cypress-io / cypress-docker-images

Docker images with Cypress dependencies and browsers
https://on.cypress.io/continuous-integration
MIT License

Critical vulnerabilities reported for cypress/factory #1115

Closed sergiubologa closed 3 weeks ago

sergiubologa commented 3 weeks ago

Hello,

I'm using the latest cypress/factory:4.0.2 image to run our tests in CI/CD pipelines. When building our image we are also scanning it for known security vulnerabilities with Wiz.

I am using the following Node, Chrome and Cypress versions:

ARG NODE_VERSION='20.14.0'
ARG CHROME_VERSION='126.0.6478.55-1'
ARG CYPRESS_VERSION='13.11.0'

It finds a lot of outdated versions and security issues:

Evaluated policies: Default secrets policy, Default sensitive data policy, Default vulnerabilities policy
Failed policy: Default vulnerabilities policy
Vulnerable packages: CRITICAL: 6, HIGH: 29, MEDIUM: 64, LOW: 41, INFORMATIONAL: 0
    Total: 140
Vulnerabilities: CRITICAL: 6, HIGH: 35, MEDIUM: 149, LOW: 176, INFORMATIONAL: 7
    Total: 373, out of which 45 are fixable
Directories scanned: 25829, Files scanned: 210985
Scan results: FAILED. Container image does not meet policy requirements

Here's a text file with all the scan results: scan-cypress.txt

MikeMcC399 commented 3 weeks ago

@sergiubologa

Cypress Docker images cannot fix vulnerabilities which have not been fixed upstream.

sergiubologa commented 3 weeks ago

Right, but Cypress uses some node modules that have Critical issues:

Name: underscore, Version: 1.6.0, Path: /root/.cache/Cypress/13.11.0/Cypress/resources/app/node_modules/underscore/package.json
            Failed policy: Default vulnerabilities policy
            CVE-2021-23358, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
                CVSS score: 7.2, CVSS exploitability score: 1.2
                Fixed version: 1.12.1

Name: loader-utils, Version: 1.4.0, Path: /root/.cache/Cypress/13.11.0/Cypress/resources/app/node_modules/loader-utils/package.json
            Failed policy: Default vulnerabilities policy
            CVE-2022-37601, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-76p3-8jx3-jpfq
                CVSS score: 9.8, CVSS exploitability score: 3.9
                Fixed version: 1.4.1
                Has public exploit
            CVE-2022-37599, Severity: HIGH, Source: https://github.com/advisories/GHSA-hhq3-ff78-jv3g
                CVSS score: 7.5, CVSS exploitability score: 3.9
                Fixed version: 1.4.2
            CVE-2022-37603, Severity: HIGH, Source: https://github.com/advisories/GHSA-3rfm-jhwj-7488
                CVSS score: 7.5, CVSS exploitability score: 3.9
                Fixed version: 1.4.2
                Has public exploit

Name: flat, Version: 4.1.1, Path: /root/.cache/Cypress/13.11.0/Cypress/resources/app/node_modules/flat/package.json
            Failed policy: Default vulnerabilities policy
            CVE-2020-36632, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
                CVSS score: 9.8, CVSS exploitability score: 3.9
                Fixed version: 5.0.1
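As an added example, not part of this thread or of the cypress-docker-images project: a small Python check that reads the package.json files under the node_modules path the scan reported and lists which of the flagged modules are still below the scanner's "Fixed version", so the same triage can be rerun after pulling an image built on a newer Cypress release. The sample tree is constructed to mirror the scan above; the package names, CVE ids and fixed versions are the scan's own.

```python
# Added example (not project code): re-check the scan's flagged modules in a Cypress node_modules tree.
import json
import os
import re
import tempfile

# CVE -> (package, first fixed version), copied from the scan output in the thread.
FLAGGED = {
    "CVE-2021-23358": ("underscore", "1.12.1"),
    "CVE-2022-37601": ("loader-utils", "1.4.1"),
    "CVE-2022-37599": ("loader-utils", "1.4.2"),
    "CVE-2022-37603": ("loader-utils", "1.4.2"),
    "CVE-2020-36632": ("flat", "5.0.1"),
}

def version_key(version):
    """Numeric (major, minor, patch) tuple for semver-style strings; pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def installed_versions(node_modules):
    """Map package name -> version from each direct child's package.json."""
    found = {}
    for name in os.listdir(node_modules):
        manifest = os.path.join(node_modules, name, "package.json")
        if os.path.isfile(manifest):
            with open(manifest) as fh:
                data = json.load(fh)
            found[data["name"]] = data["version"]
    return found

def still_vulnerable(node_modules):
    """Return {cve: (package, installed, fixed)} for flagged packages below their fix."""
    installed = installed_versions(node_modules)
    return {cve: (pkg, installed[pkg], fixed)
            for cve, (pkg, fixed) in FLAGGED.items()
            if pkg in installed and version_key(installed[pkg]) < version_key(fixed)}

def make_sample_tree(versions):
    """Constructed stand-in for /root/.cache/Cypress/<ver>/Cypress/resources/app/node_modules."""
    root = os.path.join(tempfile.mkdtemp(), "Cypress", "resources", "app", "node_modules")
    for pkg, ver in versions.items():
        os.makedirs(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "package.json"), "w") as fh:
            json.dump({"name": pkg, "version": ver}, fh)
    return root

if __name__ == "__main__":
    tree = make_sample_tree({"underscore": "1.6.0", "loader-utils": "1.4.0", "flat": "4.1.1"})
    for cve, (pkg, have, fixed) in sorted(still_vulnerable(tree).items()):
        print(f"{cve}: {pkg} {have} is below fixed version {fixed}")
```

Point `still_vulnerable` at the real cache path from the scan (inside a container started from the image) to check a freshly pulled tag; an empty result means every flagged module is at or above its fixed version.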

MikeMcC399 commented 3 weeks ago

@sergiubologa

I can only give the same comment that I gave in the other issue:

These are not vulnerabilities which can be fixed directly by cypress/included Docker images. Any fixes would need to come from the upstream repo https://github.com/cypress-io/cypress. The Cypress binary is installed as-provided and it is not manipulated by the Cypress Docker image process.

sergiubologa commented 3 weeks ago

Thank you

MikeMcC399 commented 3 weeks ago

There are separate issues for each of the vulnerabilities you mention:

I'm going to close this issue now as the follow-up needs to be done through https://github.com/cypress-io/cypress. As soon as any new Cypress version is released, a new cypress/included Cypress Docker image version is also released. So if there are vulnerability fixes they are dealt with as best and as fast as possible.

MikeMcC399 commented 3 weeks ago

@sergiubologa

I have linked the existing reports back to this issue. You can subscribe to the issues if you want to follow their resolution.