arangodb / arangodb-docker

Docker container for ArangoDB
Apache License 2.0

Trivy findings in latest version #112

Closed paddyez closed 1 year ago

paddyez commented 1 year ago

Are there any plans to resolve this? Can I help?

┌──────────────────────────┬────────────────┬──────────┬───────────────────┬─────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Installed Version │                      Fixed Version                      │                          Title                           │
├──────────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ minimatch (package.json) │ CVE-2022-3517  │ HIGH     │ 3.0.4             │ 3.0.5                                                   │ nodejs-minimatch: ReDoS via the braceExpand function     │
│                          │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-3517                │
├──────────────────────────┼────────────────┤          ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────┤
│ qs (package.json)        │ CVE-2022-24999 │          │ 6.10.1            │ 6.2.4, 6.3.3, 6.4.1, 6.5.3, 6.6.1, 6.7.3, 6.8.3, 6.9.7, │ express: "qs" prototype poisoning causes the hang of the │
│                          │                │          │                   │ 6.10.3                                                  │ node process                                             │
│                          │                │          │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2022-24999               │
└──────────────────────────┴────────────────┴──────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────┘
paddyez commented 1 year ago

New CVE

http-cache-semantics (package.json) │ CVE-2022-25881 │ HIGH │ 4.1.0 │ 4.1.1 │ CVE-2022-25881 affecting package nodejs 16.18.1-2 https://avd.aquasec.com/nvd/cve-2022-25881

dothebart commented 1 year ago

Hi, yes, this is WIP - https://github.com/arangodb/arangodb/pull/17678/files

paddyez commented 1 year ago

Because of arangodb:3.10.5