Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

container vulnerability scanner fails on wis2box-webapp #705

Closed
maaikelimper opened this issue Jun 26, 2024 · 1 comment
Closed

container vulnerability scanner fails on wis2box-webapp #705

maaikelimper opened this issue Jun 26, 2024 · 1 comment
Assignees
@maaikelimper @david-i-berry @RoryPTB
Labels
security Security
Milestone
sprint-016

Comments

@maaikelimper
Copy link
Collaborator 

ghcr.io/wmo-im/wis2box-webapp:latest (alpine 3.20.0)
====================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


Node.js (node-pkg)
==================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│                      Library                       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ @apidevtools/json-schema-ref-parser (package.json) │ CVE-2024-29651 │ HIGH     │ fixed  │ 11.1.0            │ 11.2.0        │ json-schema-ref-parser: Prototype pollution issue      │
│                                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-29651             │
├────────────────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ braces (package.json)                              │ CVE-2024-4068  │          │        │ 3.0.2             │ 3.0.3         │ braces: fails to limit the number of characters it can │
│                                                    │                │          │        │                   │               │ handle                                                 │
│                                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4068              │
└────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

wis2box-webapp/node_modules/@esbuild/linux-x64/bin/esbuild (gobinary)
=====================================================================
Total: 4 (HIGH: 3, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.20.5            │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39325 │ HIGH     │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│         │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45[28](https://github.com/wmo-im/wis2box/actions/runs/9644247386/job/26705514969?pr=699#step:6:29)3 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│         │                │          │        │                   │                                  │ prefix as...                                                 │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-[45](https://github.com/wmo-im/wis2box/actions/runs/9644247386/job/26705514969?pr=699#step:6:46)288                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘

GHA result here https://github.com/wmo-im/wis2box/actions/runs/9644247386/job/26705514969?pr=699
@maaikelimper maaikelimper added the security Security label Jun 26, 2024
@maaikelimper maaikelimper added this to the sprint-015 milestone Jun 26, 2024
@RoryPTB RoryPTB mentioned this issue Jun 26, 2024
Merged
@tomkralidis
Copy link
Collaborator

In support of #652

@tomkralidis tomkralidis modified the milestones: sprint-015, sprint-016 Aug 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maaikelimper maaikelimper

@david-i-berry david-i-berry

@RoryPTB RoryPTB

Labels
security Security
Projects
None yet
Milestone
sprint-016
Development

No branches or pull requests
4 participants
@tomkralidis @maaikelimper @david-i-berry @RoryPTB