This repository has been archived by the owner on Jul 26, 2022. It is now read-only.

High severity vulnerabilities on 8.5.0 #890

Closed
jmoyano-koa opened this issue Dec 31, 2021 · 6 comments

@jmoyano-koa

Hello,

current 8.5.0 has two High and Critical vulnerable dependencies as per our scans. See attached console output.

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock     -v ${PWD}/cache:/root/.cache/ aquasec/trivy:0.21.1 ghcr.io/external-secrets/kubernetes-external-secrets:8.5.0
2021-12-31T12:07:20.799Z	INFO	Detected OS: alpine
2021-12-31T12:07:20.799Z	INFO	Detecting Alpine vulnerabilities...
2021-12-31T12:07:20.800Z	INFO	Number of language-specific files: 1
2021-12-31T12:07:20.800Z	INFO	Detecting node-pkg vulnerabilities...

ghcr.io/external-secrets/kubernetes-external-secrets:8.5.0 (alpine 3.14.3)
==========================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

Vulnerable packages are in:

"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json","3.0.0","5.0.1, 6.0.1"
"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json","4.1.0","5.0.1, 6.0.1"
"CVE-2021-3918","json-schema","usr/local/lib/node_modules/npm/node_modules/json-schema/package.json","0.2.3","0.4.0"

Is this deployment vulnerable? Has it been evaluated? Didn't find any issue or security advisory on this.

@Flydiverny
Member

ansi-regex is used in dev dependencies.
Don't see 3.0.0 or 4.1.0 in the tree though. There is a transitive dependency with version 2.1.1 and the rest are resolving 5.0.1.

❯ npm ls ansi-regex
[email protected] /home/flydiverny/Code/github/kubernetes-external-secrets
├─┬ @ibm-cloud/[email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └── [email protected]
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └── [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected]
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ └─┬ [email protected]
│ │   └─┬ [email protected]
│ │     └── [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ ├─┬ [email protected]
│   │ │ └── [email protected]
│   │ └─┬ [email protected]
│   │   └─┬ [email protected]
│   │     └── [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     ├─┬ [email protected]
│     │ └─┬ [email protected]
│     │   └─┬ [email protected]
│     │     └── [email protected]
│     ├─┬ [email protected]
│     │ └─┬ [email protected]
│     │   └── [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └─┬ [email protected]
│           └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

for json-schema #891

@Flydiverny
Member

8.5.1 released with bumped json-schema

@Flydiverny
Member

Also see #864

@jmoyano-koa
Author

Hi @Flydiverny,

thanks for solving the issue with json-schema.
Related to ansi-regex libraries, both affected libraries are global from the alpine base image I think:
"usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json","3.0.0"
"usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json","4.1.0"

Although I'm not able to find a non-vulnerable version...

Kind regards,
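
The check the two comments above are circling (are the flagged copies part of the application's dependency tree or of the npm CLI the base image ships, and does the installed version actually fall below a listed fix?) as an added example. This is not code from kubernetes-external-secrets, trivy or npm. It assumes the CSV layout quoted in the issue (CVE, package, path, installed version, fixed versions), treats a finding as fixed only when a listed fix shares the installed major version and the installed version is not below it (a simplification of the scanner's FIXED VERSION column, written here), and attributes any path under `usr/local/lib/node_modules/npm/` to the base image's bundled npm rather than to the application. The rootfs built by `demo_rootfs` is constructed for the example.

```python
"""Triage npm findings from an image scan: which copies belong to the bundled npm CLI,
and which installed versions are below a listed fix. Added example, not project code."""
import csv
import io
import json
import os
import tempfile
from typing import Dict, List, NamedTuple, Tuple

# The node:alpine base image installs the npm CLI here; the application's own
# dependency tree lives elsewhere (assumption used as the triage rule).
NPM_CLI_PREFIX = "usr/local/lib/node_modules/npm/"

# Constructed input: the three records quoted in the issue above.
SCAN_CSV = """\
"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json","3.0.0","5.0.1, 6.0.1"
"CVE-2021-3807","ansi-regex","usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex/package.json","4.1.0","5.0.1, 6.0.1"
"CVE-2021-3918","json-schema","usr/local/lib/node_modules/npm/node_modules/json-schema/package.json","0.2.3","0.4.0"
"""


class Finding(NamedTuple):
    cve: str
    pkg: str
    path: str
    installed: str
    fixed: Tuple[str, ...]


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.0.1' -> (5, 0, 1); pre-release suffixes are not expected in this input."""
    return tuple(int(part) for part in v.split("."))


def is_fixed(installed: str, fixed_versions: Tuple[str, ...]) -> bool:
    """True if some listed fix shares the installed major and installed >= fix (simplification)."""
    inst = parse_version(installed)
    for fix in fixed_versions:
        fv = parse_version(fix)
        if fv[0] == inst[0] and inst >= fv:
            return True
    return False


def parse_findings(text: str) -> List[Finding]:
    """Parse the quoted CSV layout; the fixed-version field may hold several versions."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        cve, pkg, path, installed, fixed = row
        out.append(Finding(cve, pkg, path, installed,
                           tuple(s.strip() for s in fixed.split(","))))
    return out


def origin(path: str) -> str:
    """'npm-cli' for copies under the base image's npm, otherwise 'application'."""
    return "npm-cli" if path.startswith(NPM_CLI_PREFIX) else "application"


def triage(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each flagged path to (CVE, origin, 'vulnerable' | 'fixed')."""
    result = {}
    for f in parse_findings(text):
        status = "fixed" if is_fixed(f.installed, f.fixed) else "vulnerable"
        result[f.path] = (f.cve, origin(f.path), status)
    return result


def find_package_copies(root: str, pkg: str) -> Dict[str, str]:
    """Every node_modules/<pkg>/package.json under root -> {relative dir: version}.

    Run against an unpacked image filesystem this lists all installed copies,
    which is what the scanner sees and what `npm ls` on a source checkout does not show.
    """
    copies = {}
    for dirpath, _dirs, files in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if os.path.basename(dirpath) == pkg and parent == "node_modules" and "package.json" in files:
            with open(os.path.join(dirpath, "package.json")) as fh:
                rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
                copies[rel] = json.load(fh)["version"]
    return copies


def demo_rootfs() -> str:
    """Constructed stand-in for an image rootfs: one copy under the npm CLI, one in the app."""
    root = tempfile.mkdtemp()
    layout = [
        ("usr/local/lib/node_modules/npm/node_modules/yargs/node_modules/ansi-regex", "4.1.0"),
        ("app/node_modules/ansi-regex", "5.0.1"),
    ]
    for rel, version in layout:
        d = os.path.join(root, rel)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w") as fh:
            json.dump({"name": "ansi-regex", "version": version}, fh)
    return root


if __name__ == "__main__":
    for path, (cve, where, status) in triage(SCAN_CSV).items():
        print(f"{cve} {status:10} {where:11} {path}")
    for rel, version in find_package_copies(demo_rootfs(), "ansi-regex").items():
        print(f"ansi-regex@{version} [{origin(rel)}] {rel}")
```

Against the records in this thread every flagged path resolves to `npm-cli`, which matches what the two comments above conclude from different directions: the application's tree never contained ansi-regex 3.0.0 or 4.1.0, and the scanner is reporting the npm CLI's own vendored copies. The remaining question for whoever deploys the image is whether the container ever runs `npm` at all; if the entrypoint does not invoke it, deleting `/usr/local/lib/node_modules/npm` in the final image stage removes both the findings and the code.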

@github-actions

github-actions bot commented Apr 4, 2022

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the Stale label Apr 4, 2022
@github-actions

github-actions bot commented May 4, 2022

This issue was closed because it has been stalled for 30 days with no activity.

@github-actions github-actions bot closed this as completed May 4, 2022