Closed betterltn closed 2 years ago
glob-parent is a transitive build-time dependency in the implementation of the akeyless dependency used for the akeyless backend.
❯ npm ls glob-parent
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ akeyless@2.4.2
│ └─┬ @babel/cli@7.14.3
│   └─┬ @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents
│     └── glob-parent@3.1.0
├─┬ eslint@7.12.1
│ └── glob-parent@5.1.2
└─┬ mocha@8.2.0
  └─┬ chokidar@3.4.3
    └── glob-parent@5.1.2 deduped
jose is unlikely to be updatable due to kubernetes-client, our direct dependency for interacting with Kubernetes, being stale for >1 year.
❯ npm ls jose
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ kubernetes-client@9.0.0
  └─┬ openid-client@3.15.10
    └── jose@1.28.1
dot-prop is a dev-time dependency and also a false positive 🤔
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ nodemon@2.0.6
│ └─┬ update-notifier@4.1.3
│   └─┬ configstore@5.0.1
│     └── dot-prop@5.3.0
└─┬ standard-version@9.2.0
  └─┬ conventional-changelog-conventionalcommits@4.5.0
    └─┬ compare-func@2.0.0
      └── dot-prop@5.3.0 deduped
path-parse is a transitive dev-time dependency for code linting.
❯ npm ls path-parse
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ eslint-plugin-import@2.22.1
  └─┬ resolve@1.20.0
    └── path-parse@1.0.6
Thanks!! Can you comment on the following as well?
through     2.3.8   CVE-2021-29940  Critical
formidable  1.2.2   CVE-2019-15780  Critical
base        0.11.2  CVE-2009-4591   High
They all look like false positives.
formidable, CVE-2019-15780, is related to a WordPress plugin, so false positive. Otherwise formidable is used by superagent, which is for HTTP requests (used by the akeyless library, and by supertest, which KES uses for some unit test mocking).
❯ npm ls formidable
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ akeyless@2.5.3
│ └─┬ superagent@3.7.0
│   └── formidable@1.2.2
└─┬ supertest@6.0.1
  └─┬ superagent@6.1.0
    └── formidable@1.2.2 deduped
base, CVE-2009-4591, is related to the SQL Basic Analysis and Security Engine (BASE), so false positive. As opposed to https://github.com/node-base/base, which looks like a dev-time dependency to me (in our dependency tree anyway).
❯ npm ls base
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ akeyless@2.5.3
  └─┬ @babel/cli@7.14.3
    └─┬ @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents
      └─┬ braces@2.3.2
        └─┬ snapdragon@0.8.2
          └── base@0.11.2
through, CVE-2021-29940, is related to a Rust library, so false positive. Colliding with the name of https://www.npmjs.com/package/through, which is used far down the dependency tree for our release script dependencies.
❯ npm ls through
kubernetes-external-secrets@8.2.2 /home/flydiverny/Code/github/kubernetes-external-secrets
└─┬ standard-version@9.2.0
  ├─┬ conventional-changelog@3.1.24
  │ └─┬ conventional-changelog-core@4.2.2
  │   └─┬ conventional-changelog-writer@4.1.0
  │     └─┬ split@1.0.1
  │       └── through@2.3.8 deduped
  └─┬ conventional-recommended-bump@6.1.0
    └─┬ conventional-commits-parser@3.2.1
      └─┬ JSONStream@1.3.5
        └── through@2.3.8
@renanaAkeyless @OriMankali It would be great if the akeyless dependency could move @babel/cli from dependencies to devDependencies. I don't see any reason for it to be listed as a dependency.
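The two comments above triage each scanner hit the same way: run `npm ls <pkg>` and decide from the chain whether the package is reachable at runtime or only via devDependencies (lint, test and release tooling). The following is an added example, not code from kubernetes-external-secrets or akeyless, that does that check mechanically against a package-lock.json (lockfileVersion 2). The lockfile and the findings list are constructed here from the trees quoted in the thread; the versions are theirs, the file shape and the `classifyFindings` name are assumptions. It also shows why the @babel/cli placement matters: with akeyless listing it under `dependencies`, glob-parent@3.1.0 is runtime-reachable; moved to devDependencies it becomes dev-only.

```javascript
// Added example (not project code): classify scanner findings as
// runtime-reachable or dev-only by walking a lockfile v2 "packages" map,
// i.e. the information `npm ls <pkg>` prints, made machine-checkable.
// Plain Node.js (>= 14), no third-party dependencies.

// Constructed miniature lockfile modelled on the npm ls trees in the thread.
const SAMPLE_LOCK = {
  name: 'kubernetes-external-secrets',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { akeyless: '^2.4.2' },
          devDependencies: { 'standard-version': '^9.2.0' } },
    // akeyless lists @babel/cli under "dependencies", so everything beneath
    // it (including glob-parent@3.1.0) counts as runtime-reachable.
    'node_modules/akeyless': { version: '2.4.2', dependencies: { '@babel/cli': '^7.14.3' } },
    'node_modules/@babel/cli': { version: '7.14.3',
      dependencies: { '@nicolo-ribaudo/chokidar-2': '2.1.8-no-fsevents' } },
    'node_modules/@nicolo-ribaudo/chokidar-2': { version: '2.1.8-no-fsevents',
      dependencies: { 'glob-parent': '^3.1.0' } },
    'node_modules/@nicolo-ribaudo/chokidar-2/node_modules/glob-parent': { version: '3.1.0' },
    'node_modules/standard-version': { version: '9.2.0',
      dependencies: { 'conventional-commits-parser': '^3.2.1' } },
    'node_modules/conventional-commits-parser': { version: '3.2.1', dependencies: { JSONStream: '^1.3.5' } },
    'node_modules/JSONStream': { version: '1.3.5', dependencies: { through: '>=2.2.7 <3' } },
    'node_modules/through': { version: '2.3.8' },
  },
};

// Constructed findings in the (name, installed version, id) shape a scanner
// such as grype prints. Not a real scan result; the last one is not installed.
const SAMPLE_FINDINGS = [
  { name: 'glob-parent', version: '3.1.0', id: 'CVE-2020-28469' },
  { name: 'through', version: '2.3.8', id: 'CVE-2021-29940' },
  { name: 'left-pad', version: '1.0.0', id: 'EXAMPLE-0000' },
];

// Package name from a lockfile path: "a/node_modules/@s/n" -> "@s/n".
function nameOf(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Node-style resolution: try <base>/node_modules/<dep>, then walk up a level.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Reverse edges: child path -> [{ parent path, reached via devDependencies? }].
// Only the root's devDependencies are installed, so nested ones are ignored.
function buildParents(packages) {
  const parents = {};
  for (const [path, entry] of Object.entries(packages)) {
    const edges = Object.keys(entry.dependencies || {}).map((d) => [d, false]);
    if (path === '') for (const d of Object.keys(entry.devDependencies || {})) edges.push([d, true]);
    for (const [dep, isDev] of edges) {
      const target = resolveDep(packages, path, dep);
      if (target) (parents[target] = parents[target] || []).push({ parent: path, isDev });
    }
  }
  return parents;
}

// Every chain from the root down to `path`, like `npm ls` prints them.
// A chain is dev-only iff its first hop off the root is a devDependency.
function chainsTo(packages, parents, path, seen = new Set()) {
  if (path === '') return [{ hops: [], isDev: false }];
  if (seen.has(path)) return [];
  seen.add(path);
  const out = [];
  for (const { parent, isDev } of parents[path] || []) {
    for (const c of chainsTo(packages, parents, parent, new Set(seen))) {
      out.push({ hops: [...c.hops, `${nameOf(path)}@${packages[path].version}`],
                 isDev: parent === '' ? isDev : c.isDev });
    }
  }
  return out;
}

// scope: 'runtime' if any chain starts from dependencies, 'dev-only' if all
// chains start from devDependencies, else 'not-installed' / 'unreachable'.
function classifyFindings(lock, findings) {
  const { packages } = lock;
  const parents = buildParents(packages);
  return findings.map((f) => {
    const installs = Object.keys(packages).filter(
      (p) => p !== '' && nameOf(p) === f.name && packages[p].version === f.version);
    const chains = installs.flatMap((p) => chainsTo(packages, parents, p));
    let scope = 'runtime';
    if (installs.length === 0) scope = 'not-installed';
    else if (chains.length === 0) scope = 'unreachable';
    else if (chains.every((c) => c.isDev)) scope = 'dev-only';
    return { ...f, scope, chains: chains.map((c) => c.hops.join(' > ')) };
  });
}

for (const r of classifyFindings(SAMPLE_LOCK, SAMPLE_FINDINGS)) {
  console.log(`${r.id} ${r.name}@${r.version}: ${r.scope}`);
  for (const c of r.chains) console.log(`  ${c}`);
}
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`. A `dev-only` result says the code is never shipped in the image, which is the basis for the "dev-time dependency" calls in the thread; it does not by itself say the CVE is a name collision with an unrelated product (the formidable, base and through cases), which still needs a look at the advisory text.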
Hi, sure, I will take a look. Thanks, Renana
On Wed, 28 Jul 2021, 9:10, Markus Maga <@.***> wrote:
Still the same sec vuln issues with 8.3.0. Could you provide an updated version?
# npm audit report
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix`
node_modules/@nicolo-ribaudo/chokidar-2/node_modules/glob-parent
@nicolo-ribaudo/chokidar-2 <=2.1.8-no-fsevents.2
Depends on vulnerable versions of glob-parent
node_modules/@nicolo-ribaudo/chokidar-2
@babel/cli >=7.12.7
Depends on vulnerable versions of @nicolo-ribaudo/chokidar-2
node_modules/@babel/cli
trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix`
node_modules/get-pkg-repo/node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/get-pkg-repo/node_modules/meow
5 vulnerabilities (3 moderate, 2 high)
To address all issues, run:
npm audit fix
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This issue was closed because it has been stalled for 30 days with no activity.
Ran a grype (https://github.com/anchore/grype) scan against the latest release 8.2.2 and got the following results:
NAME         INSTALLED  FIXED-IN  VULNERABILITY        SEVERITY
base         0.11.2               CVE-2014-2980        Medium
base         0.11.2               CVE-2009-4590        Medium
base         0.11.2               CVE-2009-4591        High
base         0.11.2               CVE-2009-4592        High
cookie       0.4.0                CVE-2017-18589       High
dot-prop     4.2.1                CVE-2020-8116        High
editor       1.0.0                CVE-2015-0903        High
formidable   1.2.2                CVE-2019-15780       Critical
fresh        0.5.2                CVE-2013-1779        Low
ftp          0.3.10               CVE-1999-0082        High
ftp          0.3.10               CVE-1999-0201        Medium
glob-parent  3.1.0      5.1.2     GHSA-ww39-953v-wcq6  High
glob-parent  3.1.0                CVE-2020-28469       High
jose         1.28.1               CVE-2021-29444       Medium
jose         1.28.1               CVE-2021-29445       Medium
jose         1.28.1               CVE-2021-29446       Medium
path-parse   1.0.6                CVE-2021-23343       High
rc           1.2.8                CVE-2014-1936        High
rc           1.2.8                CVE-2020-17753       Medium
slash        2.0.0                CVE-2002-1647        Medium
slash        3.0.0                CVE-2002-1647        Medium
through      2.3.8                CVE-2021-29940       Critical
Can you please advise on all High and Critical severity vulnerabilities reported? I understand the ftp, rc, editor and cookie related ones are false positives.