coveo-search-ui
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:patch-package | AI (phantom-deps): phantom-dep rules cannot auto-block per policy; flagged in rationale instead. | ai | |
| source-diff | obfuscated-file:bin/js/AdvancedSearch.min__68495910d636fb25ab11.js | AI (source-diff): Coveo webpack minified build artifacts; consistent with legitimate UI framework build output. | ai | |
| source-diff | net-exec-file:bin/js/Badge__77bc49e2a0599a34d1cd.js | AI (source-diff): Webpack bundle with network calls is standard for a search UI framework; no actual dropper behavior in sample. | ai | |
| phantom-deps | phantom-dep:xregexp | AI (phantom-deps): xregexp is a legitimate regex library bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| phantom-deps | phantom-dep:d3-scale | AI (phantom-deps): d3-scale is a legitimate d3 sub-module bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| phantom-deps | phantom-dep:dompurify | AI (phantom-deps): dompurify is a legitimate HTML sanitization library bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| phantom-deps | phantom-dep:modal-box | AI (phantom-deps): modal-box is bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| phantom-deps | phantom-dep:popper.js | AI (phantom-deps): popper.js is a legitimate tooltip/popover library bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| phantom-deps | phantom-dep:d3 | AI (phantom-deps): coveo-search-ui bundles dependencies via webpack into pre-built output; d3 is a legitimate charting library bundled at build time, not imported via ES module syntax. | ai | |
| phantom-deps | phantom-dep:jstimezonedetect | AI (phantom-deps): jstimezonedetect is a legitimate timezone detection library bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| phantom-deps | phantom-dep:exponential-backoff | AI (phantom-deps): exponential-backoff is a legitimate retry utility bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval usage is in bin/docgen/assets/js/main.js, a bundled documentation asset (jQuery/template engine), not the main library runtime. Stable false positive for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() usage is in bin/docgen/assets/js/main.js, a bundled documentation asset. Standard pattern in template engines; not in the main library runtime. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in gulpTasks/buildUtilities.js, a build tool file. Standard pattern for gulp-based build systems; not executed at install or runtime. | ai | |
| phantom-deps | phantom-dep:coveo.analytics | AI (phantom-deps): coveo.analytics is Coveo's own analytics library bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
| phantom-deps | phantom-dep:moment | AI (phantom-deps): moment is a legitimate date library bundled into the pre-built output by webpack; phantom-dep fires because source uses bundled rather than ES module imports. | ai | |
| phantom-deps | phantom-dep:pikaday | AI (phantom-deps): pikaday is a legitimate datepicker bundled into the pre-built output; phantom-dep is a false positive for this bundled UI framework. | ai | |
v2.10125.2
11 findings
- Phantom dependency (10 findings): declared in package.json dependencies but never imported in source code. A dependency that nothing imports can exist solely to run install scripts or to pull malicious transitive packages into every install; this was the exact attack vector in the axios compromise (plain-crypto-js). For this package the hits are dependencies that webpack inlines into the pre-built output, which the rule's ES-module import detection does not see; the individual dependencies are listed under Accepted risks above.
- Published via CI/CD with a Sigstore attestation (predicate type: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal: the registry tarball is tied to a build of the source repository on a public CI system. After installing, `npm audit signatures` (npm 9.5 or later) verifies the registry signatures and provenance attestations of the installed packages.
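As an added example, not the scanner's rule implementation and not code from coveo-search-ui, the check below reproduces the phantom-dependency heuristic on constructed input: it diffs package.json dependencies against the packages referenced by ES-module imports, CommonJS `require()` and dynamic `import()`, then inspects each unreferenced dependency's own manifest for install-time lifecycle scripts, which are what turn an unused dependency into a code-execution vector. The `staticImportsOnly` option mirrors a rule that only recognises `import ... from`, which is the false-positive class accepted above for a package that consumes its dependencies through a pre-built bundle. All package names, manifests and source files here are constructed for the example; the built-in module list is abbreviated.

```javascript
// Constructed package.json of a hypothetical package (not coveo-search-ui's manifest).
const MANIFEST = {
  name: "example-ui",
  dependencies: {
    moment: "^2.29.4",
    dompurify: "^3.1.0",
    "d3-scale": "^4.0.2",
    "@scope/widgets": "1.0.0",
    "unused-util": "2.0.0",
    "suspicious-helper": "0.1.0",
  },
};

// Constructed source files: four dependencies are used, two are never referenced.
const SOURCES = {
  "src/DateUtils.ts": "import moment from 'moment';\nexport const now = () => moment().toISOString();",
  "src/Sanitize.js": "const DOMPurify = require('dompurify');\nmodule.exports = (html) => DOMPurify.sanitize(html);",
  "src/Chart.ts": "import { Widget } from '@scope/widgets/lib/widget';\nimport { join } from 'path';\nimport * as fs from 'node:fs';\nimport './styles.css';",
  "src/Lazy.ts": "export const scale = () => import('d3-scale');",
};

// Constructed manifests of the declared-but-unused packages, as they would be
// fetched from the registry. One of them carries a postinstall hook.
const DEP_MANIFESTS = {
  "unused-util": { name: "unused-util", version: "2.0.0" },
  "suspicious-helper": { name: "suspicious-helper", version: "0.1.0", scripts: { postinstall: "node setup.js" } },
};

// Abbreviated list of Node built-ins; real code would use require('node:module').builtinModules.
const BUILTINS = new Set(["assert", "buffer", "child_process", "crypto", "events", "fs",
  "http", "https", "module", "os", "path", "stream", "url", "util", "zlib"]);

// Reduce an import specifier to the package it resolves to:
// '@scope/pkg/lib/x' -> '@scope/pkg', 'd3-scale/linear' -> 'd3-scale';
// relative paths, absolute paths and Node built-ins -> null.
function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/") || specifier.startsWith("node:")) return null;
  const parts = specifier.split("/");
  const name = specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return BUILTINS.has(name) ? null : name;
}

const STATIC_IMPORT = /\b(?:import|export)\s+(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]/g;
const REQUIRE_CALL = /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
const DYNAMIC_IMPORT = /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

// Collect every package the sources reference. With staticImportsOnly the scan
// behaves like a rule that only understands `import ... from`, so CommonJS and
// dynamic-import usage becomes invisible and shows up as a false phantom.
function referencedPackages(sources, { staticImportsOnly = false } = {}) {
  const patterns = staticImportsOnly ? [STATIC_IMPORT] : [STATIC_IMPORT, REQUIRE_CALL, DYNAMIC_IMPORT];
  const found = new Set();
  for (const code of Object.values(sources)) {
    for (const re of patterns) {
      for (const m of code.matchAll(re)) {
        const name = packageNameOf(m[1]);
        if (name) found.add(name);
      }
    }
  }
  return found;
}

// Dependencies declared in package.json that no source file references, sorted by name.
function findPhantomDeps(manifest, sources, options) {
  const used = referencedPackages(sources, options);
  return Object.keys(manifest.dependencies || {}).filter((dep) => !used.has(dep)).sort();
}

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Lifecycle scripts a dependency runs during `npm install`.
function installScriptsOf(depManifest) {
  const scripts = (depManifest && depManifest.scripts) || {};
  return LIFECYCLE_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Triage: for each phantom dependency, report which install hooks it would run.
function triagePhantomDeps(manifest, sources, depManifests) {
  return findPhantomDeps(manifest, sources).map((name) => ({
    name,
    installScripts: installScriptsOf(depManifests[name]),
  }));
}

console.log("full scan  :", findPhantomDeps(MANIFEST, SOURCES));
console.log("static only:", findPhantomDeps(MANIFEST, SOURCES, { staticImportsOnly: true }));
console.log("triage     :", triagePhantomDeps(MANIFEST, SOURCES, DEP_MANIFESTS));
```

The full scan reports two phantom dependencies, of which only `suspicious-helper` carries an install hook; the static-only scan reports four, and the two extra hits (`dompurify` via `require()`, `d3-scale` via dynamic `import()`) are exactly the kind of finding a reviewer should confirm by hand, by grepping the source or the built bundle for the package, before accepting it.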
v2.10113.0
12 findings
- Phantom dependency (11 findings): declared in package.json dependencies but never imported in source code, with the same rationale and the same accepted-risk caveat as the phantom-dependency findings for v2.10125.2 above.
- Published without Sigstore provenance: no attestation ties this tarball to a CI build of the source repository, so its contents can only be trusted on the strength of the publishing account. Only ~12% of npm packages ship provenance, so this is common, but it is a weaker integrity signal than the attested v2.10125.2 release above.