Description
What is your suggestion?
We evaluate coder in a high security offline environment. For that, we scanned our workspace image with code-server preinstalled with trivy. There were crititcal CVEs found but we think that they are false positives. Can you please confirm that? This could be added to the docs too.
We found the handlebars CVEs cve-2019-19919, cve-2021-23369, cve-2021-23383 in code-server/lib/code-server-4.13.0/lib/vscode/extensions/handlebars/package.json
We think that Trivy is misled by the name of this component and thinks that it refers to handlebars on npm and not to the vs-code plugin with the same name.
How will this improve the docs?
Security-oriented teams like us will benefit from that because they can forward the false-positive list to their security team to still get the permission to use the software.
Can you confirm that CVEs are false-positives, so that we can forward that to the security team responsible for us?