subProcess.execute('basename $PWD', [], { cwd: __dirname }),
         ).resolves.toEqual('lib\n');
       });
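Review bot: This test change documents the limit of the fix rather than just keeping the test green: `$PWD` expands only because it moved from `args` into `command`, which shows that the command string is still interpreted by the shell and that quoting covers arguments only. Callers must never build `command` from user-controlled data; a comment on `execute` stating that, plus a companion test asserting that `['$PWD']` passed as an argument now comes back literally, would make the contract explicit.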
     
    
02cda9ba1ea3

fix: escape child process arguments

https://github.com/snyk/snyk-mvn-plugin · gitphill · Nov 29, 2022 · via ghsa
3 files changed · +15 −0
  • lib/sub-process.ts (+4 −0, modified)
    @@ -1,5 +1,6 @@
     import * as childProcess from 'child_process';
     import { debug } from './index';
    +import { quoteAll } from 'shescape';
     
     export function execute(command, args, options): Promise<string> {
       const spawnOptions: {
    @@ -9,6 +10,9 @@ export function execute(command, args, options): Promise<string> {
       if (options && options.cwd) {
         spawnOptions.cwd = options.cwd;
       }
    +  if (args) {
    +    args = quoteAll(args, spawnOptions);
    +  }
     
       return new Promise((resolve, reject) => {
         let stdout = '';
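Review bot: The `if (args)` guard avoids calling `quoteAll` on an undefined list, but `command`, `args` and `options` are untyped in this signature. Declaring it as `execute(command: string, args: string[] = [], options?: { cwd?: string })` would remove the need for the guard and let the compiler reject a caller that passes a single pre-joined string where an array is expected, which with a shell in use is precisely the shape that bypasses per-element quoting.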
    
  • package.json (+1 −0, modified)
    @@ -48,6 +48,7 @@
         "debug": "^4.1.1",
         "glob": "^7.1.6",
         "needle": "^2.5.0",
    +    "shescape": "1.6.1",
         "tslib": "^2.4.0"
       }
     }
    
  • .snyk (+10 −0, added)
    @@ -0,0 +1,10 @@
    +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
    +version: v1.25.0
    +# ignores vulnerabilities until expiry date; change duration by modifying expiry date
    +ignore:
    +  'snyk:lic:npm:shescape:MPL-2.0':
    +    - '*':
    +        reason: None Given
    +        expires: 2122-12-29T08:08:41.608Z
    +        created: 2022-11-29T08:08:41.611Z
    +patch: {}
    
99c09eb12c9f

fix: escape child process arguments

https://github.com/snyk/snyk-sbt-plugin · gitphill · Nov 29, 2022 · via ghsa
5 files changed · +21 −8
  • lib/index.ts (+1 −1, modified)
    @@ -265,7 +265,7 @@ export function buildArgs(
       isOutputGraph?: boolean,
     ) {
       // force plain output so we don't have to parse colour codes
    -  let args = ['"-Dsbt.log.noformat=true"'];
    +  let args = ['-Dsbt.log.noformat=true'];
       if (sbtArgs) {
         args = args.concat(sbtArgs);
       }
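Review bot: Dropping the hand-written double quotes is required now that `execute` quotes every element; otherwise sbt would receive `"-Dsbt.log.noformat=true"` with the quote characters as part of the value. One behaviour change to confirm: the tests further down pass `sbtArgs` as a single string such as `'-Paxis -Pjaxen'`, which lands in the array as one element, so after `quoteAll` sbt will see one argument `-Paxis -Pjaxen` instead of two flags. If callers rely on the string form being split by the shell, `buildArgs` should split it on whitespace itself before the array is quoted.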
    
  • lib/sub-process.ts (+2 −0, modified)
    @@ -1,6 +1,7 @@
     import * as childProcess from 'child_process';
     import * as treeKill from 'tree-kill';
     import * as debugModule from 'debug';
    +import { quoteAll } from 'shescape';
     
     // To enable debugging output, run the CLI as `DEBUG=snyk-sbt-plugin snyk ...`
     const debugLogging = debugModule('snyk-sbt-plugin');
    @@ -18,6 +19,7 @@ export const execute = (
       if (options && options.cwd) {
         spawnOptions.cwd = options.cwd;
       }
    +  args = quoteAll(args, spawnOptions);
     
       return new Promise((resolve, reject) => {
         const out = {
    
  • package.json (+1 −0, modified)
    @@ -44,6 +44,7 @@
       "dependencies": {
         "debug": "^4.1.1",
         "semver": "^6.1.2",
    +    "shescape": "1.6.1",
         "tmp": "^0.1.0",
         "tree-kill": "^1.2.2",
         "tslib": "^1.10.0"
    
  • .snyk (+10 −0, added)
    @@ -0,0 +1,10 @@
    +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
    +version: v1.19.0
    +# ignores vulnerabilities until expiry date; change duration by modifying expiry date
    +ignore:
    +  'snyk:lic:npm:shescape:MPL-2.0':
    +    - '*':
    +        reason: None Given
    +        expires: 2122-12-29T08:01:32.423Z
    +        created: 2022-11-29T08:01:32.424Z
    +patch: {}
    
  • test/functional/sbt-plugin.test.ts (+7 −7, modified)
    @@ -7,7 +7,7 @@ test('check build args with array not coursier', (t) => {
         '-Pjaxen',
       ], false);
       t.deepEqual(result, [
    -    '"-Dsbt.log.noformat=true\"',
    +    '-Dsbt.log.noformat=true',
         '-Paxis',
         '-Pjaxen',
         'dependencyTree',
    @@ -18,7 +18,7 @@ test('check build args with array not coursier', (t) => {
     test('check build args with string not coursie', (t) => {
       const result = plugin.buildArgs('-Paxis -Pjaxen', false);
       t.deepEqual(result, [
    -    '"-Dsbt.log.noformat=true\"',
    +    '-Dsbt.log.noformat=true',
         '-Paxis -Pjaxen',
         'dependencyTree',
       ]);
    @@ -31,7 +31,7 @@ test('check build args with array for coursier', (t) => {
         '-Pjaxen',
       ], true);
       t.deepEqual(result, [
    -    '"-Dsbt.log.noformat=true\"',
    +    '-Dsbt.log.noformat=true',
         '-Paxis',
         '-Pjaxen',
         'coursierDependencyTree',
    @@ -42,7 +42,7 @@ test('check build args with array for coursier', (t) => {
     test('check build args with string for coursier', (t) => {
       const result = plugin.buildArgs('-Paxis -Pjaxen', true);
       t.deepEqual(result, [
    -    '"-Dsbt.log.noformat=true\"',
    +    '-Dsbt.log.noformat=true',
         '-Paxis -Pjaxen',
         'coursierDependencyTree',
       ]);
    @@ -52,7 +52,7 @@ test('check build args with string for coursier', (t) => {
     test('check build args with string for snykRenderTree', (t) => {
       const result = plugin.buildArgs('-Paxis -Pjaxen', false, true);
       t.deepEqual(result, [
    -    '"-Dsbt.log.noformat=true\"',
    +    '-Dsbt.log.noformat=true',
         '-Paxis -Pjaxen',
         'snykRenderTree',
       ]);
    @@ -62,7 +62,7 @@ test('check build args with string for snykRenderTree', (t) => {
     test('check build args with string for coursier and not snykRenderTree', (t) => {
       const result = plugin.buildArgs('-Paxis -Pjaxen', true, false);
       t.deepEqual(result, [
    -    '"-Dsbt.log.noformat=true\"',
    +    '-Dsbt.log.noformat=true',
         '-Paxis -Pjaxen',
         'coursierDependencyTree',
       ]);
    @@ -72,7 +72,7 @@ test('check build args with string for coursier and not snykRenderTree', (t) =>
     test('check build args with string for not coursier and not snykRenderTree', (t) => {
       const result = plugin.buildArgs('-Paxis -Pjaxen', false, false);
       t.deepEqual(result, [
    -    '"-Dsbt.log.noformat=true\"',
    +    '-Dsbt.log.noformat=true',
         '-Paxis -Pjaxen',
         'dependencyTree',
       ]);
    
bb1c1c72a75e

fix: escape child process arguments

https://github.com/snyk/snyk-gradle-plugin · Jas Kuner · Nov 14, 2022 · via ghsa
5 files changed · +39 −41
  • lib/index.ts (+12 −27, modified)
    @@ -37,9 +37,6 @@ export function debugLog(s: string) {
       logger(s);
     }
     
    -const isWin = /^win/.test(os.platform());
    -const quot = isWin ? '"' : "'";
    -
     const cannotResolveVariantMarkers = [
       'Cannot choose between the following',
       'Could not select value from candidates',
    @@ -115,6 +112,7 @@ export async function inspect(
       let subProject = (options as api.SingleSubprojectInspectOptions).subProject;
       if (subProject) {
         subProject = subProject.trim();
    +    (options as api.SingleSubprojectInspectOptions).subProject = subProject;
       }
       const plugin: api.PluginMetadata = {
         name: 'bundled:gradle',
    @@ -671,13 +669,6 @@ function getCommand(root: string, targetFile: string) {
       return 'gradle';
     }
     
    -export function formatArgWithWhiteSpace(arg: string): string {
    -  if (/\s/.test(arg)) {
    -    return quot + arg + quot;
    -  }
    -  return arg;
    -}
    -
     function buildArgs(
       root: string,
       targetFile: string | null,
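Review bot: `formatArgWithWhiteSpace` was exported, so removing it is a breaking change for anything that imported it, including the `exportsForTests` object later in this file if it listed the function. Check that the remaining changed files drop every reference, and call the removal out in the release notes so downstream users of the plugin API are not surprised.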
    @@ -692,31 +683,25 @@ function buildArgs(
       args.push(taskName, '-q');
     
       if (targetFile) {
    -    if (!fs.existsSync(path.resolve(root, targetFile))) {
    -      throw new Error('File not found: "' + targetFile + '"');
    +    const resolvedTargetFilePath = path.resolve(root, targetFile);
    +    if (!fs.existsSync(resolvedTargetFilePath)) {
    +      throw new Error('File not found: "' + resolvedTargetFilePath + '"');
         }
         args.push('--build-file');
     
    -    const formattedTargetFile = formatArgWithWhiteSpace(targetFile);
    -    args.push(formattedTargetFile);
    +    args.push(resolvedTargetFilePath);
       }
     
       // Arguments to init script are supplied as properties: https://stackoverflow.com/a/48370451
       if (options['configuration-matching']) {
    -    args.push(
    -      `-Pconfiguration=${quot}${options['configuration-matching']}${quot}`,
    -    );
    +    args.push(`-Pconfiguration=${options['configuration-matching']}`);
       }
       if (options['configuration-attributes']) {
    -    args.push(
    -      `-PconfAttr=${quot}${options['configuration-attributes']}${quot}`,
    -    );
    +    args.push(`-PconfAttr=${options['configuration-attributes']}`);
       }
     
       if (options.initScript) {
    -    const formattedInitScript = formatArgWithWhiteSpace(
    -      path.resolve(options.initScript),
    -    );
    +    const formattedInitScript = path.resolve(options.initScript);
         args.push('--init-script', formattedInitScript);
       }
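Review bot: `-Pconfiguration=` and `-PconfAttr=` now carry the user-supplied value without any wrapping, so safety rests entirely on `execute()` quoting every element of `args` before spawning with `shell: true`; if any caller ever reaches `childProcess.spawn` through another path, these values would be shell-interpreted again. Two smaller points: the error message now prints the resolved absolute path rather than what the user typed, which is better for debugging but changes observable output, and `path.resolve(options.initScript)` resolves against the process cwd, not `root`, which may not be what a user passing a relative `--init-script` expects.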
     
    @@ -738,7 +723,7 @@ function buildArgs(
         args.push('-PonlySubProject=' + (options.subProject || '.'));
       }
     
    -  args.push('-I ' + initGradlePath);
    +  args.push('-I', initGradlePath);
     
       if (options.args) {
         args.push(...options.args);
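Review bot: splitting `'-I ' + initGradlePath` into `'-I', initGradlePath` is required rather than cosmetic: once `quoteAll` quotes each element, the old single string would reach Gradle as one quoted token (`'-I /tmp/init.gradle'`) that it cannot parse as a flag plus value. The same reasoning applies to any other flag in this file that is still built as `"flag value"` in one string.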
    @@ -751,16 +736,16 @@ function buildArgs(
         // Transform --configuration=foo
         args[i] = a.replace(
           /^--configuration[= ]([a-zA-Z_]+)/,
    -      `-Pconfiguration=${quot}^$1$$${quot}`,
    +      `-Pconfiguration=^$1$$`,
         );
         // Transform --configuration foo
         if (a === '--configuration') {
    -      args[i] = `-Pconfiguration=${quot}^${args[i + 1]}$${quot}`;
    +      args[i] = `-Pconfiguration=^${args[i + 1]}$`;
           args[i + 1] = '';
         }
       });
     
    -  return args;
    +  return args.filter(Boolean);
     }
     
     export const exportsForTests = {
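Review bot: `args.filter(Boolean)` removes the `''` placeholder left by the `--configuration foo` rewrite, but it also silently drops any legitimately empty string a user passed through `options.args`. If that is not intended, splice out only index `i + 1` instead. Separately, `args[i + 1]` is read without a bounds check, so a trailing `--configuration` with no value produces `-Pconfiguration=^undefined$`; a guard that throws a clear error would be better.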
    
  • lib/sub-process.ts +2 -0 modified
    @@ -1,5 +1,6 @@
     import * as childProcess from 'child_process';
     import debugModule = require('debug');
    +import { quoteAll } from 'shescape';
     
     const debugLogging = debugModule('snyk-gradle-plugin');
     
    @@ -14,6 +15,7 @@ export function execute(
       if (options && options.cwd) {
         spawnOptions.cwd = options.cwd;
       }
    +  args = quoteAll(args, spawnOptions);
     
       return new Promise((resolve, reject) => {
         let stdout = '';
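Review bot: `quoteAll(args, spawnOptions)` must see the same `shell` setting that `spawn` will use. It works here because `spawnOptions.shell` is `true`, so shescape quotes for the platform default shell; if someone later sets `shell` to a specific shell string or removes it, the quoting and the interpreter can silently diverge, so a comment tying the two together is worth adding. Also, if `args` can be `undefined` at this call site, `quoteAll` will throw; the snyk-docker-plugin commit on this page makes the parameter required for that reason, and the same is advisable here. Finally, quoting neutralises shell metacharacters in values; it does not stop a caller-controlled value from being interpreted by Gradle as a flag (for example via `options.args` or `--init-script`), which remains a separate argument-handling concern.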
    
  • package.json +1 -0 modified
    @@ -51,6 +51,7 @@
         "debug": "^4.1.1",
         "p-map": "^4.0.0",
         "packageurl-js": "^1.0.0",
    +    "shescape": "1.6.1",
         "tmp": "0.2.1",
         "tslib": "^2.0.0"
       },
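Review bot: pinning `shescape` to exactly `1.6.1` (no caret) is sensible for a security-critical quoting dependency, but the lockfile must be updated in the same change, and someone needs to own reviewing shescape releases, since a fixed pin will not pick up fixes to its escaping rules.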
    
  • .snyk +10 -0 added
    @@ -0,0 +1,10 @@
    +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
    +version: v1.25.0
    +# ignores vulnerabilities until expiry date; change duration by modifying expiry date
    +ignore:
    +  'snyk:lic:npm:shescape:MPL-2.0':
    +    - '*':
    +        reason: Snyk CLI handles MPL-2.0 by appending dependency to snyk --about
    +        expires: 2122-12-14T13:33:15.042Z
    +        created: 2022-11-14T13:33:15.045Z
    +patch: {}
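Review bot: this is a license-policy exception for shescape's MPL-2.0, not a vulnerability ignore, and the reason is recorded, which is good. The 2122 expiry makes it effectively permanent; a shorter expiry would force the decision to be revisited when the dependency or its license changes.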
    
  • test/functional/gradle-plugin.spec.ts +14 -14 modified
    @@ -1,8 +1,4 @@
     import { exportsForTests as testableMethods } from '../../lib';
    -import * as os from 'os';
    -
    -const isWin = /^win/.test(os.platform());
    -const quot = isWin ? '"' : "'";
     
     const JEST_TIMEOUT = 15000;
     
    @@ -16,7 +12,8 @@ describe('Gradle Plugin', () => {
           '-Dorg.gradle.parallel=',
           '-Dorg.gradle.console=plain',
           '-PonlySubProject=.',
    -      '-I /tmp/init.gradle',
    +      '-I',
    +      '/tmp/init.gradle',
         ]);
       });
     
    @@ -28,12 +25,13 @@ describe('Gradle Plugin', () => {
         expect(result).toEqual([
           'snykResolvedDepsJson',
           '-q',
    -      `-Pconfiguration=${quot}confRegex${quot}`,
    +      `-Pconfiguration=confRegex`,
           '--no-daemon',
           '-Dorg.gradle.parallel=',
           '-Dorg.gradle.console=plain',
           '-PonlySubProject=.',
    -      '-I /tmp/init.gradle',
    +      '-I',
    +      '/tmp/init.gradle',
           '--build-file',
           'build.gradle',
         ]);
    @@ -48,11 +46,12 @@ describe('Gradle Plugin', () => {
         expect(result).toEqual([
           'snykResolvedDepsJson',
           '-q',
    -      `-Pconfiguration=${quot}confRegex${quot}`,
    +      `-Pconfiguration=confRegex`,
           '-Dorg.gradle.parallel=',
           '-Dorg.gradle.console=plain',
           '-PonlySubProject=.',
    -      '-I /tmp/init.gradle',
    +      '-I',
    +      '/tmp/init.gradle',
           '--build-file',
           'build.gradle',
         ]);
    @@ -69,10 +68,11 @@ describe('Gradle Plugin', () => {
           '-Dorg.gradle.parallel=',
           '-Dorg.gradle.console=plain',
           '-PonlySubProject=.',
    -      '-I /tmp/init.gradle',
    +      '-I',
    +      '/tmp/init.gradle',
           '--build-file',
           'build.gradle',
    -      `-Pconfiguration=${quot}^compile$${quot}`,
    +      `-Pconfiguration=^compile$`,
         ]);
       });
     
    @@ -89,11 +89,11 @@ describe('Gradle Plugin', () => {
             '--no-daemon',
             '-Dorg.gradle.parallel=',
             '-Dorg.gradle.console=plain',
    -        '-I /tmp/init.gradle',
    +        '-I',
    +        '/tmp/init.gradle',
             '--build-file',
             'build.gradle',
    -        `-Pconfiguration=${quot}^compile$${quot}`,
    -        '', // this is a harmless artifact of argument transformation
    +        `-Pconfiguration=^compile$`,
           ]);
         },
         JEST_TIMEOUT,
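Review bot: removing the `''` line from the expectation matches the new `filter(Boolean)` in `buildArgs`, and dropping `isWin`/`quot` makes these expectations platform-independent, which is correct now that `buildArgs` no longer quotes. What is missing is a regression test for the quoting path itself: these tests only check the unquoted `buildArgs` output, so nothing exercises `execute()` with an argument containing whitespace or a shell metacharacter. A test that runs `execute` with such a value and checks the child received it as a single literal argument would guard against a repeat of the original issue.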
    
d730d7630691

fix: quote spawn args

https://github.com/snyk/snyk-docker-plugin · Shaun Smith · Oct 21, 2022 · via ghsa
4 files changed · +15 -6
  • lib/docker.ts +3 -3 modified
    @@ -55,12 +55,12 @@ class Docker {
         targetImage: string,
         options?: DockerOptions,
       ): Promise<subProcess.CmdOutput> {
    -    const opts: string[] = ["pull", targetImage];
    +    const args: string[] = ["pull", targetImage];
         if (options?.platform) {
    -      opts.push(`--platform=${options.platform}`);
    +      args.push(`--platform=${options.platform}`);
         }
     
    -    return subProcess.execute("docker", opts);
    +    return subProcess.execute("docker", args);
       }
     
       public async save(targetImage: string, destination: string) {
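Review bot: the `opts` to `args` rename is cosmetic; what matters is that `--platform=${options.platform}` and `targetImage` are still caller-supplied values embedded unquoted, now relying on `execute()` to quote them before the shell sees them. Quoting prevents shell injection but not an arbitrary string being handed to `docker pull`, so validating `platform` against the `os/arch[/variant]` shape Docker expects is a cheap additional check.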
    
  • lib/sub-process.ts +3 -1 modified
    @@ -1,4 +1,5 @@
     import * as childProcess from "child_process";
    +import { quoteAll } from "shescape";
     
     export { execute, CmdOutput };
     interface CmdOutput {
    @@ -8,13 +9,14 @@ interface CmdOutput {
     
     function execute(
       command: string,
    -  args?: string[],
    +  args: string[],
       options?,
     ): Promise<CmdOutput> {
       const spawnOptions: any = { shell: true };
       if (options && options.cwd) {
         spawnOptions.cwd = options.cwd;
       }
    +  args = quoteAll(args, spawnOptions);
     
       return new Promise((resolve, reject) => {
         let stdout = "";
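Review bot: making `args` required (`args: string[]`) is needed because `quoteAll(undefined)` would throw at runtime; verify every caller passes an array, and consider typing `options` as well rather than leaving it an implicit `any`. As in the gradle plugin, `quoteAll(args, spawnOptions)` and the later `spawn(..., spawnOptions)` must keep sharing the same `shell` setting, so a comment or a single helper that builds both would prevent the two from drifting apart.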
    
  • package.json +1 -0 modified
    @@ -44,6 +44,7 @@
         "gunzip-maybe": "^1.4.2",
         "mkdirp": "^1.0.4",
         "semver": "^7.3.4",
    +    "shescape": "1.6.1",
         "snyk-nodejs-lockfile-parser": "1.40.0",
         "snyk-poetry-lockfile-parser": "^1.1.7",
         "tar-stream": "^2.1.0",
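Review bot: same exact pin as in snyk-gradle-plugin; keep both plugins on the same shescape version so quoting behaviour is consistent across the CLI's plugins, and update this package's lockfile alongside.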
    
  • .snyk +8 -2 modified
    @@ -1,4 +1,10 @@
     # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
    -version: v1.7.1
    -ignore: {}
    +version: v1.25.0
    +# ignores vulnerabilities until expiry date; change duration by modifying expiry date
    +ignore:
    +  'snyk:lic:npm:shescape:MPL-2.0':
    +    - '*':
    +        reason: None Given
    +        expires: 2122-12-29T08:08:41.608Z
    +        created: 2022-11-29T08:08:41.611Z
     patch: {}
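Review bot: `reason: None Given` should record why the MPL-2.0 license is acceptable; the gradle plugin's policy in the earlier commit states that the CLI handles MPL-2.0 by listing the dependency in `snyk --about`, and the same wording fits here. A policy exception with a 100-year expiry and no reason will confuse a future audit.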
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
