
Img scan failing in Tekton pipeline due to critical vulnerability in 'static-eval' #30

Closed
rubengmz opened this issue May 11, 2021 · 0 comments


@rubengmz

We have been using this template for quick demos for a while, but the Tekton pipeline isn't working now due to an image vulnerability related to static-eval.

static-eval

Looking into the package-lock.json we saw this is a dependency coming from ibm-cloud-env > jsonpath.

From the static-eval codebase (https://github.com/browserify/static-eval) we can also see there is a recent commit mentioning that it could cause security problems.

They have an issue open (browserify/static-eval#34) talking about the CVE being revoked, but it still happens two months later.

We tried to fix the dependency manually, but the problem is the CVE says all versions are vulnerable: https://avd.aquasec.com/nvd/cve-2021-23334/

Any workaround that we could use to sort this problem out? Not sure if you have more recent templates for Node.js or Angular projects.
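The reporter traced static-eval back through package-lock.json by hand (ibm-cloud-env > jsonpath). The script below, added here as an example and not part of the reporter's project or the template, automates that triage step for any flagged package: it reads an npm lockfileVersion 1 file (the nested "dependencies"/"requires" layout npm 6 wrote) and prints every chain from a direct dependency down to the flagged package, so you know which top-level dependency has to be replaced or pinned. The embedded lockfile is constructed, with placeholder versions and ranges.

```python
import json
from collections import defaultdict

# Constructed sample in npm lockfileVersion 1 layout. Package names mirror the
# chain from the issue; versions and ranges are placeholders, not real values.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "ibm-cloud-env": {"version": "0.0.0-placeholder",
                          "requires": {"jsonpath": "^0.0.0-placeholder"}},
        "jsonpath": {"version": "0.0.0-placeholder",
                     "requires": {"static-eval": "^0.0.0-placeholder"}},
        "static-eval": {"version": "0.0.0-placeholder"},
        "express": {"version": "0.0.0-placeholder"},
    },
})


def _reverse_edges(lock: dict) -> tuple[dict, set]:
    """Map each package to the packages whose 'requires' name it.

    Walks nested 'dependencies' too, since non-hoisted installs live there.
    Returns (requirer map, set of all installed package names).
    """
    requirers: dict = defaultdict(set)
    installed: set = set()

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            installed.add(name)
            for required in meta.get("requires", {}):
                requirers[required].add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return requirers, installed


def find_chains(lock_json: str, target: str) -> list:
    """All chains root-first from a direct dependency down to `target`.

    Returns [] if `target` is not installed at all, and [[target]] if it is
    a direct dependency that nothing else requires.
    """
    requirers, installed = _reverse_edges(json.loads(lock_json))
    if target not in installed:
        return []
    chains = []

    def climb(pkg: str, below: list) -> None:
        if pkg in below:          # cycle guard for circular requires
            return
        parents = requirers.get(pkg, set())
        if not parents:           # nothing requires it: a direct dependency
            chains.append([pkg, *below])
            return
        for parent in sorted(parents):
            climb(parent, [pkg, *below])

    climb(target, [])
    return chains


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_LOCK, "static-eval"):
        print(" > ".join(chain))
```

Point it at a real lock file with `find_chains(open("package-lock.json").read(), "static-eval")`; lockfileVersion 2 and 3 files carry a flat "packages" map instead and would need a different walker.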
