docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

Non existing vulnerability listed for npm (yarn) package #131

Closed renepupil closed 4 days ago

renepupil commented 4 days ago

Docker Desktop 4.31.0 (153195) docker scout 1.9.3 (this outdated version is bound to latest Docker Desktop)

Vulnerability:

pkg:npm/loader-utils@1.4.0

    ✗ CRITICAL CVE-2022-37601 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')]
      https://scout.docker.com/v/CVE-2022-37601
      Affected range : <1.4.1
      Fixed version  : 1.4.1
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    ✗ HIGH CVE-2022-37603 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-37603
      Affected range : >=1.0.0
                     : <1.4.2
      Fixed version  : 1.4.2
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    ✗ HIGH CVE-2022-37599 [Inefficient Regular Expression Complexity]
      https://scout.docker.com/v/CVE-2022-37599
      Affected range : >=1.0.0
                     : <1.4.2
      Fixed version  : 1.4.2
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Checking version with npm:

# npm list loader-utils
app@ /app
+-- @symfony/stimulus-bridge@2.1.0
| `-- loader-utils@2.0.4
+-- @symfony/webpack-encore@4.2.0
| `-- resolve-url-loader@5.0.0
|   +-- adjust-sourcemap-loader@4.0.0
|   | `-- loader-utils@2.0.4
|   `-- loader-utils@2.0.4
+-- babel-loader@8.3.0
| `-- loader-utils@2.0.4
+-- copy-webpack-plugin@7.0.0
| `-- loader-utils@2.0.4
+-- file-loader@6.2.0
| `-- loader-utils@2.0.4
+-- loader-utils@3.2.1
`-- webpack-jquery-ui@2.0.1
  +-- css-loader@1.0.1
  | `-- loader-utils@1.4.2
  +-- file-loader@1.1.11
  | `-- loader-utils@1.4.2 deduped
  `-- style-loader@0.21.0
    `-- loader-utils@1.4.2

There is no version 1.4.0 installed, only 1.4.2 (or higher).

I suspect "scout" is checking the package.json, ignoring lock files like yarn.lock, but even if you ONLY consider the package.json, it should "follow" the installation logic of installing the "highest possible version" when ^ is used, therefore I would expect this vulnerability not to show...

What is the logic behind that?

cdupuis commented 4 days ago

@renepupil, Docker Scout uses the package.json files of the actually installed node modules in node_modules folders when analysing a container image.

Could you please run the command with --locations option to see where Scout has detected this version of the loader-utils package. Alternatively, if you could point me to an image on Docker Hub, I'm happy to investigate myself.
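As an added illustration of the detection model described in the comment above (example code written for this page, not Docker Scout's own implementation): a small Python inventory that walks a filesystem for package.json files sitting under any node_modules directory and reports every installed copy together with its path, the same kind of location-aware output the --locations option gives. The sample directory tree, the advisory table and all function names are constructed for the example; the package versions and affected ranges are the ones from the report above.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample image filesystem, mirroring the issue: the application's own
# loader-utils copies are 1.4.2 and 3.2.1, while the Cypress cache under /root
# ships its own node_modules tree with loader-utils 1.4.0.
SAMPLE_PACKAGES = {
    "app/node_modules/loader-utils": "3.2.1",
    "app/node_modules/css-loader/node_modules/loader-utils": "1.4.2",
    "app/node_modules/@symfony/stimulus-bridge": "2.1.0",
    "root/.cache/Cypress/13.12.0/Cypress/resources/app/node_modules/loader-utils": "1.4.0",
}

# Constructed advisory table: CVE ids and affected ranges as listed in the report.
ADVISORIES = [
    ("CVE-2022-37601", "loader-utils", ["<1.4.1"]),
    ("CVE-2022-37603", "loader-utils", [">=1.0.0", "<1.4.2"]),
    ("CVE-2022-37599", "loader-utils", [">=1.0.0", "<1.4.2"]),
]


def build_sample_tree(root: Path) -> None:
    """Write a minimal package.json for every constructed package directory."""
    for rel, version in SAMPLE_PACKAGES.items():
        pkg_dir = root / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        name = rel.split("node_modules/")[-1]  # keeps scoped names like @symfony/x
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, "version": version}))


def find_installed_packages(root: Path) -> list[dict]:
    """Inventory every package.json inside a node_modules directory.

    This looks at what is actually installed on the filesystem, not at the
    application's own package.json or lock file, so copies living in caches
    (here: Cypress) are found as well.
    """
    found = []
    for pj in root.rglob("package.json"):
        if "node_modules" not in pj.parts:
            continue
        try:
            meta = json.loads(pj.read_text())
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort
        if not isinstance(meta, dict) or "name" not in meta or "version" not in meta:
            continue
        found.append({"name": meta["name"], "version": str(meta["version"]),
                      "location": "/" + pj.relative_to(root).as_posix()})
    return sorted(found, key=lambda p: (p["name"], p["location"]))


def parse_version(text: str) -> tuple:
    """Minimal semver core parser (major.minor.patch); pre-release/build tags are ignored."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}


def in_range(version: str, constraints: list[str]) -> bool:
    """True if version satisfies every constraint, e.g. [">=1.0.0", "<1.4.2"]."""
    v = parse_version(version)
    for c in constraints:
        op = "".join(ch for ch in c if ch in "<>=") or "="
        if not _OPS[op](v, parse_version(c[len(op):].strip())):
            return False
    return True


def match_advisories(root: Path, advisories=ADVISORIES) -> list[dict]:
    """Report each installed copy that falls in an advisory's affected range, with its path."""
    hits = []
    for pkg in find_installed_packages(root):
        for cve, name, constraints in advisories:
            if pkg["name"] == name and in_range(pkg["version"], constraints):
                hits.append({"cve": cve, **pkg})
    return hits


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp dir and return the location-aware findings."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return match_advisories(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['cve']}  {hit['name']}@{hit['version']}  {hit['location']}")
```

Pointed at an exported image filesystem instead of the constructed tree, the same walk shows why `npm list` in /app and the scanner disagree: the only copy in the affected range sits under /root/.cache/Cypress/..., which the application's package.json and lock file never describe. The path is the useful part of the finding, which is why looking at locations first saves a round of confusion.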

renepupil commented 4 days ago

@cdupuis Fascinating, I am sorry for the wrong accusation!

All our npm vulnerabilities come from /root/.cache/Cypress/13.12.0/Cypress/resources/app/node_modules

e.g. /root/.cache/Cypress/13.12.0/Cypress/resources/app/node_modules/loader-utils/package.json

So Cypress creates its own dependencies independent of our package.json dependencies. :facepalm:

My proposal to mitigate future confusion is to make the --location option a default. I think this will reduce the number of issues here a lot...

renepupil commented 4 days ago

@cdupuis Added this discussion: https://github.com/docker/scout-cli/discussions/132

Sorry for wasting your time...

cdupuis commented 4 days ago

@renepupil absolutely no problem! This is what the issue tracker is for. Happy to assist any time.

Thank you for taking the time to report issues and helping to make Scout better for everyone!