CVE-2021-3807 & CVE-2021-3918 #1212
Comments
We already have yarn resolutions for these in the main Unleash repo. I think a simple way to solve this for the docker distribution is to simply use yarn instead of npm as part of the docker distribution.
A new version has been released and the mentioned dependencies should be pinned at the correct version. Do you mind validating v4.4.5 @erzz ?
Hi again, I have installed Trivy myself, and I still find the two vulnerabilities. I have investigated further and I can confirm that Unleash itself requires I thus investigated a bit further, and discovered that these dependencies are coming through the npm module directly as part of You can verify this by simply scanning the alpine image directly:
➜ ~ trivy image node:14-alpine
2022-01-04T22:16:25.447+0100 INFO Detected OS: alpine
2022-01-04T22:16:25.447+0100 INFO Detecting Alpine vulnerabilities...
2022-01-04T22:16:25.447+0100 INFO Number of language-specific files: 1
2022-01-04T22:16:25.447+0100 INFO Detecting node-pkg vulnerabilities...
node:14-alpine (alpine 3.15.0)
==============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex | CVE-2021-3807 | HIGH | 3.0.0 | 5.0.1, 6.0.1 | nodejs-ansi-regex: Regular |
| | | | | | expression denial of service |
| | | | | | (ReDoS) matching ANSI escape codes |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3807 |
+ + + +-------------------+ + +
| | | | 4.1.0 | | |
| | | | | | |
| | | | | | |
| | | | | | |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918 | CRITICAL | 0.2.3 | 0.4.0 | nodejs-json-schema: Prototype |
| | | | | | pollution vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
I am not quite sure what to do about it. We could possibly manually upgrade npm as part of the install process.
Seems to be fixed as part of node 16:
Hey there. I'm in the same team as @erzz. After upgrading to As you mentioned this appears to be a lingering issue in npm (source, source). I suppose we just need to wait.
As this is not part of the running unleash artifact, and npm is only used as part of our build, I will assume the attack surface is limited (if present at all?). We could consider upgrading npm as part of the build steps in the Dockerfile, but it feels a bit unnecessary.
Agreed that the attack surface is likely minimal... Can test upgrading npm on our side too as we build an image based on yours.
We remove the local npm folder as part of the newest unleash-server release (v4.6.1). No more issues:
➜ ~ trivy image unleashorg/unleash-server:4.6.1
2022-02-01T12:18:40.543+0100 INFO Detected OS: alpine
2022-02-01T12:18:40.543+0100 INFO Detecting Alpine vulnerabilities...
2022-02-01T12:18:40.544+0100 INFO Number of language-specific files: 1
2022-02-01T12:18:40.544+0100 INFO Detecting node-pkg vulnerabilities...
unleashorg/unleash-server:4.6.1 (alpine 3.15.0)
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Node.js (node-pkg)
==================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
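As an added example, not the project's own Dockerfile: a multi-stage build that keeps npm for the install step in a builder stage and ships a runtime stage from which the base image's bundled npm copy is removed, which is the approach the comment above describes. The bundled-npm path under /usr/local/lib/node_modules/npm, the package-lock.json, and the index.js entry point are assumptions about the image layout, not taken from the project.

```dockerfile
# Builder stage: npm is only needed here, to install the application's
# dependencies. Its own transitive packages (ansi-regex, json-schema)
# are what trivy reports under node-pkg for node:14-alpine.
FROM node:14-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --production
COPY . .

# Runtime stage: start again from the base image and copy in only the
# installed application, so the builder's npm usage leaves no trace.
FROM node:14-alpine
WORKDIR /app
COPY --from=builder /app /app

# Drop the npm copy bundled with the official node image (assumed
# location). The running service never invokes npm, so removing it
# removes the flagged packages from the scanned image without
# changing runtime behaviour. The npm/npx launchers are symlinks into
# that folder and are removed with it.
RUN rm -rf /usr/local/lib/node_modules/npm \
           /usr/local/bin/npm \
           /usr/local/bin/npx

# Run as the unprivileged user the node image already provides.
USER node
CMD ["node", "index.js"]
```

Re-scanning the resulting image with `trivy image --severity HIGH,CRITICAL <image>` should show no node-pkg findings, matching the 4.6.1 output above; upgrading npm inside the builder stage instead is the alternative the thread mentions, but it still leaves an npm copy in the runtime image unless it is removed as here.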
Any chance you guys can release a new docker image with the following dependency issues resolved?
(Trivy scan results for 4.4.4) 👇🏻