coder / code-server

VS Code in the browser
https://coder.com
MIT License

[Docs]: list of false-positive CVEs (critical handlebars CVEs) #6332

Open alexander-dammeier opened 1 year ago

alexander-dammeier commented 1 year ago

What is your suggestion?

We evaluate coder in a high security offline environment. For that, we scanned our workspace image with code-server preinstalled with trivy. There were critical CVEs found but we think that they are false positives. Can you please confirm that? This could be added to the docs too.

We found the handlebars CVEs cve-2019-19919, cve-2021-23369, cve-2021-23383 in code-server/lib/code-server-4.13.0/lib/vscode/extensions/handlebars/package.json. We think that Trivy is misled by the name of this component and thinks that it refers to handlebars on npm and not to the vs-code plugin with the same name.

How will this improve the docs?

Security-oriented teams like us will benefit from that because they can forward the false-positive list to their security team to still get the permission to use the software.

Can you confirm that CVEs are false-positives, so that we can forward that to the security team responsible for us?

code-asher commented 1 year ago

Ah yup, we have run into this ourselves before (and with many others in lib/vscode/extensions). Your analysis is spot-on; that is indeed a false positive.

Adding this to the docs makes sense to me, maybe to SECURITY.md.

mirekphd commented 1 year ago

Anchore Grype has the same problem with the custom handlebars as Trivy.

Here's the list of such detections for v4.16.1:

Package                           Version_Installed        Vulnerability_ID     Severity   Locations_RealPath
handlebars                        1.0.0                    GHSA-765h-qjxv-5f44  Critical   /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json
handlebars                        1.0.0                    GHSA-f2jv-r9rf-7988  Critical   /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json
handlebars                        1.0.0                    GHSA-w457-6q6x-cgp9  Critical   /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json

mirekphd commented 1 year ago

More importantly, critical vulnerabilities are also detected in the vm2 node module used in v4.16.1:

vm2                               3.9.19                   GHSA-cchq-frgv-rjh5  Critical   /usr/lib/code-server/node_modules/vm2/package.json
vm2                               3.9.19                   GHSA-g644-9gfx-q4q4  Critical   /usr/lib/code-server/node_modules/vm2/package.json

Due to them, the vm2 NPM package will be discontinued. I've opened a separate issue with code-server (https://github.com/coder/code-server/issues/6387) to let us replace this vulnerable package here.

mjschmidt commented 4 months ago

Any actual solution to the handlebars issue being pursued? I see the other vulnerability was addressed in #6387.

code-asher commented 4 months ago

The best we can do as far as work in this repo is to document in SECURITY.md that anything in the format lib/vscode/extensions/$name/package.json is a false positive. Unless Trivy becomes smarter about how it detects npm packages, I think it will always appear in security scans.

For folks using Trivy, maybe we can recommend something like trivy --skip-files "lib/vscode/extensions/*/package.json"? I have not tested that flag but it seems like it should work based on the documentation. https://aquasecurity.github.io/trivy/v0.50/docs/configuration/skipping/
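A stricter alternative to skipping every `lib/vscode/extensions/*/package.json` outright is to post-process the scanner output and separate findings that only match a built-in VS Code extension's `package.json` from findings against real `node_modules` packages such as vm2. The script below is an added example, not code from the code-server project or from anyone in this thread. It assumes the whitespace-separated five-column table layout Grype printed above (Package, Version_Installed, Vulnerability_ID, Severity, Locations_RealPath); the sample rows are constructed from the lines quoted in this issue, and the path pattern `lib/vscode/extensions/<name>/package.json` is the one code-asher describes.

```python
"""Triage vulnerability-scanner findings from a code-server image scan.

Added example (not code-server's own code). A finding is marked as a probable
false positive only when the matched "package" is a VS Code built-in extension:
its package.json sits directly at lib/vscode/extensions/<name>/package.json and
<name> equals the reported package name. Real npm dependencies (the vm2 rows)
and anything vendored deeper inside an extension stay actionable.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the Grype rows quoted in this thread, one per line.
SAMPLE_REPORT = """\
Package    Version_Installed  Vulnerability_ID     Severity  Locations_RealPath
handlebars 1.0.0              GHSA-765h-qjxv-5f44  Critical  /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json
handlebars 1.0.0              GHSA-f2jv-r9rf-7988  Critical  /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json
handlebars 1.0.0              GHSA-w457-6q6x-cgp9  Critical  /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json
vm2        3.9.19             GHSA-cchq-frgv-rjh5  Critical  /usr/lib/code-server/node_modules/vm2/package.json
vm2        3.9.19             GHSA-g644-9gfx-q4q4  Critical  /usr/lib/code-server/node_modules/vm2/package.json
"""

# A package.json directly under lib/vscode/extensions/<name>/ describes a
# built-in VS Code extension, not the npm package that shares its name.
# The anchored "/package.json$" means an extension's own node_modules
# (.../extensions/<name>/node_modules/<pkg>/package.json) does NOT match.
BUILTIN_EXT_RE = re.compile(r"/lib/vscode/extensions/([^/]+)/package\.json$")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str
    path: str

    @property
    def probable_false_positive(self) -> bool:
        m = BUILTIN_EXT_RE.search(self.path)
        # Also require the extension directory name to equal the package name,
        # so a mismatch is surfaced for a human rather than silently suppressed.
        return m is not None and m.group(1) == self.package


def parse_report(text: str) -> list[Finding]:
    """Parse the whitespace-separated table, skipping the header row."""
    findings: list[Finding] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] == "Package":
            continue
        findings.append(Finding(*cols))
    return findings


def triage(text: str) -> dict[str, list[str]]:
    """Bucket vulnerability IDs into 'actionable' and 'false_positive'."""
    result: dict[str, list[str]] = {"actionable": [], "false_positive": []}
    for f in parse_report(text):
        bucket = "false_positive" if f.probable_false_positive else "actionable"
        result[bucket].append(f.vuln_id)
    return result


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {', '.join(ids)}")
```

Run against the sample, the three handlebars GHSA IDs land in `false_positive` while both vm2 IDs stay `actionable`, which is the split a security team reviewing the scan wants to see. Because the match is anchored on the extension's own `package.json` and on the directory name, a genuine npm dependency vendored under an extension's `node_modules` is still reported, which a blanket skip glob would hide.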

code-asher commented 4 months ago

Oh also I just found https://github.com/aquasecurity/trivy/discussions/6112