
CVE-2023-42282 An issue in NPM IP Package when scanning with trivy #2030

Closed
moshen-maverick opened this issue Feb 13, 2024 · 5 comments

Comments

@moshen-maverick

Environment

  • Platform:
  • Docker Version:
  • Node.js Version:
  • Image Tag:
    node:20.11-alpine3.18
    node:20.11-alpine3.19
    node:21.6.1-alpine3.19

Expected Behavior

trivy image scan should pass

Current Behavior

trivy reports a high Severity CVE-2023-42282 for ip (package.json).
/usr/local/lib/node_modules/npm/node_modules/ip/package.json

This breaks our build.

Possible Solution

Steps to Reproduce

trivy image --format json node:20.11-alpine3.18

Additional Information

@SimenB
Member

SimenB commented Feb 13, 2024

That needs to be fixed in ip, then adopted in npm, then npm must be updated in node. At that point the fix will trickle down to the Docker image.

@SimenB SimenB closed this as completed Feb 13, 2024
@moshen-maverick
Author

But it looks like the IP project is not maintained anymore. Last commit was 2 years ago. You need to remove/replace the package.

@meyfa

meyfa commented Feb 13, 2024

npm is a separate product and not maintained by Node.js, much less the Node.js Docker folks. You need to raise this with npm Inc.

@nschonni nschonni closed this as not planned Won't fix, can't repro, duplicate, stale Feb 13, 2024
@tom-applab

tom-applab commented Feb 25, 2024

Hi @SimenB @meyfa. I am still facing this issue and would appreciate your help and guidance.
From my analysis, the IP package used by the node image is version 2.0.0. Fix suggestions show that this vulnerability has been fixed for versions 1.1.9 and 2.0.1.
The base image I am using: node:20.11.0-bookworm-slim
If the fixes are rolled out, could you guide me to the best image or advice on how to patch this?
I tried manually updating the IP package in the Dockerfile, but it does not work and all of the variations of the node base image I checked (including 20.11.1) still show this vulnerability.
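
The finding trivy reports above comes from npm's own bundled copy of ip at /usr/local/lib/node_modules/npm/node_modules/ip/package.json, not from an application's node_modules, which is why editing the app's dependencies in a Dockerfile leaves the scan result unchanged. The script below is an added example (not code from this thread, the node-docker project, or npm) that reads that exact file out of an image and classifies the version against the fixed releases tom-applab cites (1.1.9 for the 1.x line, 2.0.1 for the 2.x line). The embedded package.json is a constructed stand-in for the file in node:20.11-alpine3.18; the function names, the image argument and the "fixed/affected/unknown" labels are this example's own. Whether a given npm upgrade actually bundles a fixed ip is something this check verifies rather than assumes.

```shell
#!/bin/sh
# Added example: verify the ip version bundled inside npm in a node image.
# Not part of the node-docker project; version thresholds are the ones
# quoted in the thread (1.1.9 for 1.x, 2.0.1 for 2.x).

# Constructed sample standing in for
# /usr/local/lib/node_modules/npm/node_modules/ip/package.json
SAMPLE_PKG='{
  "name": "ip",
  "version": "2.0.0"
}'

# Path trivy flagged in the issue; the check reads this file, not the app's node_modules.
BUNDLED_IP_PKG=/usr/local/lib/node_modules/npm/node_modules/ip/package.json

# Extract the "version" field from package.json on stdin (first match only).
ip_version_from_package_json() {
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# semver_ge A B: exit 0 when A >= B comparing major.minor.patch numerically.
# A pre-release suffix (e.g. 2.0.1-rc.1) is dropped before comparing.
semver_ge() {
  a=${1%%-*}; b=${2%%-*}
  oldIFS=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldIFS
  if [ "$a1" -gt "$b1" ]; then return 0; fi
  if [ "$a1" -lt "$b1" ]; then return 1; fi
  if [ "$a2" -gt "$b2" ]; then return 0; fi
  if [ "$a2" -lt "$b2" ]; then return 1; fi
  [ "$a3" -ge "$b3" ]
}

# ip_status VERSION: prints "fixed", "affected", or "unknown" (major line not covered
# by the fix versions quoted in the thread, so it cannot be classified here).
ip_status() {
  case $1 in
    1.*) threshold=1.1.9 ;;
    2.*) threshold=2.0.1 ;;
    *)   echo unknown; return 0 ;;
  esac
  if semver_ge "$1" "$threshold"; then echo fixed; else echo affected; fi
}

# Read npm's bundled ip version straight out of an image (needs docker on PATH).
ip_version_in_image() {
  docker run --rm "$1" sh -c "cat $BUNDLED_IP_PKG" | ip_version_from_package_json
}

# Stand-alone use: pass an image tag to inspect it; with no argument the
# constructed sample is classified instead.
if [ -n "$1" ]; then
  v=$(ip_version_in_image "$1")
else
  v=$(printf '%s\n' "$SAMPLE_PKG" | ip_version_from_package_json)
fi
echo "bundled ip $v: $(ip_status "$v")"
```

Run as `sh check-ip.sh node:20.11-alpine3.18` in CI to get a yes/no answer for the exact file trivy scans; the same check run against any candidate base image (or an image where npm was upgraded in the Dockerfile) tells you whether the bundled copy actually changed, which is the only thing that will make this particular finding go away.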

@nschonni
Member

@nodejs nodejs locked as resolved and limited conversation to collaborators Feb 25, 2024