Closed wesley-dean-gsa closed 1 month ago
Results of trivy linter (version 0.53.0)
See documentation on https://megalinter.io/7.13.0/descriptors/repository_trivy/
-----------------------------------------------
❌ [ERROR] for workspace /tmp/lint
Linter raw log:
2024-07-10T15:57:45Z INFO Need to update DB
2024-07-10T15:57:45Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-10T15:57:52Z INFO Vulnerability scanning is enabled
2024-07-10T15:57:52Z INFO Misconfiguration scanning is enabled
2024-07-10T15:57:52Z INFO Need to update the built-in policies
2024-07-10T15:57:52Z INFO Downloading the built-in policies...
2024-07-10T15:57:55Z INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
2024-07-10T15:57:56Z INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-07-10T15:57:56Z INFO Number of language-specific files num=1
2024-07-10T15:57:56Z INFO [npm] Detecting vulnerabilities...
2024-07-10T15:57:56Z INFO Detected config files num=0
package-lock.json (npm)
=======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌─────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ trim    │ CVE-2020-7753 │ HIGH     │ fixed  │ 0.0.1             │ 0.0.3         │ nodejs-trim: Regular Expression Denial of Service (ReDoS) in │
│         │               │          │        │                   │               │ trim function                                                │
│         │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-7753                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
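To show why the single finding above is rated HIGH, here is an added example (not code from this issue, from the repository, or from the `trim` package) that reproduces the ReDoS class described in CVE-2020-7753 and contrasts it with a linear-time trim. The regex `/^\s*|\s*$/g` is the pattern I believe `trim` 0.0.1 used; treat that as an assumption. `safeTrim`, `pathological` and `timeTrim` are names chosen for this example, and `safeTrim` is my own replacement, not the upstream 0.0.3 fix.

```javascript
// Added example for CVE-2020-7753 (ReDoS in the "trim" npm package).
// Not code from the issue or from the trim package. The regex below is the
// pattern I believe trim 0.0.1 used (assumption); safeTrim is my own linear
// replacement, not the upstream 0.0.3 fix.

// Vulnerable pattern: "\s*$" is retried at every whitespace position. On a long
// run of whitespace followed by a non-whitespace character, the engine matches
// the whole run, fails at "$", backtracks one character at a time, then moves
// the start forward by one and repeats: O(n^2) in the length of the run.
function unsafeTrim(str) {
  return str.replace(/^\s*|\s*$/g, "");
}

// Linear replacement: scan inward from both ends, testing one character at a
// time against \s (the same character class the regex uses, so results match).
function safeTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed pathological input: the leading "a" stops "^\s*" from consuming
// the whitespace run in one match; the trailing "b" makes "\s*$" fail at every
// offset inside the run. Trimming it must return it unchanged.
function pathological(n) {
  return "a" + " ".repeat(n) + "b";
}

// Wall-clock cost of one call in milliseconds.
function timeTrim(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Both implementations agree with each other and with String.prototype.trim.
function agree(str) {
  return unsafeTrim(str) === safeTrim(str) && safeTrim(str) === str.trim();
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of ["  hello world  ", "\t\n x \u00a0", "", "   ", "nospace"]) {
    console.log(JSON.stringify(s), "->", JSON.stringify(safeTrim(s)),
      agree(s) ? "(agree)" : "(MISMATCH)");
  }
  // Doubling n roughly quadruples the regex time; the scan stays flat.
  for (const n of [5000, 10000, 20000]) {
    const input = pathological(n);
    console.log(`n=${n}: regex ${timeTrim(unsafeTrim, input).toFixed(1)} ms, ` +
      `scan ${timeTrim(safeTrim, input).toFixed(1)} ms`);
  }
}
```

Run it with `node` and compare the two timing columns as `n` doubles. The point for this issue is that the input only needs a long run of whitespace somewhere before a non-whitespace character, which any user-controlled string can carry; the fix the scanner asks for is the dependency bump to 0.0.3 shown in the table, and the scan above is just a way to see the failure mode without that package.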
Needs #100 (PR #102) first so we can verify builds still work after updating the dependencies.
A bunch of these are likely to be updated by Dependabot when #96 (PR #97) is done.
An incorrect comment was added to this ticket saying that it could be closed out as all of the GHA dependencies were hash-pinned. That statement was meant for #94, not this issue.
When #140 is merged, we can run `npm audit fix` to bring the Node dependencies up to date.