jbenden / vscode-c-cpp-flylint

A VS Code extension for advanced, modern, static analysis of C/C++ that supports a number of back-end analyzer programs.
MIT License

cc-test-reporter "leaked" into extension installation directory #224

Open 0xg0nz0 opened 2 months ago

0xg0nz0 commented 2 months ago

I don't think this is intentional:

$ ls ~/.vscode-server/extensions/jbenden.c-cpp-flylint-1.15.0
C-Cpp-FlyLint_icon.png  cc-test-reporter  CHANGELOG.md  client  codeclimate.ubuntu-latest-node16.json  coverage  LICENSES  LICENSE.txt  package.json  README.md  server  specs  typings.d.ts

and likely because CI/CD downloads and installs it with curl but does not delete it. That binary is showing up with a ton of old Go package vulnerabilities in grype:

$ grype sbom:syft.json | grep Critical
 ✔ Vulnerability DB                [no update available]  
 ✔ Scanned for vulnerabilities     [127 vulnerability matches]  
   ├── by severity: 13 critical, 57 high, 33 medium, 1 low, 0 negligible (23 unknown)
   └── by status:   33 fixed, 94 not-fixed, 0 ignored 
stdlib                 go1.15.15                                                                 go-module  CVE-2024-24790       Critical  
stdlib                 go1.15.15                                                                 go-module  CVE-2023-29405       Critical  
stdlib                 go1.15.15                                                                 go-module  CVE-2023-29404       Critical  
stdlib                 go1.15.15                                                                 go-module  CVE-2023-29402       Critical  
stdlib                 go1.15.15                                                                 go-module  CVE-2023-24540       Critical  
stdlib                 go1.15.15                                                                 go-module  CVE-2023-24538       Critical  
stdlib                 go1.15.15                                                                 go-module  CVE-2022-23806       Critical  
stdlib                 go1.15.15                                                                 go-module  CVE-2021-38297       Critical  

I do not think this is unto itself a security issue since cc-test-reporter isn't run by the extension, but I think for good hygiene it should not be part of the distributed binary.
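A pre-package check of the kind this report calls for, added here as an example (it is not code from the issue or from the project): it walks an extension directory and lists every file whose leading magic bytes mark it as a native ELF, Mach-O or PE executable, which a TypeScript/JavaScript extension normally has no reason to ship. The directory path is whatever the caller passes in; the sample files in the test are constructed.

```shell
#!/bin/sh
# List native executables found under a directory tree.
# Intended to run in CI against the staged extension tree before it is
# packaged, so that a tool downloaded for CI (like a coverage reporter)
# cannot slip into the published artifact unnoticed.
find_native_binaries() {
  dir="$1"
  # Read the first four bytes of each regular file as lowercase hex.
  find "$dir" -type f | while read -r f; do
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
      7f454c46)                        echo "$f" ;;  # ELF
      feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) echo "$f" ;;  # Mach-O / fat
      4d5a*)                           echo "$f" ;;  # PE (MZ header)
    esac
  done
}

# Exit non-zero when anything was flagged, so a CI step can fail on it.
check_no_native_binaries() {
  found=$(find_native_binaries "$1")
  if [ -n "$found" ]; then
    printf 'native binaries present in %s:\n%s\n' "$1" "$found" >&2
    return 1
  fi
  return 0
}

# Usage: ./check-binaries.sh path/to/extension-tree
if [ $# -gt 0 ]; then
  check_no_native_binaries "$1"
fi
```

Run it against the staged tree (or, as above, against `~/.vscode-server/extensions/<publisher>.<name>-<version>`) and fail the build on a non-zero exit; anything it flags should be excluded from the package before publishing.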