Is the Trivy Nightly Docker Scan not detecting any Node.js files? #7460
That would explain a large inconsistency between a local scan I'm doing versus what we see in the CI (https://github.com/coder/code-server/actions/runs/16988109535/job/48161316994).
Enter `trivy image --severity HIGH,CRITICAL --ignore-unfixed docker.io/codercom/code-server:latest` using trivy version 0.65.0 (or 0.64.1 as in the CI) and you will see:
Node.js (node-pkg)
Total: 20 (HIGH: 16, CRITICAL: 4)
┌────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114 │ CRITICAL │ fixed │ 1.103.0 │ 4.10.1 │ code-server vulnerable to Missing Origin Validation in │
│ │ │ │ │ │ │ WebSockets │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-26114 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-3810 │ HIGH │ │ │ 3.12.0 │ Inefficient Regular Expression Complexity in code-server │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-3810 │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-47269 │ │ │ │ 4.99.4 │ code-server's session cookie can be extracted by having user │
│ │ │ │ │ │ │ visit specially crafted... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47269 │
├────────────────────────────┼─────────────────────┤ │ ├───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ diff (package.json) │ GHSA-h6ch-v84p-w6p9 │ │ │ 1.0.0 │ 3.5.0 │ Regular Expression Denial of Service (ReDoS) │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-h6ch-v84p-w6p9 │
├────────────────────────────┼─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ grunt (package.json) │ CVE-2020-7729 │ │ │ │ 1.3.0 │ The package grunt before 1.3.0 are vulnerable to Arbitrary │
│ │ │ │ │ │ │ Code Execut ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-7729 │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-1537 │ │ │ │ 1.5.3 │ gruntjs: race condition leading to arbitrary file write │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1537 │
├────────────────────────────┼─────────────────────┼──────────┤ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ handlebars (package.json) │ CVE-2019-19919 │ CRITICAL │ │ │ 4.3.0, 3.0.8 │ nodejs-handlebars: prototype pollution leading to remote │
│ │ │ │ │ │ │ code execution via crafted payloads │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-19919 │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-23369 │ │ │ │ 4.7.7 │ nodejs-handlebars: Remote code execution when compiling │
│ │ │ │ │ │ │ untrusted compile templates with strict:true option... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-23369 │
│ ├─────────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-23383 │ │ │ │ │ nodejs-handlebars: Remote code execution when compiling │
│ │ │ │ │ │ │ untrusted compile templates with compat:true option... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-23383 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-20920 │ HIGH │ │ │ 3.0.8, 4.5.3 │ nodejs-handlebars: lookup helper fails to properly validate │
│ │ │ │ │ │ │ templates allowing for arbitrary JavaScript... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-20920 │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ GHSA-2cf5-4w76-r9qv │ │ │ │ 3.0.8, 4.5.2 │ Arbitrary Code Execution in handlebars │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-2cf5-4w76-r9qv │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ GHSA-g9r4-xpmj-mj65 │ │ │ │ 3.0.8, 4.5.3 │ Prototype Pollution in handlebars │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-g9r4-xpmj-mj65 │
│ ├─────────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ GHSA-q2c6-c6pm-g3gh │ │ │ │ │ Arbitrary Code Execution in handlebars │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-q2c6-c6pm-g3gh │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ GHSA-q42p-pg8m-cqh6 │ │ │ │ 4.1.2, 4.0.14, 3.0.7 │ Prototype Pollution in handlebars │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-q42p-pg8m-cqh6 │
├────────────────────────────┼─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ ini (package.json) │ CVE-2020-7788 │ │ │ │ 1.3.6 │ nodejs-ini: Prototype pollution via malicious INI file │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-7788 │
├────────────────────────────┼─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ json (package.json) │ CVE-2020-7712 │ │ │ │ 10.0.0 │ trentm/json vulnerable to command injection │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-7712 │
├────────────────────────────┼─────────────────────┤ │ ├───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ npm (package.json) │ CVE-2018-7408 │ │ │ 1.0.1 │ 5.7.1 │ Incorrect Permission Assignment for Critical Resource in NPM │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-7408 │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-16775 │ │ │ │ 6.13.3 │ npm: Symlink reference outside of node_modules folder │
│ │ │ │ │ │ │ through the bin field upon... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-16775 │
│ ├─────────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-16776 │ │ │ │ │ npm: Arbitrary file write via constructed entry in the │
│ │ │ │ │ │ │ package.json bin field... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-16776 │
│ ├─────────────────────┤ │ │ ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-16777 │ │ │ │ 6.13.4 │ npm: Global node_modules Binary Overwrite │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-16777 │
└────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘
usr/local/bin/fixuid (gobinary)
Total: 6 (HIGH: 5, CRITICAL: 1)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ v1.20.7 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-39325 │ HIGH │ │ │ 1.20.10, 1.21.3 │ golang: net/http, x/net/http2: rapid stream resets can cause │
│ │ │ │ │ │ │ excessive work (CVE-2023-44487) │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45283 │ │ │ │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\ │
│ │ │ │ │ │ │ prefix as... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45283 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-45288 │ │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│ │ │ │ │ │ │ CONTINUATION frames causes DoS │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-34156 │ │ │ │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156 │
│ ├────────────────┤ │ │ ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-47907 │ │ │ │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47907 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘
Line 144 of Step 3 (https://github.com/coder/code-server/actions/runs/16988109535/job/48161316994) says that trivy detected only 1 language-specific file (`2025-08-15T10:25:56Z INFO Number of language-specific files num=1`), while the command suggested above will report 2.
Does anybody have a clue why?
We did get alerts about `usr/local/bin/fixuid`, but as far as I can tell, they are all unrelated (fixuid makes no network requests, for one thing). It seems to be marking everything Go-related, whether the program uses that thing or not.
The rest are false positives. See this for code-server, which we can prevent: #7071
And this for the rest, which I think we cannot prevent: #6332
As for the actual question, whether that line indicates that our scan is skipping the package.json, I am not sure. Maybe something is misconfigured, or maybe it remembers that we dismissed those previously or that it already reported those to us or something.
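An added example, not from the original posts and not code from the code-server or Trivy projects, for the two questions raised in this thread: did the CI scan see the Node.js target at all, and how do the per-target HIGH/CRITICAL counts compare between a CI run and a local run. It reads Trivy's `--format json` output, whose `Results[]` entries carry `Target`, `Class`, `Type` and `Vulnerabilities[]`, and treats the set of `lang-pkgs` results as what the `Number of language-specific files num=N` log line is counting (an assumption). The embedded reports are constructed, trimmed samples that reuse the CVE ids and versions from the scan above; `local.json` and `ci.json` are hypothetical file names.

```python
"""Compare two Trivy JSON reports (e.g. a CI run and a local run) target by target."""
import json
import sys
from collections import Counter

# Constructed sample shaped like Trivy's `--format json` output; the CVE ids and
# versions come from the scan in the post, everything else is made up here.
LOCAL_REPORT = {
    "ArtifactName": "docker.io/codercom/code-server:latest",
    "Results": [
        {
            "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-26114", "PkgName": "code-server",
                 "InstalledVersion": "1.103.0", "FixedVersion": "4.10.1",
                 "Severity": "CRITICAL", "Status": "fixed"},
                {"VulnerabilityID": "CVE-2025-47269", "PkgName": "code-server",
                 "InstalledVersion": "1.103.0", "FixedVersion": "4.99.4",
                 "Severity": "HIGH", "Status": "fixed"},
                {"VulnerabilityID": "CVE-2020-7729", "PkgName": "grunt",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.3.0",
                 "Severity": "HIGH", "Status": "fixed"},
            ],
        },
        {
            "Target": "usr/local/bin/fixuid", "Class": "lang-pkgs", "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib",
                 "InstalledVersion": "v1.20.7", "FixedVersion": "1.21.11, 1.22.4",
                 "Severity": "CRITICAL", "Status": "fixed"},
            ],
        },
        # Trivy omits "Vulnerabilities" entirely for a target with no findings;
        # this OS-package entry is constructed to exercise that case.
        {"Target": "constructed-os-target", "Class": "os-pkgs", "Type": "debian"},
    ],
}

# CI-like report: identical except that the node-pkg target is absent,
# which is the situation the question describes.
CI_REPORT = {
    "ArtifactName": LOCAL_REPORT["ArtifactName"],
    "Results": [r for r in LOCAL_REPORT["Results"] if r["Type"] != "node-pkg"],
}


def load_report(path):
    """Read a Trivy JSON report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def lang_targets(report):
    """Set of (Type, Target) for every language-specific result.

    Assumption: this set is what Trivy's
    'Number of language-specific files num=N' log line counts.
    """
    return {(r.get("Type", "?"), r.get("Target", "?"))
            for r in report.get("Results", []) if r.get("Class") == "lang-pkgs"}


def missing_targets(reference, other):
    """lang-pkgs targets seen in `reference` but not in `other`, sorted."""
    return sorted(lang_targets(reference) - lang_targets(other))


def severity_counts(report, severities=("HIGH", "CRITICAL")):
    """Per-target Counter of findings, restricted like `--severity HIGH,CRITICAL`.

    A target with no findings maps to an empty Counter rather than being
    dropped, so a clean target and a skipped target stay distinguishable.
    """
    return {
        r.get("Target", "?"): Counter(v["Severity"] for v in r.get("Vulnerabilities", [])
                                      if v.get("Severity") in severities)
        for r in report.get("Results", [])
    }


def diff_summary(reference, other):
    """Human-readable lines explaining how `other` differs from `reference`."""
    lines = ["language-specific targets: reference=%d other=%d"
             % (len(lang_targets(reference)), len(lang_targets(other)))]
    for typ, target in missing_targets(reference, other):
        lines.append("MISSING in other: %s %s" % (typ, target))
    ref_counts, other_counts = severity_counts(reference), severity_counts(other)
    for target in sorted(ref_counts):
        oth = other_counts.get(target)
        oth_text = "not scanned" if oth is None else (dict(oth) or "clean")
        lines.append("%s: reference=%s other=%s"
                     % (target, dict(ref_counts[target]) or "clean", oth_text))
    return lines


if __name__ == "__main__":
    # Usage: python trivy_diff.py local.json ci.json  (falls back to the samples)
    if len(sys.argv) == 3:
        ref, oth = load_report(sys.argv[1]), load_report(sys.argv[2])
    else:
        ref, oth = LOCAL_REPORT, CI_REPORT
    print("\n".join(diff_summary(ref, oth)))
```

To feed it real data, run the same scan twice with `--format json -o local.json` (and the CI equivalent saved as `ci.json`); a target that shows up as `not scanned` rather than `clean` is the signal that the scanner skipped a file, as opposed to finding nothing in it.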