alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License
1.04k stars 261 forks

CVE-2022-25881 #302

Open hafeyang opened 1 year ago

hafeyang commented 1 year ago

https://nvd.nist.gov/vuln/detail/CVE-2022-25881

http-cache-semantics package should upgrade from 4.1.0 to 4.1.1

apaniban commented 1 year ago

We're affected by this too! Could someone help us create a patch ☺️

apaniban commented 1 year ago

Do we have any updates regarding this? ☺️ Thank you!

theGOTOguy commented 1 year ago

This is not an issue with Alpine, this is an issue with Node's node-alpine images.

To verify, first brew install trivy, then:

$ trivy image alpine:3.17
2023-02-21T04:04:02.910-0500    INFO    Vulnerability scanning is enabled
2023-02-21T04:04:02.910-0500    INFO    Secret scanning is enabled
2023-02-21T04:04:02.910-0500    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-21T04:04:02.910-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-21T04:04:03.997-0500    INFO    Detected OS: alpine
2023-02-21T04:04:03.997-0500    INFO    Detecting Alpine vulnerabilities...
2023-02-21T04:04:03.999-0500    INFO    Number of language-specific files: 0

alpine:3.17 (alpine 3.17.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Whereas:

$ trivy image node:18-alpine
2023-02-21T04:05:28.357-0500    INFO    Vulnerability scanning is enabled
2023-02-21T04:05:28.357-0500    INFO    Secret scanning is enabled
2023-02-21T04:05:28.357-0500    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-21T04:05:28.357-0500    INFO    Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-21T04:05:29.529-0500    INFO    Detected OS: alpine
2023-02-21T04:05:29.529-0500    INFO    Detecting Alpine vulnerabilities...
2023-02-21T04:05:29.531-0500    INFO    Number of language-specific files: 1
2023-02-21T04:05:29.532-0500    INFO    Detecting node-pkg vulnerabilities...

node:18-alpine (alpine 3.17.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2023-02-21T04:05:29.537-0500    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                       Title                       │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │ HIGH     │ 4.1.0             │ 4.1.1         │ CVE-2022-25881 affecting package nodejs 16.18.1-2 │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25881        │
└─────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

It appears that a PR is waiting for approval that will fix this.
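An added example, not from this thread or from the docker-alpine project, of turning the scan theGOTOguy shows into a build gate using the `--format json` output the log mentions: it keeps findings per layer (the clean alpine OS layer versus the Node.js package layer) and fails only on findings with a published fix at or above a severity threshold. It assumes Trivy's JSON field names (`Results[].Type`, `Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report is constructed to mirror the node:18-alpine table above, not captured scanner output.

```python
import json

# Constructed sample mirroring the node:18-alpine table above; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "node:18-alpine",
    "Results": [
        {"Target": "node:18-alpine (alpine 3.17.2)", "Type": "alpine", "Vulnerabilities": []},
        {"Target": "Node.js", "Type": "node-pkg", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-25881", "PkgName": "http-cache-semantics",
             "InstalledVersion": "4.1.0", "FixedVersion": "4.1.1", "Severity": "HIGH"}]},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def parse_version(v):
    """'4.1.0' -> (4, 1, 0). A release suffix such as '-r0' is dropped,
    which is enough for comparing against Trivy's FixedVersion."""
    core = v.split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def findings_by_layer(report_json, min_severity="HIGH"):
    """Map each scanned layer (Trivy 'Type': 'alpine', 'node-pkg', ...) to its
    fixable findings: a fix exists, installed < fixed, severity >= min_severity."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    out = {}
    for result in report.get("Results", []):
        hits = []
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion")
            if not fixed:
                continue  # no upstream fix yet: nothing to upgrade to, so it cannot gate
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if parse_version(vuln["InstalledVersion"]) < parse_version(fixed):
                hits.append((vuln["VulnerabilityID"], vuln["PkgName"],
                             vuln["InstalledVersion"], fixed))
        out[result.get("Type", "unknown")] = hits
    return out

def should_fail(report_json, min_severity="HIGH"):
    """True when any layer carries a fixable finding at or above min_severity."""
    return any(findings_by_layer(report_json, min_severity).values())

if __name__ == "__main__":
    print(findings_by_layer(SAMPLE_REPORT))
    raise SystemExit(1 if should_fail(SAMPLE_REPORT) else 0)
```

Feed it a real report with `trivy image --format json node:18-alpine > report.json` and pass the file contents to `should_fail`; the per-layer split shows at a glance whether a finding belongs to the Alpine base or to the Node.js layer on top.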

PhantomRay commented 1 year ago

@apaniban in your Dockerfile, use this as a workaround:

RUN npm i -g npm

nuhasha commented 1 year ago

I would add to what @PhantomRay mentioned:

in your Dockerfile

RUN npm install -g npm@9.5.0 && apk del npm

Make sure to remove the old npm installation by adding apk del npm. I used npm v9.5.0 as it's compatible with node.js 18.14.1-r0, which is used by alpine 3.17.