
CVE alert (ansi-regex js) #134

Open
benjimin opened this issue Nov 2, 2021 · 3 comments

Comments

@benjimin
Collaborator

benjimin commented Nov 2, 2021

Currently the automatic vulnerability checker is issuing an alert regarding ansi-regex < 5.0.1.

This is a node package (more motivation for #128); canvas requires gauge, and at present the latest version of gauge indirectly requires a vulnerable version of ansi-regex. Attempted running npm audit fix to no avail. Presumably need to wait for this to be fixed upstream: npm/gauge#135

Not expecting any security impact, because our use of node is to render an image from data generated by the application (not supplied by the untrusted end client).

$ npm list ansi-regex  # check what versions currently installed
code@ /code
├─┬ [email protected]
│ └─┬ @mapbox/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ ├─┬ [email protected]
│   │ │ └── [email protected]
│   │ └─┬ [email protected]
│   │   └─┬ [email protected]
│   │     └── [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

$ npm view gauge version  # check if newer version exists yet
3.0.1
$ npm view strip-ansi version
7.0.1
@benjimin benjimin changed the title CVE check fails (ansi-regex js) CVE scan noise (ansi-regex js) Nov 2, 2021
@benjimin benjimin changed the title CVE scan noise (ansi-regex js) CVE alert (ansi-regex js) Nov 2, 2021
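An added example, not code from the issue or from the project it belongs to, showing how the `npm list ansi-regex` check above can be made into something a CI step can assert on: it walks the JSON that `npm ls --json` prints (on npm 7 and later add `--all` to get the full depth) and reports every installed copy of a package whose version is below a known-fixed version, together with the dependency chain that pulls it in. The sample tree is constructed to mirror the shape of the output in the comment above; its intermediate package names and versions are invented, since the page shows them redacted, and only the `ansi-regex < 5.0.1` threshold comes from the issue.

```javascript
// Added example, not code from the issue or the project it belongs to.
// Walks the tree printed by `npm ls --json` (npm 7+: `npm ls --json --all`)
// and reports every installed copy of a package whose version is below a
// known-fixed version, plus the dependency chain that pulls it in. This is
// the same information `npm list <pkg>` shows, in a form CI can fail on.

// Split a dotted numeric version into integers; prerelease/build suffixes
// (e.g. "-beta.1", "+build") are ignored for this simple comparison.
function parseVersion(v) {
  return String(v).split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// True when version a sorts strictly before version b (major.minor.patch).
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over the nested `dependencies` objects of an npm ls JSON
// tree. Returns [{ version, path }] for every node named `pkg` whose version
// is below `fixedVersion`. Nodes without a version (missing or stub entries)
// are not reported but are still descended into.
function findVulnerable(tree, pkg, fixedVersion) {
  const hits = [];
  function walk(node, chain) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = chain.concat(`${name}@${dep.version || '?'}`);
      if (name === pkg && dep.version && versionLessThan(dep.version, fixedVersion)) {
        hits.push({ version: dep.version, path: here.join(' > ') });
      }
      walk(dep, here);
    }
  }
  walk(tree, []);
  return hits;
}

// Constructed sample in the shape of `npm ls --json`. The package names
// other than those named in the issue, and every version number here, are
// made up to mirror the tree in the issue; they are not real install data.
const SAMPLE_TREE = {
  name: 'code',
  version: '0.0.0',
  dependencies: {
    canvas: { version: '2.0.0', dependencies: {
      gauge: { version: '2.0.0', dependencies: {
        'strip-ansi': { version: '3.0.0', dependencies: {
          'ansi-regex': { version: '2.0.0' } } } } } } },   // below 5.0.1: reported
    'some-cli-tool': { version: '1.0.0', dependencies: {    // hypothetical package
      'strip-ansi': { version: '6.0.1', dependencies: {
        'ansi-regex': { version: '5.0.1' } } } } },         // fixed version: not reported
    'other-tool': { version: '1.0.0', dependencies: {       // hypothetical package
      'ansi-regex': { version: '4.1.0' } } },               // below 5.0.1: reported
  },
};

// Usage: `node check-dep.js` runs against the sample above;
// `npm ls --json --all | node check-dep.js --stdin` checks a real install
// and exits non-zero when a vulnerable copy is found.
if (typeof require !== 'undefined' && require.main === module) {
  const useStdin = process.argv.includes('--stdin');
  const tree = useStdin
    ? JSON.parse(require('fs').readFileSync(0, 'utf8'))
    : SAMPLE_TREE;
  const hits = findVulnerable(tree, 'ansi-regex', '5.0.1');
  for (const h of hits) console.log(`ansi-regex@${h.version} via ${h.path}`);
  if (hits.length === 0) console.log('no ansi-regex below 5.0.1 installed');
  if (useStdin && hits.length > 0) process.exitCode = 1;
}
```

Reporting the full chain matters more than the version alone: as the thread shows, the fix is not to bump `ansi-regex` directly but to wait for (or override) the intermediate dependency that pins it, and the chain tells you which one that is.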
@benjimin
Collaborator Author

Seems to have been fixed upstream (with a major/breaking release of gauge, but whatevs). Our image presently contains only version 5.0.1 of ansi-regex, so npm audit is now happy.

@benjimin
Collaborator Author

But it looks like the CVE scanner is continuing to fail because the docker cache (integrated into the GitHub action) continues to reuse the old version. (This is why --no-cache is important.)

@benjimin
Collaborator Author

Updated scan to pull latest image, rather than build from scratch. I think this is more appropriate (regularly scan the deployed image, which may drift from a fresh re-build) and faster.

Still failing scan because:

  • Base image has a current libc vulnerability
  • Residual node bootstrapping (i.e. the global installs of both n and node) has an old version of ansi-regex.
