Closed ian-noaa closed 3 years ago
Alright. To get started on Mac you can do:
$ brew install aquasecurity/trivy/trivy
$ trivy image matsapps/production:precipitation24hr-4.1.2
2021-08-12T14:32:31.368-0500 INFO Detected OS: alpine
2021-08-12T14:32:31.368-0500 INFO Detecting Alpine vulnerabilities...
2021-08-12T14:32:31.373-0500 INFO Number of language-specific files: 0
matsapps/production:precipitation24hr-4.1.2 (alpine 3.12.0)
===========================================================
Total: 11 (UNKNOWN: 1, LOW: 0, MEDIUM: 7, HIGH: 3, CRITICAL: 0)
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools | CVE-2021-30139 | HIGH | 2.10.5-r1 | 2.10.6-r0 | In Alpine Linux apk-tools |
| | | | | | before 2.12.5, the tarball |
| | | | | | parser allows a buffer... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-30139 |
+ +------------------+----------+ +---------------+---------------------------------------+
| | CVE-2021-36159 | UNKNOWN | | 2.10.7-r0 | libfetch before 2021-07-26, as |
| | | | | | used in apk-tools, xbps, and |
| | | | | | other products, mishandles... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-36159 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| busybox | CVE-2021-28831 | HIGH | 1.31.1-r16 | 1.31.1-r20 | busybox: invalid free or segmentation |
| | | | | | fault via malformed gzip data |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| mariadb-common | CVE-2021-2372 | MEDIUM | 10.4.19-r0 | 10.4.21-r0 | mysql: InnoDB unspecified |
| | | | | | vulnerability (CPU Jul 2021) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-2372 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-2389 | | | | mysql: InnoDB unspecified |
| | | | | | vulnerability (CPU Jul 2021) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-2389 |
+------------------+------------------+ + + +---------------------------------------+
| mariadb-dev | CVE-2021-2372 | | | | mysql: InnoDB unspecified |
| | | | | | vulnerability (CPU Jul 2021) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-2372 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-2389 | | | | mysql: InnoDB unspecified |
| | | | | | vulnerability (CPU Jul 2021) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-2389 |
+------------------+------------------+ + + +---------------------------------------+
| mariadb-embedded | CVE-2021-2372 | | | | mysql: InnoDB unspecified |
| | | | | | vulnerability (CPU Jul 2021) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-2372 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-2389 | | | | mysql: InnoDB unspecified |
| | | | | | vulnerability (CPU Jul 2021) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-2389 |
+------------------+------------------+ +-------------------+---------------+---------------------------------------+
| musl-utils | CVE-2020-28928 | | 1.1.24-r8 | 1.1.24-r10 | In musl libc through 1.2.1, |
| | | | | | wcsnrtombs mishandles particular |
| | | | | | combinations of destination buffer... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-28928 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client | CVE-2021-28831 | HIGH | 1.31.1-r16 | 1.31.1-r20 | busybox: invalid free or segmentation |
| | | | | | fault via malformed gzip data |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-28831 |
+------------------+------------------+----------+-------------------+---------------+---------------------------------------+
Updating the base image we use to build our containers appears to resolve the container vulnerabilities. However, scanning the repo itself reveals some issues with the dependencies specified in our package-lock.json files.
$ trivy repo https://github.com/NOAA-GSL/MATS
2021-08-13T15:19:32.663-0500 INFO Number of language-specific files: 24
2021-08-13T15:19:32.664-0500 INFO Detecting npm vulnerabilities...
2021-08-13T15:19:32.695-0500 INFO Detecting yarn vulnerabilities...
appProductionStatus/package-lock.json (npm)
===========================================
Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 5, CRITICAL: 0)
+----------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| bcrypt | CVE-2020-7689 | HIGH | 1.0.3 | 5.0.0 | Integer Overflow or Wraparound |
| | | | | | and Use of a Broken or |
| | | | | | Risky Cryptographic... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7689 |
+----------+---------------------+ +-------------------+-----------------------------+----------------------------------------------+
| elliptic | CVE-2020-13822 | | 6.3.2 | 6.5.3 | nodejs-elliptic: improper encoding |
| | | | | | checks allows a certain degree |
| | | | | | of signature malleability in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-13822 |
+ +---------------------+----------+ +-----------------------------+----------------------------------------------+
| | CVE-2020-28498 | MEDIUM | | 6.5.4 | Use of a Broken or Risky |
| | | | | | Cryptographic Algorithm |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-28498 |
+----------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| ini | CVE-2020-7788 | HIGH | 1.3.5 | 1.3.6 | nodejs-ini: prototype pollution |
| | | | | | via malicious INI file |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7788 |
+----------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| minimist | CVE-2020-7598 | MEDIUM | 0.0.8 | 1.2.3, 0.2.1 | nodejs-minimist: prototype |
| | | | | | pollution allows adding |
| | | | | | or modifying properties of |
| | | | | | Object.prototype using a... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7598 |
+ +---------------------+ + +-----------------------------+----------------------------------------------+
| | GHSA-7fhm-mqm4-2wp7 | | | 1.2.2 | Withdrawn: ESLint dependencies are |
| | | | | | vulnerable (ReDoS and Prototype Pollution) |
| | | | | | -->github.com/advisories/GHSA-7fhm-mqm4-2wp7 |
+ +---------------------+ +-------------------+-----------------------------+----------------------------------------------+
| | CVE-2020-7598 | | 1.2.0 | 1.2.3, 0.2.1 | nodejs-minimist: prototype |
| | | | | | pollution allows adding |
| | | | | | or modifying properties of |
| | | | | | Object.prototype using a... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7598 |
+ +---------------------+ + +-----------------------------+----------------------------------------------+
| | GHSA-7fhm-mqm4-2wp7 | | | 1.2.2 | Withdrawn: ESLint dependencies are |
| | | | | | vulnerable (ReDoS and Prototype Pollution) |
| | | | | | -->github.com/advisories/GHSA-7fhm-mqm4-2wp7 |
+----------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| tar | CVE-2021-32803 | HIGH | 2.2.2 | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: extracting |
| | | | | | arbitrary allowing arbitrary |
| | | | | | file creation and overwrite |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32803 |
+ +---------------------+ + +-----------------------------+----------------------------------------------+
| | CVE-2021-32804 | | | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: arbitrary File |
| | | | | | Creation/Overwrite vulnerability |
| | | | | | via insufficient symlink protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32804 |
+----------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
apps/aircraft/package-lock.json (npm)
=====================================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 2, CRITICAL: 0)
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| acorn | GHSA-7fhm-mqm4-2wp7 | MEDIUM | 2.7.0 | 7.1.1, 6.4.1, 5.7.4 | Withdrawn: ESLint dependencies are |
| | | | | | vulnerable (ReDoS and Prototype Pollution) |
| | | | | | -->github.com/advisories/GHSA-7fhm-mqm4-2wp7 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| jquery | NSWG-ECO-328 | HIGH | 2.2.4 | >=3.0.0 | Cross-Site Scripting (XSS) |
+ +---------------------+----------+ +---------------------+----------------------------------------------+
| | CVE-2015-9251 | MEDIUM | | 3.0.0 | jquery: Cross-site scripting |
| | | | | | via cross-domain ajax requests |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-9251 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2016-10707 | | | | Exceeding Stack Call Limit DoS |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-10707 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2019-11358 | | | 3.4.0 | jquery: Prototype pollution in |
| | | | | | object's prototype leading to |
| | | | | | denial of service, remote... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11358 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2020-11022 | | | 3.5.0 | jquery: Cross-site |
| | | | | | scripting due to improper |
| | | | | | injQuery.htmlPrefilter method |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11022 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2020-11023 | | | | jquery: Passing HTML containing |
| | | | | | <option> elements to manipulation |
| | | | | | methods could result in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11023 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| jspdf | CVE-2021-23353 | HIGH | 1.4.1 | 2.3.1 | Regular Expression |
| | | | | | Denial of Service (ReDoS) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23353 |
+ +---------------------+----------+ +---------------------+----------------------------------------------+
| | CVE-2020-7690 | MEDIUM | | 2.0.0 | Cross-site scripting in jspdf |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7690 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2020-7691 | | | | Cross-site scripting in jspdf |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7691 |
+---------+---------------------+ +-------------------+---------------------+----------------------------------------------+
| xmldom | CVE-2021-21366 | | 0.1.27 | 0.5.0 | Misinterpretation of |
| | | | | | malicious XML input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21366 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2021-32796 | | | 0.7.0 | nodejs-xmldom: misinterpretation |
| | | | | | of malicious XML input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32796 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
apps/anomalycor/package-lock.json (npm)
=======================================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 2, CRITICAL: 0)
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| acorn | GHSA-7fhm-mqm4-2wp7 | MEDIUM | 2.7.0 | 7.1.1, 6.4.1, 5.7.4 | Withdrawn: ESLint dependencies are |
| | | | | | vulnerable (ReDoS and Prototype Pollution) |
| | | | | | -->github.com/advisories/GHSA-7fhm-mqm4-2wp7 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| jquery | NSWG-ECO-328 | HIGH | 2.2.4 | >=3.0.0 | Cross-Site Scripting (XSS) |
+ +---------------------+----------+ +---------------------+----------------------------------------------+
| | CVE-2015-9251 | MEDIUM | | 3.0.0 | jquery: Cross-site scripting |
| | | | | | via cross-domain ajax requests |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-9251 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2016-10707 | | | | Exceeding Stack Call Limit DoS |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-10707 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2019-11358 | | | 3.4.0 | jquery: Prototype pollution in |
| | | | | | object's prototype leading to |
| | | | | | denial of service, remote... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11358 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2020-11022 | | | 3.5.0 | jquery: Cross-site |
| | | | | | scripting due to improper |
| | | | | | injQuery.htmlPrefilter method |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11022 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2020-11023 | | | | jquery: Passing HTML containing |
| | | | | | <option> elements to manipulation |
| | | | | | methods could result in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11023 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| jspdf | CVE-2021-23353 | HIGH | 1.4.1 | 2.3.1 | Regular Expression |
| | | | | | Denial of Service (ReDoS) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23353 |
+ +---------------------+----------+ +---------------------+----------------------------------------------+
| | CVE-2020-7690 | MEDIUM | | 2.0.0 | Cross-site scripting in jspdf |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7690 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2020-7691 | | | | Cross-site scripting in jspdf |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7691 |
+---------+---------------------+ +-------------------+---------------------+----------------------------------------------+
| xmldom | CVE-2021-21366 | | 0.1.27 | 0.5.0 | Misinterpretation of |
| | | | | | malicious XML input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21366 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2021-32796 | | | 0.7.0 | nodejs-xmldom: misinterpretation |
| | | | | | of malicious XML input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32796 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
...etc...
tests/yarn.lock (yarn)
======================
Total: 25 (UNKNOWN: 0, LOW: 0, MEDIUM: 12, HIGH: 13, CRITICAL: 0)
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| axios | CVE-2020-28168 | MEDIUM | 0.19.2 | 0.21.1 | nodejs-axios: allows an attacker to |
| | | | | | bypass a proxy by providing a URL... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-28168 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| bl | CVE-2020-8244 | | 4.0.2 | 2.2.1, 1.2.3, 4.0.3, 3.0.1 | nodejs-bl: buffer over-read |
| | | | | | vulnerability leads to corrupted |
| | | | | | BufferList which can result in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-8244 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| browserslist | CVE-2021-23364 | | 4.13.0 | 4.16.5 | browserslist: parsing of |
| | | | | | invalid queries could result in |
| | | | | | Regular Expression Denial of... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23364 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| color-string | CVE-2021-29060 | | 1.5.3 | 1.5.5 | nodejs-color-string: Regular |
| | | | | | expression denial of service when |
| | | | | | the application is provided and... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-29060 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| ecstatic | CVE-2019-10775 | HIGH | 3.3.2 | 4.1.3 | Denial of Service in ecstatic |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-10775 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| glob-parent | CVE-2020-28469 | | 3.1.0 | 5.1.2 | nodejs-glob-parent: Regular |
| | | | | | expression denial of service |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-28469 |
+ + + +-------------------+ + +
| | | | 5.1.1 | | |
| | | | | | |
| | | | | | |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| hosted-git-info | CVE-2021-23362 | MEDIUM | 2.8.8 | 2.8.9, 3.0.8 | nodejs-hosted-git-info: Regular |
| | | | | | Expression denial of service |
| | | | | | via shortcutMatch in fromUrl() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23362 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| js-yaml | GHSA-8j8c-7jfh-h6hx | HIGH | 0.3.7 | 3.13.1 | Code Injection in js-yaml |
| | | | | | -->github.com/advisories/GHSA-8j8c-7jfh-h6hx |
+ +---------------------+----------+ +----------------------------+----------------------------------------------+
| | CVE-2013-4660 | MEDIUM | | 2.0.5 | Deserialization Code Execution |
| | | | | | -->avd.aquasec.com/nvd/cve-2013-4660 |
+ +---------------------+ + +----------------------------+----------------------------------------------+
| | GHSA-2pr6-76vf-7546 | | | 3.13.0 | Denial of Service in js-yaml |
| | | | | | -->github.com/advisories/GHSA-2pr6-76vf-7546 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| lodash | CVE-2021-23337 | HIGH | 4.17.19 | 4.17.21 | nodejs-lodash: command |
| | | | | | injection via template |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23337 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| node-notifier | CVE-2020-7789 | MEDIUM | 6.0.0 | 8.0.1 | nodejs-node-notifier: command |
| | | | | | injection due to the options |
| | | | | | params not being sanitised when... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7789 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| normalize-url | CVE-2021-33502 | HIGH | 4.5.0 | 4.5.1, 6.0.1, 5.3.1 | normalize-url: ReDoS for data URLs |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33502 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| path-parse | CVE-2021-23343 | | 1.0.6 | 1.0.7 | nodejs-path-parse: |
| | | | | | ReDoS via splitDeviceRe, |
| | | | | | splitTailRe and splitPathRe |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23343 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| timespan | CVE-2017-16115 | | 2.3.0 | | Regular Expression Denial |
| | | | | | of Service in timespan |
| | | | | | -->avd.aquasec.com/nvd/cve-2017-16115 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| ua-parser-js | CVE-2020-7733 | | 0.7.21 | 0.7.22 | nodejs-ua-parser-js: |
| | | | | | Regular expression denial |
| | | | | | of service via the regex |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7733 |
+ +---------------------+ + +----------------------------+----------------------------------------------+
| | CVE-2021-27292 | | | 0.7.24 | nodejs-ua-parser-js: ReDoS via |
| | | | | | malicious User-Agent header |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27292 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| uglify-js | CVE-2015-8857 | | 1.3.5 | 2.4.24 | Incorrect Handling of Non-Boolean |
| | | | | | Comparisons During Minification |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-8857 |
+ +---------------------+----------+ +----------------------------+----------------------------------------------+
| | CVE-2015-8858 | MEDIUM | | 2.6.0 | Regular Expression Denial of Service |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-8858 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| urijs | CVE-2021-27516 | HIGH | 1.19.2 | 1.19.6 | nodejs-urijs: mishandling certain |
| | | | | | uses of backslash may lead |
| | | | | | to confidentiality compromise |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-27516 |
+ +---------------------+----------+ +----------------------------+----------------------------------------------+
| | CVE-2020-26291 | MEDIUM | | 1.19.4 | urijs: Hostname spoofing |
| | | | | | via backslashes in URL |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-26291 |
+ +---------------------+ + +----------------------------+----------------------------------------------+
| | CVE-2021-3647 | | | 1.19.7 | Hostname spoofing via |
| | | | | | backslashes in URL |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3647 |
+-----------------+---------------------+ +-------------------+----------------------------+----------------------------------------------+
| ws | CVE-2021-32640 | | 7.3.1 | 5.2.3, 6.2.2, 7.4.6 | nodejs-ws: Specially crafted value |
| | | | | | of the `Sec-Websocket-Protocol` |
| | | | | | header can be used to... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32640 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
| y18n | CVE-2020-7774 | HIGH | 4.0.0 | 5.0.5, 4.0.1, 3.2.2 | nodejs-y18n: prototype |
| | | | | | pollution vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7774 |
+-----------------+---------------------+----------+-------------------+----------------------------+----------------------------------------------+
@randytpierce - I did a `meteor npm update` in the aircraft app to see what would be proposed and am getting the following diff for the package.json file.
diff --git a/apps/aircraft/package.json b/apps/aircraft/package.json
index 5855a53f6..e3eb2d277 100644
--- a/apps/aircraft/package.json
+++ b/apps/aircraft/package.json
@@ -5,18 +5,18 @@
"start": "meteor run"
},
"dependencies": {
- "@babel/runtime": "^7.14.6",
- "bootstrap": "^4.5.2",
- "chai": "^4.2.0",
+ "@babel/runtime": "^7.15.3",
+ "bootstrap": "^4.6.0",
+ "chai": "^4.3.4",
"downsample-lttb": "git+https://github.com/pingec/downsample-lttb.git",
"fibers": "^5.0.0",
- "fs-extra": "^7.0.0",
- "html2canvas": "^1.0.0-rc.7",
+ "fs-extra": "^7.0.1",
+ "html2canvas": "^1.3.0",
"jquery": "^2.2.4",
- "jspdf": "^1.4.1",
+ "jspdf": "^1.5.3",
"modules": "^0.4.0",
- "object-hash": "^1.3.0",
- "object-sizeof": "^1.2.0",
+ "object-hash": "^1.3.1",
+ "object-sizeof": "^1.6.1",
"popper.js": "^1.16.1",
"xmlbuilder": "^10.1.1"
}
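Review bot: every range in this hunk stays a caret range on the current major line, so `meteor npm update` cannot reach the fixed versions the scan above reports: jspdf only moves from `"jspdf": "^1.4.1"` to `"jspdf": "^1.5.3"` while the fix is 2.3.1, and `"jquery": "^2.2.4"` is left untouched while the fixes are >=3.0.0 / 3.5.0. Those two need an explicit major bump (e.g. installing `jspdf@^2.3.1` and `jquery@^3.5.0`, then re-testing the pages that depend on them); acorn and xmldom do not appear in this package.json at all, so they are presumably pulled in transitively and will only change when their parent dependency is bumped.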
Even with these updates, we're still getting some high severity vulnerabilities:
$ trivy fs ./apps/aircraft/
2021-08-13T16:49:04.291-0500 INFO Number of language-specific files: 1
2021-08-13T16:49:04.291-0500 INFO Detecting npm vulnerabilities...
package-lock.json (npm)
=======================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 10, HIGH: 2, CRITICAL: 0)
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| acorn | GHSA-7fhm-mqm4-2wp7 | MEDIUM | 2.7.0 | 7.1.1, 6.4.1, 5.7.4 | Withdrawn: ESLint dependencies are |
| | | | | | vulnerable (ReDoS and Prototype Pollution) |
| | | | | | -->github.com/advisories/GHSA-7fhm-mqm4-2wp7 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| jquery | NSWG-ECO-328 | HIGH | 2.2.4 | >=3.0.0 | Cross-Site Scripting (XSS) |
+ +---------------------+----------+ +---------------------+----------------------------------------------+
| | CVE-2015-9251 | MEDIUM | | 3.0.0 | jquery: Cross-site scripting |
| | | | | | via cross-domain ajax requests |
| | | | | | -->avd.aquasec.com/nvd/cve-2015-9251 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2016-10707 | | | | Exceeding Stack Call Limit DoS |
| | | | | | -->avd.aquasec.com/nvd/cve-2016-10707 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2019-11358 | | | 3.4.0 | jquery: Prototype pollution in |
| | | | | | object's prototype leading to |
| | | | | | denial of service, remote... |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-11358 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2020-11022 | | | 3.5.0 | jquery: Cross-site |
| | | | | | scripting due to improper |
| | | | | | injQuery.htmlPrefilter method |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11022 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2020-11023 | | | | jquery: Passing HTML containing |
| | | | | | <option> elements to manipulation |
| | | | | | methods could result in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-11023 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
| jspdf | CVE-2021-23353 | HIGH | 1.5.3 | 2.3.1 | Regular Expression |
| | | | | | Denial of Service (ReDoS) |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23353 |
+ +---------------------+----------+ +---------------------+----------------------------------------------+
| | CVE-2020-7690 | MEDIUM | | 2.0.0 | Cross-site scripting in jspdf |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7690 |
+ +---------------------+ + + +----------------------------------------------+
| | CVE-2020-7691 | | | | Cross-site scripting in jspdf |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7691 |
+---------+---------------------+ +-------------------+---------------------+----------------------------------------------+
| xmldom | CVE-2021-21366 | | 0.1.31 | 0.5.0 | Misinterpretation of |
| | | | | | malicious XML input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-21366 |
+ +---------------------+ + +---------------------+----------------------------------------------+
| | CVE-2021-32796 | | | 0.7.0 | nodejs-xmldom: misinterpretation |
| | | | | | of malicious XML input |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32796 |
+---------+---------------------+----------+-------------------+---------------------+----------------------------------------------+
Do you see any issues with upgrading Acorn to 7.1.1/6.4.1/5.7.4, JQuery to >3.5, jspdf to >2.3.1, and xmldom to >0.7.0? I'm planning on giving it a try Monday to see what happens but I remember hearing the team had some issues updating JQuery in the past.
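To make the "which of these findings can `npm update` actually clear?" question answerable without reading the tables by hand, here is an added example (not code from the issue or the MATS project) that triages a Trivy `--format json` report: per package it records the worst severity, the nearest fixed version, and whether an npm caret range can reach that fix without a major bump. It assumes Trivy's JSON layout (a top-level `Results` list with `Target` and `Vulnerabilities` entries) and uses a constructed sample built from the aircraft and tests findings above.

```python
"""Triage a Trivy JSON report for a dependency-upgrade decision.

Added example, not part of the original issue or the MATS project. The
report layout (top-level "Results" with "Target"/"Vulnerabilities") is an
assumption about `trivy fs --format json`; SAMPLE_REPORT is constructed
from the findings quoted in the issue, not captured output.
"""
import json
import re
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample mirroring `trivy fs ./apps/aircraft/ --format json`.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "package-lock.json", "Type": "npm",
    "Vulnerabilities": [
        {"VulnerabilityID": "NSWG-ECO-328", "PkgName": "jquery", "Severity": "HIGH",
         "InstalledVersion": "2.2.4", "FixedVersion": ">=3.0.0", "Title": "XSS"},
        {"VulnerabilityID": "CVE-2020-11022", "PkgName": "jquery", "Severity": "MEDIUM",
         "InstalledVersion": "2.2.4", "FixedVersion": "3.5.0", "Title": "htmlPrefilter XSS"},
        {"VulnerabilityID": "CVE-2021-23353", "PkgName": "jspdf", "Severity": "HIGH",
         "InstalledVersion": "1.5.3", "FixedVersion": "2.3.1", "Title": "ReDoS"},
        {"VulnerabilityID": "CVE-2021-32796", "PkgName": "xmldom", "Severity": "MEDIUM",
         "InstalledVersion": "0.1.31", "FixedVersion": "0.7.0", "Title": "malicious XML"},
        {"VulnerabilityID": "CVE-2021-23362", "PkgName": "hosted-git-info", "Severity": "MEDIUM",
         "InstalledVersion": "2.8.8", "FixedVersion": "2.8.9, 3.0.8", "Title": "ReDoS"},
    ]}]})


def parse_version(text):
    """Turn '3.5.0', '>=3.0.0' or '1.0.0-rc.7' into a comparable (major, minor, patch)."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def nearest_fix(installed, fixed_field):
    """Smallest fixed version above the installed one. Trivy lists several
    ('6.1.2, 5.0.7, 4.4.15') when a fix exists on more than one release line,
    and leaves the field empty when there is no fix at all (returns None)."""
    candidates = [parse_version(v) for v in (fixed_field or "").split(",") if v.strip()]
    above = [f for f in candidates if f > installed]
    return min(above) if above else None


def caret_reachable(installed, fixed):
    """npm's caret range (^1.5.3) only admits updates that keep the leftmost
    non-zero component, so `npm update` cannot cross that boundary."""
    if installed[0] > 0:
        return fixed[0] == installed[0]
    if installed[1] > 0:
        return fixed[:2] == installed[:2]
    return fixed[:3] == installed[:3]


def triage(report_text):
    """Group findings by package: worst severity, the fix that clears every
    finding on the package, and whether a caret range can reach that fix."""
    packages = {}
    for result in json.loads(report_text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            installed = parse_version(vuln["InstalledVersion"])
            fix = nearest_fix(installed, vuln.get("FixedVersion"))
            entry = packages.setdefault(vuln["PkgName"], {
                "target": result["Target"], "installed": installed,
                "worst_severity": "UNKNOWN", "fix": None, "ids": []})
            entry["ids"].append(vuln["VulnerabilityID"])
            if SEVERITY_RANK[vuln["Severity"]] > SEVERITY_RANK[entry["worst_severity"]]:
                entry["worst_severity"] = vuln["Severity"]
            # Every finding must be cleared, so keep the highest per-finding fix.
            if fix is not None and (entry["fix"] is None or fix > entry["fix"]):
                entry["fix"] = fix
    for entry in packages.values():
        entry["caret_reachable"] = (entry["fix"] is not None
                                    and caret_reachable(entry["installed"], entry["fix"]))
    return packages


def severity_counts(report_text):
    """Same numbers as Trivy's 'Total: N (UNKNOWN: .., HIGH: ..)' summary line."""
    counts = Counter()
    for result in json.loads(report_text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln["Severity"]] += 1
    return dict(counts)


def gate(report_text, fail_on=("HIGH", "CRITICAL")):
    """CI decision: True means the scan passes (no finding at a blocked severity)."""
    counts = severity_counts(report_text)
    return not any(counts.get(sev, 0) for sev in fail_on)


if __name__ == "__main__":
    for name, e in sorted(triage(SAMPLE_REPORT).items()):
        ver = ".".join(map(str, e["installed"]))
        fix = ".".join(map(str, e["fix"])) if e["fix"] else "none"
        how = "npm update" if e["caret_reachable"] else "major bump needed"
        print(f"{name:16} {ver:8} -> {fix:8} {e['worst_severity']:8} {how}")
    print("gate passes:", gate(SAMPLE_REPORT))
```

On the sample, only hosted-git-info is reachable by `npm update`; jquery, jspdf and xmldom all need a major bump, which is why the re-scan after `meteor npm update` still lists them.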
I definitely remember that last time we tried to update JQuery it broke something in MATS, but I don't remember specifically what, so go for it and let's see what happens.
Container image vulnerabilities were resolved in #635.
NPM vulnerabilities will be addressed in #624.
Use the standalone Trivy container scanning tool to identify vulnerabilities in the MATS & METexpress container images. Trivy's docs can be found here.