Closed renepupil closed 4 days ago
@renepupil, Docker Scout uses package.json files for actual installed node modules in node_modules folders when analysing a container image.
Could you please run the command with the --locations option to see where Scout has detected this version of the loader-utils package. Alternatively, if you could point me to an image on Docker Hub, I'm happy to investigate myself.
@cdupuis Fascinating, I am sorry for the wrong accusation!
All our npm vulnerabilities come from /root/.cache/Cypress/13.12.0/Cypress/resources/app/node_modules, e.g. /root/.cache/Cypress/13.12.0/Cypress/resources/app/node_modules/loader-utils/package.json
So Cypress creates its own dependencies, independent of our package.json dependencies. :facepalm:
My proposal to mitigate future confusion is to make the --location option a default. I think this will reduce the number of issues here a lot...
@cdupuis Added this discussion: https://github.com/docker/scout-cli/discussions/132
Sorry for wasting your time...
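As an added example (not code from this thread, from Docker Scout, or from Cypress), the following Python script reproduces the lookup cdupuis describes above: it walks a filesystem tree such as an exported container rootfs and reports every installed npm package by the version recorded in its node_modules/<name>/package.json, ignoring the application's declared ranges and lock files, so a flagged version can be traced to the directory it actually lives in. The directory layout it builds, an app with loader-utils 1.4.2 installed next to a Cypress cache that ships its own loader-utils 1.4.0, is constructed for this example, and the function names are assumptions of mine rather than anything Scout exposes.

```python
import json
import os
import tempfile
from pathlib import Path


def find_installed_packages(root):
    """Return sorted (name, version, path-to-package.json) tuples for every
    package physically installed under `root`, i.e. every
    node_modules/<name>/package.json or node_modules/@scope/<name>/package.json.
    Dependency ranges in an application's own package.json and any lock files
    are deliberately not consulted: only what is on disk counts."""
    root = Path(root)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        pkg_dir = Path(dirpath)
        parent = pkg_dir.parent
        if parent.name.startswith("@"):      # scoped package: node_modules/@scope/<name>
            parent = parent.parent
        if parent.name != "node_modules":    # e.g. the app's own package.json: not an installed module
            continue
        try:
            meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                         # unreadable or malformed manifest: skip it
        name, version = meta.get("name"), meta.get("version")
        if isinstance(name, str) and isinstance(version, str):
            location = (pkg_dir / "package.json").relative_to(root).as_posix()
            found.append((name, version, location))
    return sorted(found)


def locate(root, package, version=None):
    """Restrict the listing to one package name and, optionally, one exact version."""
    return [hit for hit in find_installed_packages(root)
            if hit[0] == package and (version is None or hit[1] == version)]


def build_fixture():
    """Build a throwaway tree imitating the situation in the thread (constructed
    sample data, not a real image): the app declares loader-utils ^1.4.2 and has
    1.4.2 installed, while a Cypress cache carries its own node_modules with
    loader-utils 1.4.0. Returns the fixture root."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    files = {
        "app/package.json": {"name": "my-app", "version": "1.0.0",
                             "dependencies": {"loader-utils": "^1.4.2"}},
        "app/node_modules/loader-utils/package.json":
            {"name": "loader-utils", "version": "1.4.2"},
        "root/.cache/Cypress/13.12.0/Cypress/resources/app/node_modules/loader-utils/package.json":
            {"name": "loader-utils", "version": "1.4.0"},
        "root/.cache/Cypress/13.12.0/Cypress/resources/app/node_modules/@babel/core/package.json":
            {"name": "@babel/core", "version": "7.0.0"},
    }
    for rel, meta in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(meta), encoding="utf-8")
    return root


if __name__ == "__main__":
    rootfs = build_fixture()
    for name, version, location in locate(rootfs, "loader-utils"):
        print(f"{name}@{version}  {location}")
```

Run against a real rootfs (for instance the directory produced by `docker export` of a container, untarred), `locate(rootfs, "loader-utils", "1.4.0")` prints only the Cypress path, which is the same answer `--locations` gives: the caret range in the app's package.json never selects 1.4.0, but that range was never what the scanner read.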
@renepupil absolutely no problem! This is what the issue tracker is for. Happy to assist any time.
Thank you for taking the time to report issues and helping to make Scout better for everyone!
Docker Desktop 4.31.0 (153195), docker scout 1.9.3 (this outdated version is bound to the latest Docker Desktop)
Vulnerability:
Checking the version with npm: there is no version 1.4.0 installed, only 1.4.2 (or higher). I suspect "scout" is checking the package.json, ignoring lock files like yarn.lock, but even if you ONLY consider the package.json, it should "follow" the installation logic of installing the "highest possible version" when ^ is used, therefore I would expect this vulnerability not to show... What is the logic behind that?