rudderlabs / rudder-transformer

Open-source, warehouse-first Customer Data Pipeline and Segment-alternative. Collects and routes clickstream data and builds your customer data lake on your data warehouse.
https://www.rudderstack.com

High sev. vulnerabilities found in rudder-transformer:latest #1061

Closed GottaBKD closed 2 years ago

GottaBKD commented 2 years ago

Describe the bug

Testing rudderlabs/rudder-transformer:latest...

✗ Low severity vulnerability found in openssl/libcrypto1.1
  Description: CVE-2022-0778
  Info: https://snyk.io/vuln/SNYK-ALPINE314-OPENSSL-2426333
  Introduced through: openssl/libcrypto1.1@1.1.1l-r0, apk-tools/apk-tools@2.12.7-r0, libretls/libretls@3.3.3p1-r2, python2/python2@2.7.18-r2, openssl/libssl1.1@1.1.1l-r0
  From: openssl/libcrypto1.1@1.1.1l-r0
  From: apk-tools/apk-tools@2.12.7-r0 > openssl/libcrypto1.1@1.1.1l-r0
  From: libretls/libretls@3.3.3p1-r2 > openssl/libcrypto1.1@1.1.1l-r0
  and 6 more...
  Image layer: 'apk add --no-cache tini python2'
  Fixed in: 1.1.1n-r0

✗ High severity vulnerability found in gmp/gmp
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE314-GMP-2419278
  Introduced through: gmp/gmp@6.2.1-r0, isl/isl@0.18-r1, gcc/g++@9.3.0-r0, gcc/libgomp@9.3.0-r0
  From: gmp/gmp@6.2.1-r0
  From: isl/isl@0.18-r1 > gmp/gmp@6.2.1-r0
  From: gcc/g++@9.3.0-r0 > gmp/gmp@6.2.1-r0
  and 3 more...
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 6.2.1-r1

------------ Detected 9 vulnerabilities for node@14.17.4 ------------ 

✗ Low severity vulnerability found in node
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1540539
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.17.5

✗ Low severity vulnerability found in node
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332186
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ Medium severity vulnerability found in node
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1540538
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.17.5

✗ Medium severity vulnerability found in node
  Description: HTTP Request Smuggling
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1731310
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.1

✗ Medium severity vulnerability found in node
  Description: HTTP Request Smuggling
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1731312
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.1

✗ Medium severity vulnerability found in node
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332185
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ Medium severity vulnerability found in node
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332191
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ Medium severity vulnerability found in node
  Description: Improper Handling of URL Encoding
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332192
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ High severity vulnerability found in node
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1540540
  Introduced through: node@14.17.4
  From: node@14.17.4
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.17.5

Organization:      karl.dagenais
Package manager:   apk
Project name:      docker-image|rudderlabs/rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Platform:          linux/amd64
Base image:        node:14.17.4-alpine3.14
Licenses:          enabled

Tested 39 dependencies for known issues, found 11 issues.

Your base image is out of date
1) Pull the latest version of your base image by running 'docker pull node:14.17.4-alpine3.14'
2) Rebuild your local image

-------------------------------------------------------

Testing rudderlabs/rudder-transformer:latest...

Organization:      karl.dagenais
Package manager:   npm
Target file:       /home/node/app/data/package.json
Project name:      rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Licenses:          enabled

✔ Tested 1 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing rudderlabs/rudder-transformer:latest...

Tested 130 dependencies for known issues, found 8 issues.

Issues to fix by upgrading:

  Upgrade axios@0.21.2 to axios@0.21.3 to fix
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-AXIOS-1579269] in axios@0.21.2
    introduced by axios@0.21.2

  Upgrade isolated-vm@3.3.7 to isolated-vm@4.0.0 to fix
  ✗ Privilege Escalation [High Severity][https://snyk.io/vuln/SNYK-JS-ISOLATEDVM-1243750] in isolated-vm@3.3.7
    introduced by isolated-vm@3.3.7

  Upgrade node-fetch@2.6.1 to node-fetch@2.6.7 to fix
  ✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118] in node-fetch@2.6.1
    introduced by node-fetch@2.6.1

  Upgrade unset-value@2.0.0 to unset-value@2.0.1 to fix
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@2.0.0
    introduced by unset-value@2.0.0

Issues with no direct upgrade or patch:
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251] in uglify-js@3.13.5
    introduced by handlebars@4.7.7 > uglify-js@3.13.5
  This issue was fixed in versions: 3.14.3
  ✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2401466] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.8
  ✗ Improper Input Validation [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2415026] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.9
  ✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2419067] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.10

Steps to reproduce the bug

docker scan rudderlabs/rudder-transformer:latest

Expected behavior

No high or critical sev vulns in results

Screenshots

n/a

GottaBKD commented 2 years ago

Tested latest again recently and issues are still present... no sign of movement here

GottaBKD commented 2 years ago

@saikumarrs does not appear fixed

Testing rudderlabs/rudder-transformer:latest...

Tested 712 dependencies for known issues, found 21 issues.

Issues to fix by upgrading:

  Upgrade axios@0.21.2 to axios@0.21.3 to fix
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-AXIOS-1579269] in axios@0.21.2
    introduced by axios@0.21.2

  Upgrade minimist@1.2.5 to minimist@1.2.6 to fix
  ✗ Prototype Pollution [Low Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795] in minimist@1.2.5
    introduced by minimist@1.2.5 and 88 other path(s)

  Upgrade moment@2.27.0 to moment@2.29.2 to fix
  ✗ Directory Traversal (new) [High Severity][https://snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.27.0
    introduced by moment@2.27.0 and 2 other path(s)

  Upgrade node-fetch@2.6.1 to node-fetch@2.6.7 to fix
  ✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118] in node-fetch@2.6.1
    introduced by node-fetch@2.6.1

  Upgrade unset-value@2.0.0 to unset-value@2.0.1 to fix
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@2.0.0
    introduced by unset-value@2.0.0

Issues with no direct upgrade or patch:
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@5.0.0
    introduced by rudder-transformer-cdk@1.1.1 > jest@27.5.1 > @jest/core@27.5.1 > strip-ansi@6.0.0 > ansi-regex@5.0.0 and 11 other path(s)
  This issue was fixed in versions: 6.0.1, 5.0.1
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-INI-1048974] in ini@1.3.5
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > rc@1.2.8 > ini@1.3.5
  This issue was fixed in versions: 1.3.6
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in minimist@1.2.0
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > mkdirp@0.5.1 > minimist@0.0.8 and 2 other path(s)
  This issue was fixed in versions: 0.2.1, 1.2.3
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-PROMPTS-1729737] in prompts@2.3.2
    introduced by rudder-transformer-cdk@1.1.1 > jest@27.5.1 > jest-cli@27.5.1 > prompts@2.3.2
  This issue was fixed in versions: 2.4.2
  ✗ Arbitrary File Overwrite [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1536528] in tar@4.4.8
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > tar@4.4.8
  This issue was fixed in versions: 3.2.3, 4.4.15, 5.0.7, 6.1.2
  ✗ Arbitrary File Overwrite [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1536531] in tar@4.4.8
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > tar@4.4.8
  This issue was fixed in versions: 3.2.2, 4.4.14, 5.0.6, 6.1.1
  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/SNYK-JS-TAR-1536758] in tar@4.4.8
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > tar@4.4.8
  This issue was fixed in versions: 6.1.4, 5.0.8, 4.4.16
  ✗ Arbitrary File Write [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1579147] in tar@4.4.8
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > tar@4.4.8
  This issue was fixed in versions: 6.1.7, 5.0.8, 4.4.16
  ✗ Arbitrary File Write [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1579152] in tar@4.4.8
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > tar@4.4.8
  This issue was fixed in versions: 6.1.9, 5.0.10, 4.4.18
  ✗ Arbitrary File Write [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1579155] in tar@4.4.8
    introduced by prometheus-gc-stats@0.6.3 > gc-stats@1.4.0 > node-pre-gyp@0.13.0 > tar@4.4.8
  This issue was fixed in versions: 6.1.9, 5.0.10, 4.4.18
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251] in uglify-js@3.13.5
    introduced by handlebars@4.7.7 > uglify-js@3.13.5 and 1 other path(s)
  This issue was fixed in versions: 3.14.3
  ✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2401466] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.8
  ✗ Improper Input Validation [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2415026] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.9
  ✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2419067] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.10
  ✗ Misinterpretation of Input [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2440699] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.11
  ✗ Cross-site Scripting (XSS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2441239] in urijs@1.19.7
    introduced by koa-router@7.4.0 > urijs@1.19.7
  This issue was fixed in versions: 1.19.11

Organization:      karl.dagenais
Package manager:   npm
Target file:       /home/node/app/package.json
Project name:      rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Licenses:          enabled

Tested 3 projects, 2 contained vulnerable paths.

severe vulns still present

sanpj2292 commented 2 years ago

@GottaBKD, the testing is going on; we'd be able to push these vulnerabilities soon.

saikumarrs commented 2 years ago

@GottaBKD Firstly, thank you for bringing this to our attention. Please expect these things to be fixed by next week. Thank you for being so patient.

GottaBKD commented 2 years ago

Thanks guys

GottaBKD commented 2 years ago

I'm not sure what I'm missing, but scans are showing vulnerabilities still present.

Testing rudderlabs/rudder-transformer:latest...

Tested 712 dependencies for known issues, found 21 issues.

Can you confirm, @saikumarrs or @sanpj2292, please?

sanpj2292 commented 2 years ago

@GottaBKD, I ran the below command & I got the below output.

$ docker scan rudderlabs/rudder-transformer:latest

Testing rudderlabs/rudder-transformer:latest...

Organization:      rudderlabs
Package manager:   apk
Project name:      docker-image|rudderlabs/rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Platform:          linux/amd64
Base image:        node:14.19.0-alpine3.15
Licenses:          enabled

✔ Tested 39 dependencies for known issues, no vulnerable paths found.

Your base image is out of date
1) Pull the latest version of your base image by running 'docker pull node:14.19.0-alpine3.15'
2) Rebuild your local image

-------------------------------------------------------

Testing rudderlabs/rudder-transformer:latest...

Organization:      rudderlabs
Package manager:   npm
Target file:       /home/node/app/data/package.json
Project name:      rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Licenses:          enabled

✔ Tested 1 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing rudderlabs/rudder-transformer:latest...

Organization:      rudderlabs
Package manager:   npm
Target file:       /home/node/app/package.json
Project name:      rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Licenses:          enabled

✔ Tested 662 dependencies for known issues, no vulnerable paths found.

Tested 3 projects, no vulnerable paths were found.

Can you tell me what command you ran?

GottaBKD commented 2 years ago

It's very strange that I am not getting the same output from the same command.

docker scan rudderlabs/rudder-transformer:latest

Testing rudderlabs/rudder-transformer:latest...

------------ Detected 9 vulnerabilities for @.*** ------------

✗ Low severity vulnerability found in node
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1540539
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.17.5

✗ Low severity vulnerability found in node
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332186
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ Medium severity vulnerability found in node
  Description: Improper Input Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1540538
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.17.5

✗ Medium severity vulnerability found in node
  Description: HTTP Request Smuggling
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1731310
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.1

✗ Medium severity vulnerability found in node
  Description: HTTP Request Smuggling
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1731312
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.1

✗ Medium severity vulnerability found in node
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332185
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ Medium severity vulnerability found in node
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332191
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ Medium severity vulnerability found in node
  Description: Improper Handling of URL Encoding
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-2332192
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.18.3

✗ High severity vulnerability found in node
  Description: Use After Free
  Info: https://snyk.io/vuln/SNYK-UPSTREAM-NODE-1540540
  Introduced through: @.
  From: @.
  Image layer: Introduced by your base image (node:14.17.4-alpine3.14)
  Fixed in: 14.17.5

Organization:      karl.dagenais
Package manager:   apk
Project name:      docker-image|rudderlabs/rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Platform:          linux/amd64
Base image:        node:14.17.4-alpine3.14
Licenses:          enabled

Tested 39 dependencies for known issues, found 9 issues.

Your base image is out of date
1) Pull the latest version of your base image by running 'docker pull node:14.17.4-alpine3.14'
2) Rebuild your local image

-------------------------------------------------------

Testing rudderlabs/rudder-transformer:latest...

Organization:      karl.dagenais
Package manager:   npm
Target file:       /home/node/app/data/package.json
Project name:      rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Licenses:          enabled

✔ Tested 1 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing rudderlabs/rudder-transformer:latest...

Tested 712 dependencies for known issues, found 21 issues.

Issues to fix by upgrading:

  Upgrade @. to @. to fix
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-AXIOS-1579269] in @.
    introduced by @.

  Upgrade @. to @. to fix
  ✗ Prototype Pollution [Low Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-2429795] in @.
    introduced by @. and 88 other path(s)

  Upgrade @. to @. to fix
  ✗ Directory Traversal (new) [High Severity][https://snyk.io/vuln/SNYK-JS-MOMENT-2440688] in @.
    introduced by @. and 2 other path(s)

  Upgrade @. to @. to fix
  ✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118] in @.
    introduced by @.

  Upgrade @. to @. to fix
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in @.
    introduced by @.

Issues with no direct upgrade or patch:
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in @.
    introduced by @. > @. > @@. > @. > @. and 11 other path(s)
  This issue was fixed in versions: 6.0.1, 5.0.1
  ✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-INI-1048974] in @.
    introduced by @. > @. > @. > @. > @.
  This issue was fixed in versions: 1.3.6
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in @.
    introduced by @. > @. > @. > @. > @. and 2 other path(s)
  This issue was fixed in versions: 0.2.1, 1.2.3
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-PROMPTS-1729737] in @.
    introduced by @. > @. > @. > @.
  This issue was fixed in versions: 2.4.2
  ✗ Arbitrary File Overwrite [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1536528] in @.
    introduced by @. > @. > @. > @.
  This issue was fixed in versions: 3.2.3, 4.4.15, 5.0.7, 6.1.2
  ✗ Arbitrary File Overwrite [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1536531] in @.
    introduced by @. > @. > @. > @.
  This issue was fixed in versions: 3.2.2, 4.4.14, 5.0.6, 6.1.1
  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/SNYK-JS-TAR-1536758] in @.
    introduced by @. > @. > @. > @.
  This issue was fixed in versions: 6.1.4, 5.0.8, 4.4.16
  ✗ Arbitrary File Write [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1579147] in @.
    introduced by @. > @. > @. > @.
  This issue was fixed in versions: 6.1.7, 5.0.8, 4.4.16
  ✗ Arbitrary File Write [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1579152] in @.
    introduced by @. > @. > @. > @.
  This issue was fixed in versions: 6.1.9, 5.0.10, 4.4.18
  ✗ Arbitrary File Write [High Severity][https://snyk.io/vuln/SNYK-JS-TAR-1579155] in @.
    introduced by @. > @. > @. > @.
  This issue was fixed in versions: 6.1.9, 5.0.10, 4.4.18
  ✗ Regular Expression Denial of Service (ReDoS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-UGLIFYJS-1727251] in @.
    introduced by @. > @. and 1 other path(s)
  This issue was fixed in versions: 3.14.3
  ✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2401466] in @.
    introduced by @. > @.
  This issue was fixed in versions: 1.19.8
  ✗ Improper Input Validation [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2415026] in @.
    introduced by @. > @.
  This issue was fixed in versions: 1.19.9
  ✗ Open Redirect [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2419067] in @.
    introduced by @. > @.
  This issue was fixed in versions: 1.19.10
  ✗ Misinterpretation of Input [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2440699] in @.
    introduced by @. > @.
  This issue was fixed in versions: 1.19.11
  ✗ Cross-site Scripting (XSS) [Medium Severity][https://snyk.io/vuln/SNYK-JS-URIJS-2441239] in @.
    introduced by @. > @.***
  This issue was fixed in versions: 1.19.11

Organization:      karl.dagenais
Package manager:   npm
Target file:       /home/node/app/package.json
Project name:      rudder-transformer
Docker image:      rudderlabs/rudder-transformer:latest
Licenses:          enabled

Tested 3 projects, 2 contained vulnerable paths.

On Wed, May 4, 2022 at 11:34 AM Sankeerth wrote:

sanpj2292 commented 2 years ago

Maybe the image cached in local is being used when you try to scan using docker. Can you try to delete the existing image in your local and then try to do a scan?
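The cache point above is the practical takeaway of this thread: `docker scan` inspects the image as it exists in the local daemon, and a mutable tag such as `latest` can point at an older build than the registry currently serves, which is why two people running the same command saw different reports. The script below is an added example, not part of the issue or of the rudder-transformer project. It pulls the tag before scanning, records the content digest that was actually scanned so a report can be tied to one specific build, and parses report text in the format shown in this thread to fail when any High or Critical finding remains (the reporter's stated expectation). The `RUN_SCAN` switch, the function names and `SAMPLE_REPORT` are constructed for the example; `docker scan` is the Snyk-backed plugin used in the thread, which newer Docker releases have replaced with `docker scout`, so the text parsing is tied to the format shown here.

```shell
#!/usr/bin/env sh
# Added example (not from the rudder-transformer project or the issue author):
# scan the build a mutable tag currently points at, record its digest, and gate
# on High/Critical findings in the report text.
# Assumes a Docker daemon and the `docker scan` plugin used in the thread.
# RUN_SCAN, the function names and SAMPLE_REPORT are constructed for this example.
set -u

IMAGE="${IMAGE:-rudderlabs/rudder-transformer:latest}"

# Pull the tag so the local copy matches the registry, then return the content
# digest that was actually fetched. "latest" does not identify the build that
# was scanned; the digest does.
fresh_digest() {
  docker pull --quiet "$1" >/dev/null
  docker image inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Count findings of one severity in the report text. Both report shapes seen in
# the thread are matched: OS-package findings ("High severity vulnerability
# found in ...") and npm findings ("[High Severity]").
# $1 = report text, $2 = severity word: Low, Medium, High or Critical
count_severity() {
  # grep -c prints 0 and exits 1 when nothing matches; `|| true` keeps the 0.
  # -a treats the report as text even though it carries the ✗/✔ glyphs.
  printf '%s\n' "$1" | grep -a -E -c "$2 severity vulnerability found|\[$2 Severity\]" || true
}

# Succeed only when the report has no High or Critical finding, which is the
# expectation stated in the issue.
gate_report() {
  high=$(count_severity "$1" High)
  crit=$(count_severity "$1" Critical)
  [ "$((high + crit))" -eq 0 ]
}

# Constructed sample in the format shown in the issue; not a real scan result.
SAMPLE_REPORT='Testing example/image:latest...

✗ Low severity vulnerability found in node
  Description: Prototype Pollution
  Fixed in: 14.18.3

✗ High severity vulnerability found in node
  Description: Use After Free
  Fixed in: 14.17.5

Issues to fix by upgrading:

  Upgrade axios@0.21.2 to axios@0.21.3 to fix
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-AXIOS-1579269] in axios@0.21.2
  ✗ Information Exposure [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118] in node-fetch@2.6.1'

# Live run only when asked for, so the file can also be sourced for its functions.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  digest=$(fresh_digest "$IMAGE")
  echo "scanning $digest"
  # docker scan exits non-zero when it finds issues; keep the text for parsing.
  report=$(docker scan "$IMAGE" 2>&1) || true
  printf '%s\n' "$report"
  if gate_report "$report"; then
    echo "OK: no High/Critical findings in $digest"
  else
    echo "FAIL: High/Critical findings in $digest" >&2
    exit 1
  fi
else
  echo "dry run on constructed sample: High=$(count_severity "$SAMPLE_REPORT" High) Critical=$(count_severity "$SAMPLE_REPORT" Critical)"
fi
```

Run it as `RUN_SCAN=1 sh scan-gate.sh` (the file name is arbitrary) against a daemon that has network access; without `RUN_SCAN` it only exercises the parser on the constructed sample. Printing the digest next to the verdict is what makes two people's reports comparable: if the digests differ, they scanned different builds, however identical the tag looks.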

GottaBKD commented 2 years ago

Thank you again. All good.

On Wed, May 4, 2022 at 12:33 PM Sankeerth wrote:
