external-secrets / kubernetes-external-secrets

Integrate external secret management systems with Kubernetes
MIT License

High severity vulnerabilities on 8.5.0 #890

Closed jmoyano-koa closed 2 years ago

jmoyano-koa commented 2 years ago

Hello,

current 8.5.0 has two High and Critical vulnerable dependencies as per our scans. See attached console output.

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock     -v ${PWD}/cache:/root/.cache/ aquasec/trivy:0.21.1 ghcr.io/external-secrets/kubernetes-external-secrets:8.5.0
2021-12-31T12:07:20.799Z    INFO    Detected OS: alpine
2021-12-31T12:07:20.799Z    INFO    Detecting Alpine vulnerabilities...
2021-12-31T12:07:20.800Z    INFO    Number of language-specific files: 1
2021-12-31T12:07:20.800Z    INFO    Detecting node-pkg vulnerabilities...

ghcr.io/external-secrets/kubernetes-external-secrets:8.5.0 (alpine 3.14.3)
==========================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

Vulnerable packages are in:

"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json","3.0.0","5.0.1, 6.0.1"
"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json","4.1.0","5.0.1, 6.0.1"
"CVE-2021-3918","json-schema","usr/local/lib/node_modules/npm/node_modules/json-schema/package.json","0.2.3","0.4.0"

Is this deployment vulnerable? Has it been evaluated? Didn't find any issue or security advisory on this.

Flydiverny commented 2 years ago

ansi-regex is used in dev dependencies. Don't see 3.0.0 or 4.1.0 in the tree tho. There is a transitive dependency with version 2.1.1 and the rest are resolving 5.0.1.

❯ npm ls ansi-regex
kubernetes-external-secrets@8.5.0 /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ @ibm-cloud/secrets-manager@0.1.1
│ └─┬ ibm-cloud-sdk-core@2.15.1
│   └─┬ expect@26.6.2
│     └─┬ jest-matcher-utils@26.6.2
│       └─┬ pretty-format@26.6.2
│         └── ansi-regex@5.0.1
├─┬ eslint@7.32.0
│ ├─┬ strip-ansi@6.0.1
│ │ └── ansi-regex@5.0.1
│ └─┬ table@6.7.2
│   └─┬ strip-ansi@6.0.1
│     └── ansi-regex@5.0.1
├─┬ mocha@8.4.0
│ ├─┬ wide-align@1.1.3
│ │ └─┬ string-width@1.0.2
│ │   └─┬ strip-ansi@3.0.1
│ │     └── ansi-regex@2.1.1
│ └─┬ yargs@16.2.0
│   ├─┬ cliui@7.0.4
│   │ ├─┬ strip-ansi@6.0.1
│   │ │ └── ansi-regex@5.0.1
│   │ └─┬ wrap-ansi@7.0.0
│   │   └─┬ strip-ansi@6.0.1
│   │     └── ansi-regex@5.0.1
│   └─┬ string-width@4.2.3
│     └─┬ strip-ansi@6.0.1
│       └── ansi-regex@5.0.1
├─┬ nodemon@2.0.13
│ └─┬ update-notifier@5.1.0
│   └─┬ boxen@5.1.2
│     ├─┬ ansi-align@3.0.1
│     │ └─┬ string-width@4.2.3
│     │   └─┬ strip-ansi@6.0.1
│     │     └── ansi-regex@5.0.1
│     ├─┬ string-width@4.2.3
│     │ └─┬ strip-ansi@6.0.1
│     │   └── ansi-regex@5.0.1
│     └─┬ widest-line@3.1.0
│       └─┬ string-width@4.2.3
│         └─┬ strip-ansi@6.0.1
│           └── ansi-regex@5.0.1
└─┬ nyc@15.1.0
  └─┬ yargs@15.4.1
    └─┬ cliui@6.0.0
      └─┬ strip-ansi@6.0.1
        └── ansi-regex@5.0.1

for json-schema #891

Flydiverny commented 2 years ago

8.5.1 released with bumped json-schema

Flydiverny commented 2 years ago

Also see #864

jmoyano-koa commented 2 years ago

Hi @Flydiverny,

thanks for solving the issue with json-schema. Related to the ansi-regex libraries, both affected libraries are global from the alpine base image I think:

"usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json","3.0.0"
"usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json","4.1.0"

Although I'm not able to find a non-vulnerable version...

Kind regards,
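The thread turns on where each vulnerable copy lives in the image: the Trivy paths all sit under `usr/local/lib/node_modules/npm/`, i.e. inside the npm CLI that ships with the base image, whereas `npm ls` answers the separate question of which top-level dependency pulls a copy into the application's own tree. As an added example, not code from the kubernetes-external-secrets project or from either commenter, the Node script below triages findings in the CSV layout quoted earlier in the issue by path: npm-CLI copies are separated from application copies, application copies are attributed to their top-level dependency when the path reveals one, and hoisted copies are flagged for a follow-up `npm ls`. The application root `app/`, the two extra sample lines and the dev-dependency list are assumptions.

```javascript
'use strict';

// Added example, not code from the kubernetes-external-secrets project.
// Triage Trivy package findings (the "CVE","package","path","installed","fixed"
// lines quoted in the issue) by WHERE the vulnerable copy lives in the image,
// so copies bundled with the npm CLI are separated from the application's own
// dependency tree. The "app" root and the extra sample lines are assumptions.

// Constructed sample: the three findings from the issue, plus two invented
// lines under an assumed application root "app/" to show the other outcomes.
const SAMPLE_FINDINGS = `
"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json","3.0.0","5.0.1, 6.0.1"
"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json","4.1.0","5.0.1, 6.0.1"
"CVE-2021-3918","json-schema","usr/local/lib/node_modules/npm/node_modules/json-schema/package.json","0.2.3","0.4.0"
"CVE-2021-3807","ansi-regex","app/node_modules/mocha/node_modules/ansi-regex/package.json","4.1.0","5.0.1, 6.0.1"
"CVE-2021-3918","json-schema","app/node_modules/json-schema/package.json","0.2.3","0.4.0"
`;

// Minimal CSV line parser: handles double-quoted fields and "" escapes, so a
// fixed-version list like "5.0.1, 6.0.1" stays one field.
function parseCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch !== '"') cur += ch;
      else if (line[i + 1] === '"') { cur += '"'; i++; }
      else inQuotes = false;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ',') { fields.push(cur); cur = ''; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}

// Copies under the npm CLI's own tree belong to the base image's npm install,
// not to anything the application require()s at runtime.
const NPM_CLI_PREFIX = /^usr\/(local\/)?lib\/node_modules\/npm\//;

// First package name after <appRoot>/node_modules/, keeping "@scope/name" whole;
// null when the path is not under the application root at all.
function topLevelOwner(path, appRoot) {
  const prefix = appRoot + '/node_modules/';
  if (!path.startsWith(prefix)) return null;
  const segs = path.slice(prefix.length).split('/');
  return segs[0].startsWith('@') ? segs[0] + '/' + segs[1] : segs[0];
}

const ACTIONS = {
  'npm-cli': 'not loaded by the app; update the base image npm or remove the npm CLI from the final image',
  'app-dev': 'dev-only top-level dependency; keep it out of the production image',
  'app-runtime': 'runtime dependency; upgrade to a fixed version',
  'app-unresolved': 'owner not determined from the path; run `npm ls <pkg>` to see which top-level dependency pulls it in',
  'other': 'outside the known roots; inspect manually',
};

// Returns one record per finding with a scope and the recommended follow-up.
// dependencies / devDependencies are the top-level names from package.json.
function triage(csvText, { appRoot = 'app', dependencies = [], devDependencies = [] } = {}) {
  const root = appRoot.replace(/^\/+|\/+$/g, '');
  const runtime = new Set(dependencies);
  const dev = new Set(devDependencies);
  return csvText.split('\n').map((l) => l.trim()).filter(Boolean).map((line) => {
    const [cve, pkg, rawPath, installed, fixed] = parseCsvLine(line);
    const path = rawPath.replace(/^\/+/, '');
    const owner = topLevelOwner(path, root);
    let scope = 'other';
    if (NPM_CLI_PREFIX.test(path)) scope = 'npm-cli';
    else if (owner === pkg) scope = 'app-unresolved'; // hoisted copy: the path alone does not name the owner
    else if (owner !== null && dev.has(owner)) scope = 'app-dev';
    else if (owner !== null && runtime.has(owner)) scope = 'app-runtime';
    else if (owner !== null) scope = 'app-unresolved';
    return {
      cve, pkg, path, installed,
      fixedVersions: fixed.split(',').map((v) => v.trim()).filter(Boolean),
      scope,
      action: ACTIONS[scope],
    };
  });
}

// Count findings per scope, e.g. { 'npm-cli': 3, 'app-dev': 1, 'app-unresolved': 1 }.
function summarize(records) {
  return records.reduce((acc, r) => { acc[r.scope] = (acc[r.scope] || 0) + 1; return acc; }, {});
}

// Demo run over the constructed sample with an assumed dev-dependency list.
const demo = triage(SAMPLE_FINDINGS, { devDependencies: ['mocha', 'nyc', 'eslint', 'nodemon'] });
for (const r of demo) console.log(`${r.cve} ${r.pkg}@${r.installed} [${r.scope}] -> ${r.action}`);
console.log(summarize(demo));
```

The path test is deliberately the first check: a finding under the npm CLI tree is a base-image concern (bump the image or strip npm from the final stage) regardless of what the application's `package.json` says, which is exactly the distinction the two commenters arrive at. For real runs, feed the script Trivy's JSON or CSV output and the `dependencies`/`devDependencies` names from the project's `package.json`.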

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] commented 2 years ago

This issue was closed because it has been stalled for 30 days with no activity.