coder / code-server

VS Code in the browser
https://coder.com
MIT License

Security Vulnerability CVE-2021-23406 inside /usr/lib/code-server/vendor/modules/code-oss-dev/yarn.lock #4279

Closed jsjoeio closed 2 years ago

jsjoeio commented 2 years ago

Mentioned vulnerability still exists in code-oss-dev. /usr/lib/code-server/vendor/modules/code-oss-dev/yarn.lock still has the 4.2.0 version of pac-resolver.

— Manohar Joshi

Reported to security@coder.com over email.

manoharsjoshi commented 2 years ago

Thank you @jsjoeio for creating the issue on my behalf.

jsjoeio commented 2 years ago

Hmmm... I ran our audit tool yarn _audit and don't see anything reported:

➜  code-server git:(main) yarn _audit
yarn run v1.22.11
$ ./ci/dev/audit.sh
$ /Users/jp/Dev/coder/code-server/node_modules/.bin/audit-ci --moderate
audit-ci version: 4.1.0
Yarn audit report results:
{
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 0,
    "high": 0,
    "critical": 0
  },
  "dependencies": 689,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 689
}
Passed yarn security audit.
✨  Done in 5.55s.

I also ran yarn audit in /vendor and don't see anything:

➜  code-server git:(main) cd vendor 
➜  vendor git:(main) ls
modules        package.json   postinstall.sh yarn.lock
➜  vendor git:(main) yarn audit
yarn audit v1.22.11
0 vulnerabilities found - Packages audited: 243
✨  Done in 0.92s.

And if I run yarn why pac-resolver in /vendor, I don't get anything:

➜  vendor git:(main) yarn why pac-resolver
yarn why v1.22.11
[1/4] 🤔  Why do we have the module "pac-resolver"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
error We couldn't find a match!
✨  Done in 0.61s.

I also checked in our fork and don't see anything 🤔

➜  vscode git:(code-server) yarn why pac-resolver
yarn why v1.22.11
[1/4] 🤔  Why do we have the module "pac-resolver"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
error We couldn't find a match!
✨  Done in 2.34s.

Maybe this has been fixed, or I'm doing something wrong. Any ideas @TeffenEllis @code-asher?
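The yarn audit and yarn why runs above only consult the lockfile of the directory they are run in, so a version pinned in a lockfile nested deeper in the vendored tree (vendor/modules/code-oss-dev/yarn.lock rather than vendor/yarn.lock) is never considered. The script below is an added example, not code-server's own tooling: it walks a checkout for every yarn.lock, parses the yarn v1 format and matches the resolved versions against a small advisory list. The advisory ids and versions are the ones quoted in this thread, except the pac-resolver fixed version, which is an assumption; the sample lockfiles are constructed.

```python
"""Find every yarn.lock (yarn v1 format) below a root, parse the resolved
package versions, and match them against a small advisory list.

Added example for this thread; not code from code-server.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed advisories: (package, first fixed version, advisory id).
ADVISORIES = [
    # Fixed version is an assumption here; confirm it against the advisory.
    ("pac-resolver", "5.0.0", "CVE-2021-23406"),
    # Installed 1.0.2 / fixed 2.0.1 as shown in the trivy output in this thread.
    ("nth-check", "2.0.1", "CVE-2021-3803"),
]

# Exactly two spaces of indent: 'version' lines of an entry, not its
# four-space-indented dependency list.
_VERSION_RE = re.compile(r'^\s{2}version\s+"?([^"\s]+)"?\s*$')


def parse_yarn_lock(text: str) -> List[Tuple[str, str]]:
    """Return (package name, resolved version) pairs from a yarn v1 lockfile.

    An entry header is an unindented line ending in ':' that lists one or
    more requested specs, e.g. '"pac-resolver@^4.1.0", pac-resolver@^4.2.0:'.
    The resolved version follows on an indented 'version' line.
    """
    pairs = []
    current = None  # package name of the entry currently being read
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            spec = line.rstrip()[:-1].split(",")[0].strip().strip('"')
            # Split the name from the range at the '@' after position 0 so
            # scoped packages such as '@types/node@^14' keep their scope.
            current = spec[: spec.index("@", 1)] if "@" in spec[1:] else spec
            continue
        m = _VERSION_RE.match(line)
        if m and current:
            pairs.append((current, m.group(1)))
            current = None
    return pairs


def _vtuple(version: str) -> Tuple[int, ...]:
    """Numeric core of a version ('6.1.2' -> (6, 1, 2)); prerelease/build tags ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first fixed version.

    Advisories with several fixed branches (e.g. 6.1.2, 5.0.7, 4.4.15) need a
    per-major comparison; this example keeps a single fixed version.
    """
    return _vtuple(installed) < _vtuple(fixed)


def audit(lockfiles: Dict[str, str], advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (lockfile path, package, installed version, advisory id) for every match."""
    findings = []
    for path, text in sorted(lockfiles.items()):
        for name, version in parse_yarn_lock(text):
            for pkg, fixed, adv_id in advisories:
                if name == pkg and is_vulnerable(version, fixed):
                    findings.append((path, name, version, adv_id))
    return findings


def collect_lockfiles(root: str) -> Dict[str, str]:
    """Read every yarn.lock below root (skipping node_modules), keyed by relative path."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "yarn.lock" in filenames:
            path = os.path.join(dirpath, "yarn.lock")
            with open(path, encoding="utf-8") as fh:
                found[os.path.relpath(path, root)] = fh.read()
    return found


# Constructed sample: the top-level lockfile is clean, while the nested
# vendored lockfile resolves pac-resolver 4.2.0 as reported in this issue.
SAMPLE_LOCKFILES = {
    "yarn.lock": '''# yarn lockfile v1

"@types/node@^14.0.0":
  version "14.17.0"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-14.17.0.tgz"

nth-check@^2.0.0:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-2.0.1.tgz"
''',
    "vendor/modules/code-oss-dev/yarn.lock": '''# yarn lockfile v1

nth-check@^1.0.2, nth-check@~1.0.1:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/nth-check/-/nth-check-1.0.2.tgz"
  dependencies:
    boolbase "~1.0.0"

"pac-resolver@^4.1.0", pac-resolver@^4.2.0:
  version "4.2.0"
  resolved "https://registry.yarnpkg.com/pac-resolver/-/pac-resolver-4.2.0.tgz"
  dependencies:
    degenerator "^2.2.0"
''',
}

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    lockfiles = collect_lockfiles(root) if root else SAMPLE_LOCKFILES
    for path, name, version, adv_id in audit(lockfiles):
        print(f"{path}: {name}@{version} affected by {adv_id}")
```

Run it with a checkout path to scan real nested lockfiles; without arguments it audits the constructed sample, where auditing only the top-level yarn.lock reports nothing and the nested one reports both packages.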

manoharsjoshi commented 2 years ago

Hello @jsjoeio, do you need more information on this?

jsjoeio commented 2 years ago

@manoharsjoshi - yes, if you don't mind! I am wondering if it's been fixed already. I couldn't reproduce or find it using main or code-server in the VS Code fork repo.

greyscaled commented 2 years ago

I'll take a look with trivy.

greyscaled commented 2 years ago

@jsjoeio I actually found a quite extensive list of vulns in vendor using trivy:
modules/code-oss-dev/build/lib/watch/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/build/win32/Cargo.lock
===========================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+---------+-------------------+----------+-------------------+---------------+---------------------------------------------+
| LIBRARY | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION | FIXED VERSION |                    TITLE                    |
+---------+-------------------+----------+-------------------+---------------+---------------------------------------------+
| term    | RUSTSEC-2018-0015 | UNKNOWN  | 0.4.6             |               | term is looking for a new maintainer        |
|         |                   |          |                   |               | -->rustsec.org/advisories/RUSTSEC-2018-0015 |
+---------+-------------------+----------+-------------------+---------------+---------------------------------------------+

modules/code-oss-dev/build/yarn.lock
====================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 3, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| nth-check  | CVE-2021-3803    | HIGH     | 1.0.2             | 2.0.1         | nodejs-nth-check: inefficient         |
|            |                  |          |                   |               | regular expression complexity         |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3803  |
+------------+------------------+          +-------------------+---------------+---------------------------------------+
| underscore | CVE-2021-23358   |          | 1.8.3             | 1.12.1        | nodejs-underscore: Arbitrary code     |
|            |                  |          |                   |               | execution via the template function   |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23358 |
+            +                  +          +-------------------+               +                                       +
|            |                  |          | 1.9.1             |               |                                       |
|            |                  |          |                   |               |                                       |
|            |                  |          |                   |               |                                       |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| xmldom     | CVE-2021-21366   | MEDIUM   | 0.1.31            | 0.5.0         | Misinterpretation of                  |
|            |                  |          |                   |               | malicious XML input                   |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-21366 |
+            +------------------+          +                   +---------------+---------------------------------------+
|            | CVE-2021-32796   |          |                   |               | nodejs-xmldom: misinterpretation      |
|            |                  |          |                   |               | of malicious XML input                |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-32796 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/extensions/bat/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/clojure/yarn.lock
=================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/coffeescript/yarn.lock
======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/configuration-editing/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/cpp/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/csharp/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/css-language-features/server/yarn.lock
======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/css-language-features/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/css/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/debug-auto-launch/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/debug-server-ready/yarn.lock
============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/docker/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/emmet/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/extension-editing/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/fsharp/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/git/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/github-authentication/yarn.lock
===============================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| axios   | CVE-2021-3749    | HIGH     | 0.21.1            | 0.21.2        | nodejs-axios: Regular expression     |
|         |                  |          |                   |               | denial of service in trim function   |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3749 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+

modules/code-oss-dev/extensions/github/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/go/yarn.lock
============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/groovy/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/grunt/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/gulp/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/handlebars/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/hlsl/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/html-language-features/server/yarn.lock
=======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/html-language-features/yarn.lock
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/html/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/image-preview/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/ini/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/ipynb/yarn.lock
===============================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| url-parse | CVE-2021-27515   | MEDIUM   | 1.4.7             | 1.5.0         | nodejs-url-parse: mishandling         |
|           |                  |          |                   |               | certain uses of backslash may         |
|           |                  |          |                   |               | lead to confidentiality compromise    |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-27515 |
+           +------------------+          +                   +---------------+---------------------------------------+
|           | CVE-2021-3664    |          |                   | 1.5.2         | nodejs-url-parse: URL                 |
|           |                  |          |                   |               | Redirection to Untrusted Site         |
|           |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3664  |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/extensions/jake/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/java/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/javascript/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/json-language-features/server/yarn.lock
=======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/json-language-features/yarn.lock
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/json/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/less/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/log/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/lua/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/make/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/markdown-basics/yarn.lock
=========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/markdown-language-features/yarn.lock
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/markdown-math/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/merge-conflict/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/microsoft-authentication/yarn.lock
==================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/npm/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/objective-c/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/perl/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/php-language-features/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/php/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/powershell/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/pug/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/python/yarn.lock
================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/r/yarn.lock
===========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/razor/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/ruby/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/rust/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/scss/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/search-result/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/shaderlab/yarn.lock
===================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/shellscript/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/simple-browser/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/sql/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/swift/yarn.lock
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-abyss/yarn.lock
=====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-defaults/yarn.lock
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-kimbie-dark/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-monokai-dimmed/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-monokai/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-quietlight/yarn.lock
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-red/yarn.lock
===================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-seti/yarn.lock
====================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-solarized-dark/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-solarized-light/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/theme-tomorrow-night-blue/yarn.lock
===================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/typescript-basics/yarn.lock
===========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/typescript-language-features/yarn.lock
======================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/vb/yarn.lock
============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/vscode-api-tests/yarn.lock
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/vscode-colorize-tests/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/vscode-custom-editor-tests/yarn.lock
====================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/vscode-notebook-tests/yarn.lock
===============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/vscode-test-resolver/yarn.lock
==============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/xml/yarn.lock
=============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/yaml/yarn.lock
==============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/extensions/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/remote/web/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/remote/yarn.lock
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/test/automation/yarn.lock
==============================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| hosted-git-info | CVE-2021-23362   | MEDIUM   | 2.8.8             | 2.8.9, 3.0.8  | nodejs-hosted-git-info: Regular       |
|                 |                  |          |                   |               | Expression denial of service          |
|                 |                  |          |                   |               | via shortcutMatch in fromUrl()        |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23362 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| merge           | CVE-2020-28499   | CRITICAL | 1.2.1             | 2.1.1         | Prototype Pollution in merge          |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28499 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| minimist        | CVE-2020-7598    | MEDIUM   | 1.2.0             | 1.2.3, 0.2.1  | nodejs-minimist: prototype            |
|                 |                  |          |                   |               | pollution allows adding               |
|                 |                  |          |                   |               | or modifying properties of            |
|                 |                  |          |                   |               | Object.prototype using a...           |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-7598  |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| path-parse      | CVE-2021-23343   | HIGH     | 1.0.6             | 1.0.7         | nodejs-path-parse:                    |
|                 |                  |          |                   |               | ReDoS via splitDeviceRe,              |
|                 |                  |          |                   |               | splitTailRe and splitPathRe           |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23343 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/test/integration/browser/yarn.lock
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/test/leaks/yarn.lock
=========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/test/monaco/yarn.lock
==========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

modules/code-oss-dev/test/smoke/yarn.lock
=========================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+
| merge   | CVE-2020-28499   | CRITICAL | 1.2.1             | 2.1.1         | Prototype Pollution in merge          |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28499 |
+---------+------------------+----------+-------------------+---------------+---------------------------------------+

modules/code-oss-dev/yarn.lock
==============================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 10, CRITICAL: 1)

+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION         |                 TITLE                 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| ansi-regex   | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1                  | node-ansi-regex: inefficient          |
|              |                  |          |                   |                               | regular expression                    |
|              |                  |          |                   |                               | complexity allows for a crash         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3807  |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 4.1.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 5.0.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| glob-parent  | CVE-2020-28469   |          | 3.1.0             | 5.1.2                         | nodejs-glob-parent: Regular           |
|              |                  |          |                   |                               | expression denial of service          |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28469 |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| nth-check    | CVE-2021-3803    |          | 1.0.2             | 2.0.1                         | nodejs-nth-check: inefficient         |
|              |                  |          |                   |                               | regular expression complexity         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3803  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| set-value    | CVE-2021-23440   | CRITICAL | 2.0.1             | 4.0.1                         | nodejs-set-value: type confusion      |
|              |                  |          |                   |                               | allows bypass of CVE-2019-10747       |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| tar          | CVE-2021-32803   | HIGH     | 2.2.2             | 6.1.2, 5.0.7, 4.4.15, 3.2.3   | nodejs-tar: Insufficient symlink      |
|              |                  |          |                   |                               | protection allowing arbitrary         |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32803 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-32804   |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2   | nodejs-tar: Insufficient absolute     |
|              |                  |          |                   |                               | path sanitization allowing arbitrary  |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32804 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37701   |          |                   | 6.1.7, 5.0.8, 4.4.16          | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37701 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37712   |          |                   | 6.1.9, 5.0.10, 4.4.18         | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37712 |
+              +------------------+          +                   +                               +---------------------------------------+
|              | CVE-2021-37713   |          |                   |                               | Arbitrary File Creation/Overwrite     |
|              |                  |          |                   |                               | on Windows via insufficient           |
|              |                  |          |                   |                               | relative path sanitization            |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37713 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| yargs-parser | CVE-2020-7608    | MEDIUM   | 13.1.1            | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype        |
|              |                  |          |                   |                               | pollution vulnerability               |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7608  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+

modules/sumchecker/yarn.lock
============================
Total: 29 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 17, CRITICAL: 3)

+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
|      LIBRARY      |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |         FIXED VERSION         |                    TITLE                     |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| acorn             | GHSA-6chw-6frg-f759 | HIGH     | 7.1.0             | 5.7.4, 7.1.1, 6.4.1           | Regular Expression Denial                    |
|                   |                     |          |                   |                               | of Service in Acorn                          |
|                   |                     |          |                   |                               | -->github.com/advisories/GHSA-6chw-6frg-f759 |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| ansi-regex        | CVE-2021-3807       |          | 4.1.0             | 5.0.1, 6.0.1                  | node-ansi-regex: inefficient                 |
|                   |                     |          |                   |                               | regular expression                           |
|                   |                     |          |                   |                               | complexity allows for a crash                |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3807         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 5.0.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 3.0.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| codecov           | CVE-2020-15123      | CRITICAL | 3.6.1             | 3.7.1                         | Command injection in                         |
|                   |                     |          |                   |                               | codecov (npm package)                        |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-15123        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | CVE-2020-7597       | HIGH     |                   | 3.6.5                         | codecov NPM module allows                    |
|                   |                     |          |                   |                               | remote attackers to                          |
|                   |                     |          |                   |                               | execute arbitrary commands                   |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7597         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| dot-prop          | CVE-2020-8116       |          | 4.2.0             | 5.1.1, 4.2.1                  | nodejs-dot-prop: prototype pollution         |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-8116         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| glob-parent       | CVE-2020-28469      |          | 5.1.0             | 5.1.2                         | nodejs-glob-parent: Regular                  |
|                   |                     |          |                   |                               | expression denial of service                 |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28469        |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 3.1.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| handlebars        | CVE-2021-23369      | CRITICAL | 4.5.3             | 4.7.7                         | nodejs-handlebars: Remote                    |
|                   |                     |          |                   |                               | code execution when compiling                |
|                   |                     |          |                   |                               | untrusted compile templates                  |
|                   |                     |          |                   |                               | with strict:true option...                   |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23369        |
+                   +---------------------+----------+                   +-------------------------------+----------------------------------------------+
|                   | NSWG-ECO-519        | MEDIUM   |                   | >=4.6.0                       | Denial of Service                            |
|                   |                     |          |                   |                               | -->hackerone.com/reports/726364              |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| hosted-git-info   | CVE-2021-23362      |          | 2.8.5             | 2.8.9, 3.0.8                  | nodejs-hosted-git-info: Regular              |
|                   |                     |          |                   |                               | Expression denial of service                 |
|                   |                     |          |                   |                               | via shortcutMatch in fromUrl()               |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23362        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| ini               | CVE-2020-7788       | HIGH     | 1.3.5             | 1.3.6                         | nodejs-ini: Prototype pollution              |
|                   |                     |          |                   |                               | via malicious INI file                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7788         |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| kind-of           | CVE-2019-20149      |          | 6.0.2             | 6.0.3                         | nodejs-kind-of: ctorName in                  |
|                   |                     |          |                   |                               | index.js allows external user input          |
|                   |                     |          |                   |                               | to overwrite certain internal...             |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2019-20149        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| lodash            | CVE-2020-8203       |          | 4.17.15           | 4.17.19                       | nodejs-lodash: prototype pollution           |
|                   |                     |          |                   |                               | in zipObjectDeep function                    |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-8203         |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | CVE-2021-23337      |          |                   | 4.17.21                       | nodejs-lodash: command                       |
|                   |                     |          |                   |                               | injection via template                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23337        |
+                   +---------------------+          +                   +-------------------------------+----------------------------------------------+
|                   | NSWG-ECO-516        |          |                   | >=4.17.19                     | Allocation of Resources                      |
|                   |                     |          |                   |                               | Without Limits or Throttling                 |
|                   |                     |          |                   |                               | -->www.npmjs.com/advisories/1523             |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| minimist          | CVE-2020-7598       | MEDIUM   | 0.0.8             | 1.2.3, 0.2.1                  | nodejs-minimist: prototype                   |
|                   |                     |          |                   |                               | pollution allows adding                      |
|                   |                     |          |                   |                               | or modifying properties of                   |
|                   |                     |          |                   |                               | Object.prototype using a...                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7598         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 1.2.0             |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 0.0.10            |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| node-fetch        | CVE-2020-15168      |          | 2.6.0             | 3.0.0-beta.9, 2.6.1           | node-fetch: size of data after               |
|                   |                     |          |                   |                               | fetch() JS thread leads to DoS               |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-15168        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| normalize-url     | CVE-2021-33502      | HIGH     | 4.5.0             | 4.5.1, 6.0.1, 5.3.1           | normalize-url: ReDoS for data URLs           |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-33502        |
+-------------------+---------------------+          +-------------------+-------------------------------+----------------------------------------------+
| path-parse        | CVE-2021-23343      |          | 1.0.6             | 1.0.7                         | nodejs-path-parse:                           |
|                   |                     |          |                   |                               | ReDoS via splitDeviceRe,                     |
|                   |                     |          |                   |                               | splitTailRe and splitPathRe                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23343        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| set-value         | CVE-2021-23440      | CRITICAL | 2.0.1             | 4.0.1                         | nodejs-set-value: type confusion             |
|                   |                     |          |                   |                               | allows bypass of CVE-2019-10747              |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-newlines     | CVE-2021-33623      | HIGH     | 2.0.0             | 4.0.1, 3.0.1                  | nodejs-trim-newlines:                        |
|                   |                     |          |                   |                               | ReDoS in .end() method                       |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-33623        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| trim-off-newlines | CVE-2021-23425      | MEDIUM   | 1.0.1             |                               | nodejs-trim-off-newlines:                    |
|                   |                     |          |                   |                               | ReDoS via string processing                  |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23425        |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| y18n              | CVE-2020-7774       | HIGH     | 4.0.0             | 5.0.5, 4.0.1, 3.2.2           | nodejs-y18n: prototype                       |
|                   |                     |          |                   |                               | pollution vulnerability                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7774         |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+
| yargs-parser      | CVE-2020-7608       | MEDIUM   | 10.1.0            | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype               |
|                   |                     |          |                   |                               | pollution vulnerability                      |
|                   |                     |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7608         |
+                   +                     +          +-------------------+                               +                                              +
|                   |                     |          | 13.1.1            |                               |                                              |
|                   |                     |          |                   |                               |                                              |
|                   |                     |          |                   |                               |                                              |
+-------------------+---------------------+----------+-------------------+-------------------------------+----------------------------------------------+

yarn.lock
=========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+--------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | node-ansi-regex: inefficient         |
|            |                  |          |                   |               | regular expression                   |
|            |                  |          |                   |               | complexity allows for a crash        |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+------------+------------------+----------+-------------------+---------------+--------------------------------------+

greyscaled commented 2 years ago

The ones called out by this issue are specifically:

modules/code-oss-dev/yarn.lock
==============================
Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 10, CRITICAL: 1)

+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION         |                 TITLE                 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| ansi-regex   | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1                  | node-ansi-regex: inefficient          |
|              |                  |          |                   |                               | regular expression                    |
|              |                  |          |                   |                               | complexity allows for a crash         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3807  |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 4.1.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+              +                  +          +-------------------+                               +                                       +
|              |                  |          | 5.0.0             |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
|              |                  |          |                   |                               |                                       |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| glob-parent  | CVE-2020-28469   |          | 3.1.0             | 5.1.2                         | nodejs-glob-parent: Regular           |
|              |                  |          |                   |                               | expression denial of service          |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-28469 |
+--------------+------------------+          +-------------------+-------------------------------+---------------------------------------+
| nth-check    | CVE-2021-3803    |          | 1.0.2             | 2.0.1                         | nodejs-nth-check: inefficient         |
|              |                  |          |                   |                               | regular expression complexity         |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-3803  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| set-value    | CVE-2021-23440   | CRITICAL | 2.0.1             | 4.0.1                         | nodejs-set-value: type confusion      |
|              |                  |          |                   |                               | allows bypass of CVE-2019-10747       |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-23440 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| tar          | CVE-2021-32803   | HIGH     | 2.2.2             | 6.1.2, 5.0.7, 4.4.15, 3.2.3   | nodejs-tar: Insufficient symlink      |
|              |                  |          |                   |                               | protection allowing arbitrary         |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32803 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-32804   |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2   | nodejs-tar: Insufficient absolute     |
|              |                  |          |                   |                               | path sanitization allowing arbitrary  |
|              |                  |          |                   |                               | file creation and overwrite           |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-32804 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37701   |          |                   | 6.1.7, 5.0.8, 4.4.16          | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37701 |
+              +------------------+          +                   +-------------------------------+---------------------------------------+
|              | CVE-2021-37712   |          |                   | 6.1.9, 5.0.10, 4.4.18         | nodejs-tar: insufficient symlink      |
|              |                  |          |                   |                               | protection due to directory cache     |
|              |                  |          |                   |                               | poisoning using symbolic links...     |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37712 |
+              +------------------+          +                   +                               +---------------------------------------+
|              | CVE-2021-37713   |          |                   |                               | Arbitrary File Creation/Overwrite     |
|              |                  |          |                   |                               | on Windows via insufficient           |
|              |                  |          |                   |                               | relative path sanitization            |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2021-37713 |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+
| yargs-parser | CVE-2020-7608    | MEDIUM   | 13.1.1            | 5.0.1, 13.1.2, 18.1.2, 15.0.1 | nodejs-yargs-parser: prototype        |
|              |                  |          |                   |                               | pollution vulnerability               |
|              |                  |          |                   |                               | -->avd.aquasec.com/nvd/cve-2020-7608  |
+--------------+------------------+----------+-------------------+-------------------------------+---------------------------------------+

However, I don't see 23406.

jsjoeio commented 2 years ago

> @jsjoeio I actually found a quite extensive list of vulns in vendor using trivy:

Amazing! @vapurrmaid what steps did you run to catch these? I can do the same and then submit a PR to https://github.com/cdr/vscode to the code-server branch (that's our equivalent of main).

greyscaled commented 2 years ago

> @jsjoeio I actually found a quite extensive list of vulns in vendor using trivy:
>
> Amazing! @vapurrmaid what steps did you run to catch these? I can do the same and then submit a PR to https://github.com/cdr/vscode to the code-server branch (that's our equivalent of main).

cd vendor
trivy fs .

I have trivy installed in my workspace, so for reproducing in an environment that doesn't already have this installed, you'd need to follow: https://aquasecurity.github.io/trivy/v0.20.0/getting-started/installation/

jsjoeio commented 2 years ago

Easy! Thanks @vapurrmaid 🙌 I'll see if I can knock this out today or tomorrow.

jtfogarty commented 2 years ago

Hi @jsjoeio, I'm seeing the below CVEs when I create a docker image with v3.12.0. Is this issue being worked?

Vulnerabilities
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
|         CVE         | SEVERITY | CVSS |   PACKAGE    | VERSION |            STATUS             |                    DESCRIPTION                     |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23383      | critical | 9.80 | handlebars   | 1.0.0   | fixed in 4.7.7                | The package handlebars before 4.7.7 are vulnerable |
|                     |          |      |              |         | > 5 months ago                | to Prototype Pollution when selecting certain      |
|                     |          |      |              |         |                               | compiling options to compile templates coming from |
|                     |          |      |              |         |                               | an...                                              |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23449      | critical | 9.00 | vm2          | 3.9.3   | fixed in 3.9.4                | This affects the package vm2 before 3.9.4 via      |
|                     |          |      |              |         | 10 days ago                   | a Prototype Pollution attack vector, which can     |
|                     |          |      |              |         |                               | lead to execution of arbitrary code on the host    |
|                     |          |      |              |         |                               | machine.                                           |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23369      | critical | 9.00 | handlebars   | 1.0.0   | fixed in 4.7.7                | The package handlebars before 4.7.7 are vulnerable |
|                     |          |      |              |         | > 5 months ago                | to Remote Code Execution (RCE) when selecting      |
|                     |          |      |              |         |                               | certain compiling options to compile templates     |
|                     |          |      |              |         |                               | coming...                                          |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2019-19919      | critical | 9.00 | handlebars   | 1.0.0   | fixed in 4.3.0                | Versions of handlebars prior to 4.3.0 are          |
|                     |          |      |              |         | > 1 years ago                 | vulnerable to Prototype Pollution leading to       |
|                     |          |      |              |         |                               | Remote Code Execution. Templates may alter an      |
|                     |          |      |              |         |                               | Object\'s __proto...                               |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2019-20920      | high     | 8.10 | handlebars   | 1.0.0   | fixed in 4.5.3, 3.0.8         | Handlebars before 3.0.8 and 4.x before 4.5.3 is    |
|                     |          |      |              |         | > 1 years ago                 | vulnerable to Arbitrary Code Execution. The lookup |
|                     |          |      |              |         |                               | helper fails to properly validate templates,       |
|                     |          |      |              |         |                               | allowi...                                          |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-q42p-pg8m-cqh6 | high     | 7.00 | handlebars   | 1.0.0   | fixed in 3.0.7, 4.0.14, 4.1.2 | Versions of `handlebars` prior to 4.0.14 are       |
|                     |          |      |              |         | > 2 years ago                 | vulnerable to Prototype Pollution. Templates may   |
|                     |          |      |              |         |                               | alter an Objects\' prototype, thus allowing an     |
|                     |          |      |              |         |                               | attacker ...                                       |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-q2c6-c6pm-g3gh | high     | 7.00 | handlebars   | 1.0.0   | fixed in 4.5.3, 3.0.8         | Versions of `handlebars` prior to 3.0.8 or 4.5.3   |
|                     |          |      |              |         | > 1 years ago                 | are vulnerable to Arbitrary Code Execution.        |
|                     |          |      |              |         |                               | The package\'s lookup helper fails to properly     |
|                     |          |      |              |         |                               | validate t...                                      |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-g9r4-xpmj-mj65 | high     | 7.00 | handlebars   | 1.0.0   | fixed in 4.5.3, 3.0.8         | Versions of `handlebars` prior to 3.0.8 or 4.5.3   |
|                     |          |      |              |         | > 1 years ago                 | are vulnerable to prototype pollution. It is       |
|                     |          |      |              |         |                               | possible to add or modify properties to the Object |
|                     |          |      |              |         |                               | proto...                                           |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| GHSA-2cf5-4w76-r9qv | high     | 7.00 | handlebars   | 1.0.0   | fixed in 4.5.2, 3.0.8         | Versions of `handlebars` prior to 3.0.8 or 4.5.2   |
|                     |          |      |              |         | > 1 years ago                 | are vulnerable to Arbitrary Code Execution.        |
|                     |          |      |              |         |                               | The package\'s lookup helper fails to properly     |
|                     |          |      |              |         |                               | validate t...                                      |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-23406      | high     | 7.00 | pac-resolver | 4.2.0   | fixed in 5.0.0                | This affects the package pac-resolver before       |
|                     |          |      |              |         | 56 days ago                   | 5.0.0. This can occur when used with untrusted     |
|                     |          |      |              |         |                               | input, due to unsafe PAC file handling. **NOTE:**  |
|                     |          |      |              |         |                               | The fix ...                                        |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-21353      | high     | 7.00 | pug          | 1.0.0   | fixed in 3.0.1                | Pug is an npm package which is a high-performance  |
|                     |          |      |              |         | > 8 months ago                | template engine. In pug before version 3.0.1, if   |
|                     |          |      |              |         |                               | a remote attacker was able to control the `pretty` |
|                     |          |      |              |         |                               | ...                                                |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2020-7788       | high     | 7.00 | ini          | 1.0.0   | fixed in 1.3.6                | This affects the package ini before 1.3.6. If      |
|                     |          |      |              |         | > 10 months ago               | an attacker submits a malicious INI file to an     |
|                     |          |      |              |         |                               | application that parses it with ini.parse, they    |
|                     |          |      |              |         |                               | will poll...                                       |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2020-7729       | high     | 7.00 | grunt        | 1.0.0   | fixed in 1.3.0                | The package grunt before 1.3.0 are vulnerable      |
|                     |          |      |              |         | > 5 months ago                | to Arbitrary Code Execution due to the default     |
|                     |          |      |              |         |                               | usage of the function load() instead of its secure |
|                     |          |      |              |         |                               | replac...                                          |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2020-7712       | high     | 7.00 | json         | 1.0.0   | fixed in 10.0.0               | This affects the package json before 10.0.0. It    |
|                     |          |      |              |         | > 5 months ago                | is possible to inject arbritary commands using the |
|                     |          |      |              |         |                               | parseLookup function.                              |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2019-16775      | high     | 7.00 | npm          | 1.0.1   | fixed in 6.13.3               | Versions of the npm CLI prior to 6.13.3 are        |
|                     |          |      |              |         | > 1 years ago                 | vulnerable to an Arbitrary File Write. It is       |
|                     |          |      |              |         |                               | possible for packages to create symlinks to files  |
|                     |          |      |              |         |                               | outside of ...                                     |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2016-3956       | high     | 7.00 | npm          | 1.0.1   | fixed in 3.8.3, 2.15.1        | The CLI in npm before 2.15.1 and 3.x before        |
|                     |          |      |              |         | > 3 years ago                 | 3.8.3, as used in Node.js 0.10 before 0.10.44,     |
|                     |          |      |              |         |                               | 0.12 before 0.12.13, 4 before 4.4.2, and 5 before  |
|                     |          |      |              |         |                               | 5.10.0, i...                                       |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| PRISMA-2021-0056    | high     | 0.00 | json         | 1.0.0   | fixed in 11.0.0               | json package versions before 11.0.0 are vulnerable |
|                     |          |      |              |         |                               | to RCE via the -d argument. If attackers or        |
|                     |          |      |              |         |                               | malicious users can control -d argument, they can  |
|                     |          |      |              |         |                               | execu...                                           |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2021-3807       | moderate | 4.00 | ansi-regex   | 3.0.0   | fixed in 5.0.1, 6.0.1         | ansi-regex is vulnerable to Inefficient Regular    |
|                     |          |      |              |         | 38 days ago                   | Expression Complexity                              |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+
| CVE-2015-8861       | moderate | 4.00 | handlebars   | 1.0.0   | fixed in 4.0.0                | The handlebars package before 4.0.0 for Node.js    |
|                     |          |      |              |         | > 3 years ago                 | allows remote attackers to conduct cross-site      |
|                     |          |      |              |         |                               | scripting (XSS) attacks by leveraging a template   |
|                     |          |      |              |         |                               | with an...                                         |
+---------------------+----------+------+--------------+---------+-------------------------------+----------------------------------------------------+

jsjoeio commented 2 years ago

@jtfogarty thanks for the table! Yes, going to add this to the current milestone and see if we can get this fixed before the next release. cc @TeffenEllis (just so you are aware in case any of these are coming from our fork)

jsjoeio commented 2 years ago

Notes

Investigating with yarn _audit, I don't see any vulnerabilities:

➜  code-server git:(jsjoeio-fix-deps) ✗ yarn _audit
yarn run v1.22.11
$ ./ci/dev/audit.sh
$ /Users/jp/Dev/coder/code-server/node_modules/.bin/audit-ci --moderate
audit-ci version: 4.1.0
Yarn audit report results:
{
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 0,
    "high": 0,
    "critical": 0
  },
  "dependencies": 703,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 703
}

Now running trivy fs . from the root, I see these:

➜  code-server git:(jsjoeio-fix-deps) ✗ trivy fs .
2021-11-02T15:30:09.705-0700    INFO    Need to update DB
2021-11-02T15:30:09.705-0700    INFO    Downloading DB...
24.54 MiB / 24.54 MiB [------] 100.00% 19.58 MiB p/s 2s
2021-11-02T15:30:13.302-0700    INFO    Number of language-specific files: 7
2021-11-02T15:30:13.302-0700    INFO    Detecting yarn vulnerabilities...

test/yarn.lock (yarn)
=====================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+------------+------------------+----------+-------------------+---------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+
| path-parse | CVE-2021-23343   | HIGH     | 1.0.6             | 1.0.7         | nodejs-path-parse:                    |
|            |                  |          |                   |               | ReDoS via splitDeviceRe,              |
|            |                  |          |                   |               | splitTailRe and splitPathRe           |
|            |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23343 |
+------------+------------------+----------+-------------------+---------------+---------------------------------------+

We're already using path-parse 1.0.7 so this is a false alarm. There's also a bug in Trivy that was introduced recently causing it to show false positives for security vulnerabilities. This is specifically for the dependencies in code-server itself (not vendor/modules/code-oss-dev).

If we do the same for vendor/modules/code-oss-dev or specifically, our fork, we can do:

npx audit-ci --moderate

to first check with the same tool we use in code-server (there we run yarn _audit). We get this:

{
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 21,
    "high": 18,
    "critical": 0
  },
  "dependencies": 1834,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 1834
}

Hmm...this is a bit tricky. These are all upstream, which means they're not only affecting the code-server community but the VS Code community. I feel like these should be fixed upstream.
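
A check for the gap this thread keeps running into (yarn audit and yarn why run inside vendor/ only consult vendor/yarn.lock, while the pinned pac-resolver sits in the nested vendor/modules/code-oss-dev/yarn.lock), as an added example that is not code-server's own tooling: it parses every yarn v1 lockfile under a checkout and compares the resolved versions against a small advisory table. The advisory entries are the "fixed in" values quoted in this issue; the two lockfile snippets are constructed, and the path-parse 1.0.7 entry reproduces the false alarm mentioned above (the resolved version is already at the fix, so it is not reported).

```python
"""Audit every yarn v1 lockfile under a checkout against a small advisory table.

Added example, not code-server's own tooling. ADVISORIES holds the "fixed in"
values quoted in this issue; SAMPLE_LOCKFILES is constructed to mimic the
layout described here (vendor/yarn.lock plus the nested
vendor/modules/code-oss-dev/yarn.lock that carries pac-resolver 4.2.0).
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str
    fixed_in: Tuple[str, ...]  # one fixed release per affected major line


# "fixed in X" as quoted in this thread: versions below X are affected.
ADVISORIES: List[Advisory] = [
    Advisory("pac-resolver", "CVE-2021-23406", ("5.0.0",)),
    Advisory("tar", "CVE-2021-32803", ("6.1.2", "5.0.7", "4.4.15", "3.2.3")),
    Advisory("yargs-parser", "CVE-2020-7608", ("5.0.1", "13.1.2", "18.1.2", "15.0.1")),
    Advisory("path-parse", "CVE-2021-23343", ("1.0.7",)),
]


@dataclass(frozen=True)
class Finding:
    lockfile: str
    package: str
    version: str
    advisory_id: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.2.0' -> (4, 2, 0); pre-release/build suffixes are ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(installed: str, fixed_in: Iterable[str]) -> bool:
    """Below the fix for the same major line counts as affected; a major line
    with no fix of its own is affected only if it predates the oldest fix."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_in)
    same_major = [f for f in fixes if f[0] == inst[0]]
    return inst < (same_major[0] if same_major else fixes[0])


ENTRY_HEADER = re.compile(r'^(\S.*):\s*$')              # unindented 'name@range, name@range:'
VERSION_LINE = re.compile(r'^  version "([^"]+)"\s*$')  # 2-space indented, top of an entry


def parse_yarn_lock(text: str) -> Dict[str, Set[str]]:
    """Map package name -> resolved versions for a yarn v1 lockfile."""
    resolved: Dict[str, Set[str]] = {}
    current: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        header = ENTRY_HEADER.match(line)
        if header:
            # Split on the last '@' so scoped names such as @types/node survive.
            keys = (k.strip().strip('"') for k in header.group(1).split(","))
            current = [k[: k.rfind("@")] for k in keys]
            continue
        version = VERSION_LINE.match(line)
        if version:
            for name in current:
                resolved.setdefault(name, set()).add(version.group(1))
    return resolved


def audit_lockfiles(lockfiles: Dict[str, str], advisories: List[Advisory]) -> List[Finding]:
    """Check lockfile texts (keyed by path) against the advisory table."""
    findings: List[Finding] = []
    for path, text in lockfiles.items():
        resolved = parse_yarn_lock(text)
        for adv in advisories:
            for ver in sorted(resolved.get(adv.package, ())):
                if is_affected(ver, adv.fixed_in):
                    findings.append(Finding(path, adv.package, ver, adv.advisory_id))
    return findings


def audit_tree(root: str, advisories: List[Advisory] = ADVISORIES) -> List[Finding]:
    """Walk a checkout and audit every yarn.lock, nested ones included: the
    gap that running yarn audit / yarn why inside vendor/ alone leaves open."""
    lockfiles: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "yarn.lock" in filenames:
            path = os.path.join(dirpath, "yarn.lock")
            with open(path, encoding="utf-8") as fh:
                lockfiles[os.path.relpath(path, root)] = fh.read()
    return audit_lockfiles(lockfiles, advisories)


# Constructed lockfile snippets (not the real code-server files).
SAMPLE_LOCKFILES: Dict[str, str] = {
    "vendor/yarn.lock": """# yarn lockfile v1

path-parse@^1.0.6:
  version "1.0.7"
""",
    "vendor/modules/code-oss-dev/yarn.lock": """# yarn lockfile v1

"@types/node@*", "@types/node@^14.0.0":
  version "14.17.0"

pac-resolver@^4.0.0:
  version "4.2.0"
  dependencies:
    degenerator "^2.2.0"

tar@^2.2.1:
  version "2.2.2"

tar@^6.0.2:
  version "6.1.11"
""",
}

if __name__ == "__main__":
    for f in audit_lockfiles(SAMPLE_LOCKFILES, ADVISORIES):
        print(f"{f.lockfile}: {f.package}@{f.version} affected by {f.advisory_id}")
```

On the sample input only the nested lockfile produces findings (pac-resolver 4.2.0 and the old tar 2.x line); tar 6.1.11 and path-parse 1.0.7 sit at or above their fixes. Pointing audit_tree at a real checkout root is the way to use it: it reads every yarn.lock below that directory, which is exactly what a per-directory yarn audit does not do.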

jsjoeio commented 2 years ago

There's also a bug with trivy reporting other security vulnerabilities falsely. See here.