Closed jsjoeio closed 2 years ago
Thank you @jsjoeio for creating the issue on behalf of me.
Hmmm... I ran our audit tool `yarn _audit` and don't see anything reported:

```
➜ code-server git:(main) yarn _audit
yarn run v1.22.11
$ ./ci/dev/audit.sh
$ /Users/jp/Dev/coder/code-server/node_modules/.bin/audit-ci --moderate
audit-ci version: 4.1.0
Yarn audit report results:
{
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 0,
    "high": 0,
    "critical": 0
  },
  "dependencies": 689,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 689
}
Passed yarn security audit.
✨ Done in 5.55s.
```
I also ran `yarn audit` in `/vendor` and don't see anything:

```
➜ code-server git:(main) cd vendor
➜ vendor git:(main) ls
modules package.json postinstall.sh yarn.lock
➜ vendor git:(main) yarn audit
yarn audit v1.22.11
0 vulnerabilities found - Packages audited: 243
✨ Done in 0.92s.
```
And if I run `yarn why pac-resolver` in `/vendor`, I don't get anything:

```
➜ vendor git:(main) yarn why pac-resolver
yarn why v1.22.11
[1/4] 🤔 Why do we have the module "pac-resolver"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
error We couldn't find a match!
✨ Done in 0.61s.
```
I also checked in our fork and don't see anything 🤔

```
➜ vscode git:(code-server) yarn why pac-resolver
yarn why v1.22.11
[1/4] 🤔 Why do we have the module "pac-resolver"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
error We couldn't find a match!
✨ Done in 2.34s.
```

Maybe this has been fixed, or I'm doing something wrong. Any ideas @TeffenEllis @code-asher?
Hello @jsjoeio, do you need more information on this?
@manoharsjoshi - yes, if you don't mind! I am wondering if it's been fixed already. I couldn't reproduce or find it using `main` or `code-server` in the VS Code fork repo.

I'll take a look with trivy.
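The two results above differ because `yarn audit` and `yarn why` only read the lockfile of the directory they run in, whereas trivy walks every `yarn.lock` under the tree, including the nested ones in `vendor/modules/code-oss-dev`. As an added example (not code from this thread or from the code-server project), the POSIX shell helper below does that walk for one package name; the sample lockfile tree, its paths and its pinned versions are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the code-server project.
# `yarn audit` / `yarn why` consult only the lockfile of the directory they run
# in, so entries in nested lockfiles such as vendor/modules/code-oss-dev/yarn.lock
# are invisible to them, while trivy walks the whole tree. This helper does the
# same walk for one package name, reporting "lockfile<TAB>version" per hit.
set -eu

# Print "lockfile<TAB>resolved version" for every yarn.lock (v1 format) under
# $1 that has an entry for package $2 (scoped names such as @types/node work).
# Passing a single yarn.lock path as $1 checks only that file, which is what
# yarn itself sees. Returns 1 when no lockfile mentions the package.
find_locked_package() {
  root=$1
  pkg=$2
  hits=$(find "$root" -name yarn.lock -type f | sort | while IFS= read -r lock; do
    awk -v pkg="$pkg" -v lock="$lock" '
      # Entry headers are the unindented lines, e.g.
      #   pac-resolver@^4.0.0, pac-resolver@^4.1.0:
      #   "@types/node@*":          (quoted when the spec has special chars)
      /^[^ \t#]/ {
        inentry = 0
        line = $0
        gsub(/"/, "", line)
        sub(/:$/, "", line)
        n = split(line, specs, ", *")
        for (i = 1; i <= n; i++) {
          name = specs[i]
          sub(/@[^@]*$/, "", name)   # drop the range after the last "@"
          if (name == pkg) inentry = 1
        }
      }
      # The first indented "version" line after a matching header is the pin.
      inentry && /^[ \t]+version / {
        v = $2
        gsub(/"/, "", v)
        print lock "\t" v
        inentry = 0
      }
    ' "$lock"
  done)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# Build a constructed vendor-like tree (sample data, not the real code-server
# lockfiles): the root lockfile omits pac-resolver, two nested ones pin it.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/modules/code-oss-dev/remote"
  printf '%s\n' \
    '# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.' \
    '# yarn lockfile v1' \
    '' \
    '"@types/node@*":' \
    '  version "16.9.1"' \
    '  resolved "https://registry.yarnpkg.com/@types/node/-/node-16.9.1.tgz"' \
    > "$dir/yarn.lock"
  printf '%s\n' \
    '# yarn lockfile v1' \
    '' \
    'pac-resolver@^4.0.0, pac-resolver@^4.1.0:' \
    '  version "4.1.0"' \
    '  resolved "https://registry.yarnpkg.com/pac-resolver/-/pac-resolver-4.1.0.tgz"' \
    '  dependencies:' \
    '    degenerator "^1.0.4"' \
    > "$dir/modules/code-oss-dev/yarn.lock"
  printf '%s\n' \
    '# yarn lockfile v1' \
    '' \
    'pac-resolver@^5.0.0:' \
    '  version "5.0.0"' \
    '  resolved "https://registry.yarnpkg.com/pac-resolver/-/pac-resolver-5.0.0.tgz"' \
    > "$dir/modules/code-oss-dev/remote/yarn.lock"
  printf '%s\n' "$dir"
}

# Demo: the root lockfile alone (yarn's view) vs. the whole tree (trivy's view).
tree=$(make_sample_tree)
echo "root lockfile only:"
find_locked_package "$tree/yarn.lock" pac-resolver || echo "  no match (what yarn why reports)"
echo "all lockfiles under $tree:"
find_locked_package "$tree" pac-resolver
rm -rf "$tree"
```

Point it at a real checkout with `find_locked_package vendor pac-resolver` to see which nested lockfile pins the package that the top-level `yarn why` cannot find.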
@jsjoeio I actually found a quite extensive list of vulns in `vendor` using trivy:
modules/code-oss-dev/build/lib/watch/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/build/win32/Cargo.lock
===========================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| term | RUSTSEC-2018-0015 | UNKNOWN | 0.4.6 | | term is looking for a new maintainer (rustsec.org/advisories/RUSTSEC-2018-0015) |
modules/code-oss-dev/build/yarn.lock
====================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| nth-check | CVE-2021-3803 | HIGH | 1.0.2 | 2.0.1 | nodejs-nth-check: inefficient regular expression complexity (avd.aquasec.com/nvd/cve-2021-3803) |
| underscore | CVE-2021-23358 | HIGH | 1.8.3, 1.9.1 | 1.12.1 | nodejs-underscore: Arbitrary code execution via the template function (avd.aquasec.com/nvd/cve-2021-23358) |
| xmldom | CVE-2021-21366 | MEDIUM | 0.1.31 | 0.5.0 | Misinterpretation of malicious XML input (avd.aquasec.com/nvd/cve-2021-21366) |
| xmldom | CVE-2021-32796 | MEDIUM | 0.1.31 | | nodejs-xmldom: misinterpretation of malicious XML input (avd.aquasec.com/nvd/cve-2021-32796) |
modules/code-oss-dev/extensions/bat/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/clojure/yarn.lock
=================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/coffeescript/yarn.lock
======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/configuration-editing/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/cpp/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/csharp/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/css-language-features/server/yarn.lock
======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/css-language-features/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/css/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/debug-auto-launch/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/debug-server-ready/yarn.lock
============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/docker/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/emmet/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/extension-editing/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/fsharp/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/git/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/github-authentication/yarn.lock
===============================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| axios | CVE-2021-3749 | HIGH | 0.21.1 | 0.21.2 | nodejs-axios: Regular expression denial of service in trim function (avd.aquasec.com/nvd/cve-2021-3749) |
modules/code-oss-dev/extensions/github/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/go/yarn.lock
============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/groovy/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/grunt/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/gulp/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/handlebars/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/hlsl/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/html-language-features/server/yarn.lock
=======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/html-language-features/yarn.lock
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/html/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/image-preview/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/ini/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/ipynb/yarn.lock
===============================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| url-parse | CVE-2021-27515 | MEDIUM | 1.4.7 | 1.5.0 | nodejs-url-parse: mishandling certain uses of backslash may lead to confidentiality compromise (avd.aquasec.com/nvd/cve-2021-27515) |
| url-parse | CVE-2021-3664 | MEDIUM | 1.4.7 | 1.5.2 | nodejs-url-parse: URL Redirection to Untrusted Site (avd.aquasec.com/nvd/cve-2021-3664) |
modules/code-oss-dev/extensions/jake/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/java/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/javascript/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/json-language-features/server/yarn.lock
=======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/json-language-features/yarn.lock
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/json/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/less/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/log/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/lua/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/make/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/markdown-basics/yarn.lock
=========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/markdown-language-features/yarn.lock
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/markdown-math/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/merge-conflict/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/microsoft-authentication/yarn.lock
==================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/npm/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/objective-c/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/perl/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/php-language-features/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/php/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/powershell/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/pug/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/python/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/r/yarn.lock
===========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/razor/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/ruby/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/rust/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/scss/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/search-result/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/shaderlab/yarn.lock
===================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/shellscript/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/simple-browser/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/sql/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/swift/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-abyss/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-defaults/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-kimbie-dark/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-monokai-dimmed/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-monokai/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-quietlight/yarn.lock
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-red/yarn.lock
===================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-seti/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-solarized-dark/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-solarized-light/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/theme-tomorrow-night-blue/yarn.lock
===================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/typescript-basics/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/typescript-language-features/yarn.lock
======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/vb/yarn.lock
============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/vscode-api-tests/yarn.lock
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/vscode-colorize-tests/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/vscode-custom-editor-tests/yarn.lock
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/vscode-notebook-tests/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/vscode-test-resolver/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/xml/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/yaml/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/extensions/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/remote/web/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/remote/yarn.lock
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/test/automation/yarn.lock
==============================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| hosted-git-info | CVE-2021-23362 | MEDIUM | 2.8.8 | 2.8.9, 3.0.8 | nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (avd.aquasec.com/nvd/cve-2021-23362) |
| merge | CVE-2020-28499 | CRITICAL | 1.2.1 | 2.1.1 | Prototype Pollution in merge (avd.aquasec.com/nvd/cve-2020-28499) |
| minimist | CVE-2020-7598 | MEDIUM | 1.2.0 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... (avd.aquasec.com/nvd/cve-2020-7598) |
| path-parse | CVE-2021-23343 | HIGH | 1.0.6 | 1.0.7 | nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (avd.aquasec.com/nvd/cve-2021-23343) |
modules/code-oss-dev/test/integration/browser/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/test/leaks/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/test/monaco/yarn.lock
==========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
modules/code-oss-dev/test/smoke/yarn.lock
=========================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| merge | CVE-2020-28499 | CRITICAL | 1.2.1 | 2.1.1 | Prototype Pollution in merge (avd.aquasec.com/nvd/cve-2020-28499) |
modules/code-oss-dev/yarn.lock
==============================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 10, CRITICAL: 1)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| ansi-regex | CVE-2021-3807 | HIGH | 3.0.0, 4.1.0, 5.0.0 | 5.0.1, 6.0.1 | node-ansi-regex: inefficient regular expression complexity allows for a crash (avd.aquasec.com/nvd/cve-2021-3807) |
| glob-parent | CVE-2020-28469 | HIGH | 3.1.0 | 5.1.2 | nodejs-glob-parent: Regular expression denial of service (avd.aquasec.com/nvd/cve-2020-28469) |
| nth-check | CVE-2021-3803 | HIGH | 1.0.2 | 2.0.1 | nodejs-nth-check: inefficient regular expression complexity (avd.aquasec.com/nvd/cve-2021-3803) |
| set-value | CVE-2021-23440 | CRITICAL | 2.0.1 | 4.0.1 | nodejs-set-value: type confusion allows bypass of CVE-2019-10747 (avd.aquasec.com/nvd/cve-2021-23440) |
| tar | CVE-2021-32803 | HIGH | 2.2.2 | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (avd.aquasec.com/nvd/cve-2021-32803) |
| tar | CVE-2021-32804 | HIGH | 2.2.2 | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (avd.aquasec.com/nvd/cve-2021-32804) |
| tar | CVE-2021-37701 | HIGH | 2.2.2 | 6.1.7, 5.0.8, 4.4.16 | nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links... (avd.aquasec.com/nvd/cve-2021-37701) |
| tar | CVE-2021-37712 | HIGH | 2.2.2 | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: insufficient symlink protection due to directory cache poisoning using symbolic links... (avd.aquasec.com/nvd/cve-2021-37712) |
| tar | CVE-2021-37713 | HIGH | 2.2.2 | 6.1.9, 5.0.10, 4.4.18 | Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization (avd.aquasec.com/nvd/cve-2021-37713) |
| yargs-parser | CVE-2020-7608 | MEDIUM | 13.1.1 | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype pollution vulnerability (avd.aquasec.com/nvd/cve-2020-7608) |
modules/sumchecker/yarn.lock
============================
Total: 29 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 17, CRITICAL: 3)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| acorn | GHSA-6chw-6frg-f759 | HIGH | 7.1.0 | 5.7.4, 7.1.1, 6.4.1 | Regular Expression Denial of Service in Acorn (github.com/advisories/GHSA-6chw-6frg-f759) |
| ansi-regex | CVE-2021-3807 | HIGH | 4.1.0, 5.0.0, 3.0.0 | 5.0.1, 6.0.1 | node-ansi-regex: inefficient regular expression complexity allows for a crash (avd.aquasec.com/nvd/cve-2021-3807) |
| codecov | CVE-2020-15123 | CRITICAL | 3.6.1 | 3.7.1 | Command injection in codecov (npm package) (avd.aquasec.com/nvd/cve-2020-15123) |
| codecov | CVE-2020-7597 | HIGH | 3.6.1 | 3.6.5 | codecov NPM module allows remote attackers to execute arbitrary commands (avd.aquasec.com/nvd/cve-2020-7597) |
| dot-prop | CVE-2020-8116 | HIGH | 4.2.0 | 5.1.1, 4.2.1 | nodejs-dot-prop: prototype pollution (avd.aquasec.com/nvd/cve-2020-8116) |
| glob-parent | CVE-2020-28469 | HIGH | 5.1.0, 3.1.0 | 5.1.2 | nodejs-glob-parent: Regular expression denial of service (avd.aquasec.com/nvd/cve-2020-28469) |
| handlebars | CVE-2021-23369 | CRITICAL | 4.5.3 | 4.7.7 | nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option... (avd.aquasec.com/nvd/cve-2021-23369) |
| handlebars | NSWG-ECO-519 | MEDIUM | 4.5.3 | >=4.6.0 | Denial of Service (hackerone.com/reports/726364) |
| hosted-git-info | CVE-2021-23362 | MEDIUM | 2.8.5 | 2.8.9, 3.0.8 | nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (avd.aquasec.com/nvd/cve-2021-23362) |
| ini | CVE-2020-7788 | HIGH | 1.3.5 | 1.3.6 | nodejs-ini: Prototype pollution via malicious INI file (avd.aquasec.com/nvd/cve-2020-7788) |
| kind-of | CVE-2019-20149 | HIGH | 6.0.2 | 6.0.3 | nodejs-kind-of: ctorName in index.js allows external user input to overwrite certain internal... (avd.aquasec.com/nvd/cve-2019-20149) |
| lodash | CVE-2020-8203 | HIGH | 4.17.15 | 4.17.19 | nodejs-lodash: prototype pollution in zipObjectDeep function (avd.aquasec.com/nvd/cve-2020-8203) |
| lodash | CVE-2021-23337 | HIGH | 4.17.15 | 4.17.21 | nodejs-lodash: command injection via template (avd.aquasec.com/nvd/cve-2021-23337) |
| lodash | NSWG-ECO-516 | HIGH | 4.17.15 | >=4.17.19 | Allocation of Resources Without Limits or Throttling (www.npmjs.com/advisories/1523) |
| minimist | CVE-2020-7598 | MEDIUM | 0.0.8, 1.2.0, 0.0.10 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... (avd.aquasec.com/nvd/cve-2020-7598) |
| node-fetch | CVE-2020-15168 | MEDIUM | 2.6.0 | 3.0.0-beta.9, 2.6.1 | node-fetch: size of data after fetch() JS thread leads to DoS (avd.aquasec.com/nvd/cve-2020-15168) |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| normalize-url | CVE-2021-33502 | HIGH | 4.5.0 | 4.5.1, 6.0.1, 5.3.1 | normalize-url: ReDoS for data URLs |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33502 |
+-------------------+---------------------+ +-------------------+-------------------------------+----------------------------------------------+
| path-parse | CVE-2021-23343 | | 1.0.6 | 1.0.7 | nodejs-path-parse: |
| | | | | | ReDoS via splitDeviceRe, |
| | | | | | splitTailRe and splitPathRe |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23343 |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| set-value | CVE-2021-23440 | CRITICAL | 2.0.1 | 4.0.1 | nodejs-set-value: type confusion |
| | | | | | allows bypass of CVE-2019-10747 |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23440 |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-newlines | CVE-2021-33623 | HIGH | 2.0.0 | 4.0.1, 3.0.1 | nodejs-trim-newlines: |
| | | | | | ReDoS in .end() method |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33623 |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-off-newlines | CVE-2021-23425 | MEDIUM | 1.0.1 | | nodejs-trim-off-newlines: |
| | | | | | ReDoS via string processing |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23425 |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| y18n | CVE-2020-7774 | HIGH | 4.0.0 | 5.0.5, 4.0.1, 3.2.2 | nodejs-y18n: prototype |
| | | | | | pollution vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7774 |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| yargs-parser | CVE-2020-7608 | MEDIUM | 10.1.0 | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype |
| | | | | | pollution vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7608 |
+ + + +-------------------+ + +
| | | | 13.1.1 | | |
| | | | | | |
| | | | | | |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
yarn.lock
=========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex | CVE-2021-3807 | HIGH | 3.0.0 | 5.0.1, 6.0.1 | node-ansi-regex: inefficient |
| | | | | | regular expression |
| | | | | | complexity allows for a crash |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3807 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
The ones called out by this issue are specifically:
modules/code-oss-dev/yarn.lock
==============================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 10, CRITICAL: 1)
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| ansi-regex | CVE-2021-3807 | HIGH | 3.0.0 | 5.0.1, 6.0.1 | node-ansi-regex: inefficient |
| | | | | | regular expression |
| | | | | | complexity allows for a crash |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3807 |
+ + + +-------------------+ + +
| | | | 4.1.0 | | |
| | | | | | |
| | | | | | |
| | | | | | |
+ + + +-------------------+ + +
| | | | 5.0.0 | | |
| | | | | | |
| | | | | | |
| | | | | | |
+--------------+------------------+ +-------------------+-------------------------------+---------------------------------------+
| glob-parent | CVE-2020-28469 | | 3.1.0 | 5.1.2 | nodejs-glob-parent: Regular |
| | | | | | expression denial of service |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-28469 |
+--------------+------------------+ +-------------------+-------------------------------+---------------------------------------+
| nth-check | CVE-2021-3803 | | 1.0.2 | 2.0.1 | nodejs-nth-check: inefficient |
| | | | | | regular expression complexity |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3803 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| set-value | CVE-2021-23440 | CRITICAL | 2.0.1 | 4.0.1 | nodejs-set-value: type confusion |
| | | | | | allows bypass of CVE-2019-10747 |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23440 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| tar | CVE-2021-32803 | HIGH | 2.2.2 | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink |
| | | | | | protection allowing arbitrary |
| | | | | | file creation and overwrite |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32803 |
+ +------------------+ + +-------------------------------+---------------------------------------+
| | CVE-2021-32804 | | | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute |
| | | | | | path sanitization allowing arbitrary |
| | | | | | file creation and overwrite |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-32804 |
+ +------------------+ + +-------------------------------+---------------------------------------+
| | CVE-2021-37701 | | | 6.1.7, 5.0.8, 4.4.16 | nodejs-tar: insufficient symlink |
| | | | | | protection due to directory cache |
| | | | | | poisoning using symbolic links... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37701 |
+ +------------------+ + +-------------------------------+---------------------------------------+
| | CVE-2021-37712 | | | 6.1.9, 5.0.10, 4.4.18 | nodejs-tar: insufficient symlink |
| | | | | | protection due to directory cache |
| | | | | | poisoning using symbolic links... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37712 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-37713 | | | | Arbitrary File Creation/Overwrite |
| | | | | | on Windows via insufficient |
| | | | | | relative path sanitization |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37713 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| yargs-parser | CVE-2020-7608 | MEDIUM | 13.1.1 | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype |
| | | | | | pollution vulnerability |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-7608 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
However, I don't see 23406.
@jsjoeio I actually found a quite extensive list of vulns in vendor using trivy:
Amazing! @vapurrmaid what steps did you run to catch these? I can do the same and then submit a PR to https://github.com/cdr/vscode to the code-server branch (that's our equivalent of main).
cd vendor
trivy fs .
I have trivy installed in my workspace, so for reproducing in an environment that doesn't already have this installed, you'd need to follow: https://aquasecurity.github.io/trivy/v0.20.0/getting-started/installation/
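The disagreement earlier in the thread comes down to scope: `yarn audit` and `audit-ci` in the repository root read the root `yarn.lock` only, while `trivy fs .` walks the tree and reports each lockfile it finds (`test/yarn.lock`, `modules/code-oss-dev/yarn.lock`, and so on), then compares every pinned version against the advisory's fixed versions. The script below is an added example for this thread, not code-server's or Trivy's own tooling: it does that lockfile walk and version check by hand. Its advisory table is constructed from the Trivy rows quoted above (`path-parse`, `ansi-regex`, `set-value`), the two lockfiles it writes are constructed sample data mirroring the layout discussed (a clean root lockfile, a vendored VS Code lockfile that is not), and `is_fixed()` is an approximation of how a "fixed in 5.0.1, 6.0.1" list is read, not Trivy's exact matching logic.

```python
"""Walk a checkout for yarn.lock files and flag pinned versions that sit
below an advisory's fixed version.

Added example for this thread; not code-server's or Trivy's own tooling.
ADVISORIES is constructed from Trivy rows quoted in the thread, and the
lockfiles written by build_sample_repo() are constructed sample data.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed advisory table: package -> [(advisory id, fixed versions)].
ADVISORIES: Dict[str, List[Tuple[str, List[str]]]] = {
    "path-parse": [("CVE-2021-23343", ["1.0.7"])],
    "ansi-regex": [("CVE-2021-3807", ["5.0.1", "6.0.1"])],
    "set-value": [("CVE-2021-23440", ["4.0.1"])],
}

# yarn.lock v1: an unindented 'name@range, name@range:' header followed by
# a two-space-indented 'version "x.y.z"' line for the resolved version.
_HEADER_RE = re.compile(r"^(\S.*):\s*$")
_VERSION_RE = re.compile(r'^  version "([^"]+)"')


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'1.0.6' -> (1, 0, 6, 1). The last element ranks a pre-release such as
    3.0.0-beta.9 (0) below its final release 3.0.0 (1)."""
    core, _, pre = v.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2], 0 if pre else 1


def is_fixed(installed: str, fixed_versions: List[str]) -> bool:
    """Approximation of reading a 'fixed in' list: compare against the fix in
    the installed version's own minor line, else its major line, else the
    newest fix. Anything below the chosen fix is still vulnerable."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    same_major = [f for f in fixes if f[0] == inst[0]]
    same_minor = [f for f in same_major if f[1] == inst[1]]
    if same_minor:
        return inst >= max(same_minor)
    if same_major:
        return inst >= max(same_major)
    return inst >= max(fixes)


def parse_yarn_lock(path: str) -> List[Tuple[str, str]]:
    """Return the (package, resolved version) pairs pinned in a v1 lockfile."""
    pins: List[Tuple[str, str]] = []
    name = None
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            header = _HEADER_RE.match(line)
            if header:
                first_spec = header.group(1).split(",")[0].strip().strip('"')
                # rsplit keeps scoped names such as @types/node intact.
                name = first_spec.rsplit("@", 1)[0]
                continue
            version = _VERSION_RE.match(line)
            if version and name:
                pins.append((name, version.group(1)))
                name = None  # only the entry's own version line counts
    return sorted(set(pins))


def find_lockfiles(root: str) -> List[str]:
    """Every yarn.lock under root, skipping installed node_modules trees."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "yarn.lock" in filenames:
            found.append(os.path.join(dirpath, "yarn.lock"))
    return sorted(found)


def scan(root: str) -> List[Tuple[str, str, str, str]]:
    """(lockfile relative to root, package, installed, advisory id) for each
    pinned version that is still below the advisory's fix."""
    findings = []
    for lock in find_lockfiles(root):
        rel = os.path.relpath(lock, root)
        for name, installed in parse_yarn_lock(lock):
            for advisory_id, fixed in ADVISORIES.get(name, []):
                if not is_fixed(installed, fixed):
                    findings.append((rel, name, installed, advisory_id))
    return findings


def build_sample_repo() -> str:
    """Write constructed lockfiles: a clean root one, a vendored one with the
    versions Trivy reported in the thread, and one under node_modules that
    the walk must ignore."""
    root = tempfile.mkdtemp(prefix="lockscan-")
    files = {
        "yarn.lock": 'path-parse@^1.0.6:\n  version "1.0.7"\n\n'
                     'ansi-regex@^5.0.0:\n  version "5.0.1"\n',
        "vendor/modules/code-oss-dev/yarn.lock":
            '"@types/node@^14.0.0":\n  version "14.17.0"\n\n'
            'ansi-regex@^3.0.0:\n  version "3.0.0"\n\n'
            'ansi-regex@^4.1.0:\n  version "4.1.0"\n\n'
            'ansi-regex@^5.0.0:\n  version "5.0.0"\n\n'
            'path-parse@^1.0.6:\n  version "1.0.6"\n\n'
            'set-value@^2.0.1:\n  version "2.0.1"\n',
        "node_modules/dep/yarn.lock": 'set-value@^2.0.1:\n  version "2.0.1"\n',
    }
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write("# yarn lockfile v1\n\n" + text)
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_repo()):
        print("%s: %s %s is below the fix for %s" % finding)
```

Run from a checkout root with `scan(".")` and every lockfile under `vendor/` is covered, which is the gap the root-level `yarn _audit` run in this thread could not see.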
Easy! Thanks @vapurrmaid 🙌 I'll see if I can knock this out today or tomorrow.
Hi @jsjoeio, I'm seeing the below CVEs when I create a Docker image with v3.12.0. Is this issue being worked on?
Vulnerabilities
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | DESCRIPTION |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23383 | critical | 9.80 | handlebars | 1.0.0 | fixed in 4.7.7 | The package handlebars before 4.7.7 are vulnerable |
| | | | | | > 5 months ago | to Prototype Pollution when selecting certain |
| | | | | | | compiling options to compile templates coming from |
| | | | | | | an... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23449 | critical | 9.00 | vm2 | 3.9.3 | fixed in 3.9.4 | This affects the package vm2 before 3.9.4 via |
| | | | | | 10 days ago | a Prototype Pollution attack vector, which can |
| | | | | | | lead to execution of arbitrary code on the host |
| | | | | | | machine. |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23369 | critical | 9.00 | handlebars | 1.0.0 | fixed in 4.7.7 | The package handlebars before 4.7.7 are vulnerable |
| | | | | | > 5 months ago | to Remote Code Execution (RCE) when selecting |
| | | | | | | certain compiling options to compile templates |
| | | | | | | coming... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2019-19919 | critical | 9.00 | handlebars | 1.0.0 | fixed in 4.3.0 | Versions of handlebars prior to 4.3.0 are |
| | | | | | > 1 years ago | vulnerable to Prototype Pollution leading to |
| | | | | | | Remote Code Execution. Templates may alter an |
| | | | | | | Object\'s __proto... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2019-20920 | high | 8.10 | handlebars | 1.0.0 | fixed in 4.5.3, 3.0.8 | Handlebars before 3.0.8 and 4.x before 4.5.3 is |
| | | | | | > 1 years ago | vulnerable to Arbitrary Code Execution. The lookup |
| | | | | | | helper fails to properly validate templates, |
| | | | | | | allowi... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-q42p-pg8m-cqh6 | high | 7.00 | handlebars | 1.0.0 | fixed in 3.0.7, 4.0.14, 4.1.2 | Versions of `handlebars` prior to 4.0.14 are |
| | | | | | > 2 years ago | vulnerable to Prototype Pollution. Templates may |
| | | | | | | alter an Objects\' prototype, thus allowing an |
| | | | | | | attacker ... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-q2c6-c6pm-g3gh | high | 7.00 | handlebars | 1.0.0 | fixed in 4.5.3, 3.0.8 | Versions of `handlebars` prior to 3.0.8 or 4.5.3 |
| | | | | | > 1 years ago | are vulnerable to Arbitrary Code Execution. |
| | | | | | | The package\'s lookup helper fails to properly |
| | | | | | | validate t... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-g9r4-xpmj-mj65 | high | 7.00 | handlebars | 1.0.0 | fixed in 4.5.3, 3.0.8 | Versions of `handlebars` prior to 3.0.8 or 4.5.3 |
| | | | | | > 1 years ago | are vulnerable to prototype pollution. It is |
| | | | | | | possible to add or modify properties to the Object |
| | | | | | | proto... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-2cf5-4w76-r9qv | high | 7.00 | handlebars | 1.0.0 | fixed in 4.5.2, 3.0.8 | Versions of `handlebars` prior to 3.0.8 or 4.5.2 |
| | | | | | > 1 years ago | are vulnerable to Arbitrary Code Execution. |
| | | | | | | The package\'s lookup helper fails to properly |
| | | | | | | validate t... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23406 | high | 7.00 | pac-resolver | 4.2.0 | fixed in 5.0.0 | This affects the package pac-resolver before |
| | | | | | 56 days ago | 5.0.0. This can occur when used with untrusted |
| | | | | | | input, due to unsafe PAC file handling. **NOTE:** |
| | | | | | | The fix ... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-21353 | high | 7.00 | pug | 1.0.0 | fixed in 3.0.1 | Pug is an npm package which is a high-performance |
| | | | | | > 8 months ago | template engine. In pug before version 3.0.1, if |
| | | | | | | a remote attacker was able to control the `pretty` |
| | | | | | | ... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2020-7788 | high | 7.00 | ini | 1.0.0 | fixed in 1.3.6 | This affects the package ini before 1.3.6. If |
| | | | | | > 10 months ago | an attacker submits a malicious INI file to an |
| | | | | | | application that parses it with ini.parse, they |
| | | | | | | will poll... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2020-7729 | high | 7.00 | grunt | 1.0.0 | fixed in 1.3.0 | The package grunt before 1.3.0 are vulnerable |
| | | | | | > 5 months ago | to Arbitrary Code Execution due to the default |
| | | | | | | usage of the function load() instead of its secure |
| | | | | | | replac... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2020-7712 | high | 7.00 | json | 1.0.0 | fixed in 10.0.0 | This affects the package json before 10.0.0. It |
| | | | | | > 5 months ago | is possible to inject arbritary commands using the |
| | | | | | | parseLookup function. |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2019-16775 | high | 7.00 | npm | 1.0.1 | fixed in 6.13.3 | Versions of the npm CLI prior to 6.13.3 are |
| | | | | | > 1 years ago | vulnerable to an Arbitrary File Write. It is |
| | | | | | | possible for packages to create symlinks to files |
| | | | | | | outside of ... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2016-3956 | high | 7.00 | npm | 1.0.1 | fixed in 3.8.3, 2.15.1 | The CLI in npm before 2.15.1 and 3.x before |
| | | | | | > 3 years ago | 3.8.3, as used in Node.js 0.10 before 0.10.44, |
| | | | | | | 0.12 before 0.12.13, 4 before 4.4.2, and 5 before |
| | | | | | | 5.10.0, i... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| PRISMA-2021-0056 | high | 0.00 | json | 1.0.0 | fixed in 11.0.0 | json package versions before 11.0.0 are vulnerable |
| | | | | | | to RCE via the -d argument. If attackers or |
| | | | | | | malicious users can control -d argument, they can |
| | | | | | | execu... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-3807 | moderate | 4.00 | ansi-regex | 3.0.0 | fixed in 5.0.1, 6.0.1 | ansi-regex is vulnerable to Inefficient Regular |
| | | | | | 38 days ago | Expression Complexity |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2015-8861 | moderate | 4.00 | handlebars | 1.0.0 | fixed in 4.0.0 | The handlebars package before 4.0.0 for Node.js |
| | | | | | > 3 years ago | allows remote attackers to conduct cross-site |
| | | | | | | scripting (XSS) attacks by leveraging a template |
| | | | | | | with an... |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
@jtfogarty thanks for the table! Yes, going to add this to the current milestone and see if we can get this fixed before the next release. cc @TeffenEllis (just so you are aware in case any of these are coming from our fork)
Investigating with yarn _audit, I don't see any vulnerabilities:
➜ code-server git:(jsjoeio-fix-deps) ✗ yarn _audit
yarn run v1.22.11
$ ./ci/dev/audit.sh
$ /Users/jp/Dev/coder/code-server/node_modules/.bin/audit-ci --moderate
audit-ci version: 4.1.0
Yarn audit report results:
{
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 0,
"critical": 0
},
"dependencies": 703,
"devDependencies": 0,
"optionalDependencies": 0,
"totalDependencies": 703
}
Now running trivy fs . from the root, I see these:
➜ code-server git:(jsjoeio-fix-deps) ✗ trivy fs .
2021-11-02T15:30:09.705-0700 INFO Need to update DB
2021-11-02T15:30:09.705-0700 INFO Downloading DB...
24.54 MiB / 24.54 MiB [------] 100.00% 19.58 MiB p/s 2s
2021-11-02T15:30:13.302-0700 INFO Number of language-specific files: 7
2021-11-02T15:30:13.302-0700 INFO Detecting yarn vulnerabilities...
test/yarn.lock (yarn)
=====================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| path-parse | CVE-2021-23343 | HIGH | 1.0.6 | 1.0.7 | nodejs-path-parse: |
| | | | | | ReDoS via splitDeviceRe, |
| | | | | | splitTailRe and splitPathRe |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23343 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
We're already using path-parse 1.0.7, so this is a false alarm. There's also a bug in Trivy that was introduced recently, causing it to show false positives for security vulnerabilities. This is specifically for the dependencies in code-server itself (not vendor/modules/code-oss-dev).
If we do the same for vendor/modules/code-oss-dev or, specifically, our fork, we can do:
npx audit-ci --moderate
to first check with the same tool we use in code-server (there we run yarn _audit). We get this:
{
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 21,
"high": 18,
"critical": 0
},
"dependencies": 1834,
"devDependencies": 0,
"optionalDependencies": 0,
"totalDependencies": 1834
}
Hmm...this is a bit tricky. These are all upstream, which means they're not only affecting the code-server community but the VS Code community. I feel like these should be fixed upstream.
— Manohar Joshi
Reported to security@coder.com over email.