I run trivy on each docker build and got an alert when building the latest commit 8c1f0ce544c3fedb6ecf76451cab3d515b4ef4ee
The vulnerability IDs are CVE-2021-31597 and CVE-2020-28502. The offending package is xmlhttprequest-ssl located at theta-infrastructure-ledger-explorer/package-lock.json
Here is the log trivy gives:
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| xmlhttprequest-ssl | CVE-2020-28502 | HIGH | 1.5.3 | 1.6.2 | nodejs-xmlhttprequest: Code injection through user input to xhr.send (avd.aquasec.com/nvd/cve-2020-28502) |
| xmlhttprequest-ssl | CVE-2021-31597 | CRITICAL | 1.5.3 | 1.6.1 | xmlhttprequest-ssl: SSL certificate validation disabled by default (avd.aquasec.com/nvd/cve-2021-31597) |
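As an added check that is not part of this issue: a small script that walks a package-lock.json (both the v1 nested `dependencies` layout and the v2/v3 `packages` map) and reports any xmlhttprequest-ssl entry still below the fixed versions trivy listed above. The lockfile embedded in the block is constructed, and `example-parent` is a hypothetical dependency that pulls the package in transitively.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Fixed versions trivy reported in the table above for the two advisories.
FIXED_VERSIONS = {
    "CVE-2021-31597": "1.6.1",  # SSL certificate validation disabled by default
    "CVE-2020-28502": "1.6.2",  # code injection through user input to xhr.send
}
PACKAGE = "xmlhttprequest-ssl"

def parse_version(v: str) -> Tuple[int, ...]:
    # '1.5.3' -> (1, 5, 3); a pre-release suffix such as '-beta.1' is ignored.
    core = re.match(r"\d+(?:\.\d+)*", v)
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def iter_lock_entries(lock: Dict) -> Iterator[Tuple[str, str]]:
    # lockfileVersion 2/3: flat "packages" map keyed by node_modules path ("" = root).
    for path, meta in lock.get("packages", {}).items():
        if path:
            yield path.split("node_modules/")[-1], meta.get("version", "")
    # lockfileVersion 1 (also kept in v2 for compatibility): nested "dependencies".
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version", "")
        stack.extend(meta.get("dependencies", {}).items())

def find_vulnerable(lock: Dict) -> Dict[str, List[str]]:
    # Map each installed version of PACKAGE to the CVEs whose fix it is still below.
    findings: Dict[str, List[str]] = {}
    for name, version in iter_lock_entries(lock):
        if name != PACKAGE or not version:
            continue
        hits = [cve for cve, fixed in FIXED_VERSIONS.items()
                if parse_version(version) < parse_version(fixed)]
        if hits:
            findings[version] = sorted(hits)
    return findings

# Constructed sample lockfile (v1 layout), not the repository's real package-lock.json;
# "example-parent" is a hypothetical dependency that pulls the package in transitively.
SAMPLE_LOCK = {"lockfileVersion": 1, "dependencies": {"example-parent": {
    "version": "1.0.0", "dependencies": {PACKAGE: {"version": "1.5.3"}}}}}

if __name__ == "__main__":
    for version, cves in find_vulnerable(SAMPLE_LOCK).items():
        print(f"{PACKAGE}@{version} is below the fix for: {', '.join(cves)}")
```

Point it at the real lockfile by loading it with `json.load` and passing the result to `find_vulnerable`; an empty result means every xmlhttprequest-ssl entry is at or above both fixed versions.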