Skip to content

[Docs]: list of false-postive CVEs (critical handlebars CVEs) #6332

Open
@alexander-dammeier

Description

@alexander-dammeier

What is your suggestion?

We evaluate coder in a high security offline environment. For that, we scanned our workspace image with code-server preinstalled with trivy. There were crititcal CVEs found but we think that they are false positives. Can you please confirm that? This could be added to the docs too.

We found the handlebars CVEs cve-2019-19919, cve-2021-23369, cve-2021-23383 in code-server/lib/code-server-4.13.0/lib/vscode/extensions/handlebars/package.json
We think that Trivy is misled by the name of this component and thinks that it refers to handlebars on npm and not to the vs-code plugin with the same name.

How will this improve the docs?

Security-oriented teams like us will benefit from that because they can forward the false-positive list to their security team to still get the permission to use the software.

Can you confirm that CVEs are false-positives, so that we can forward that to the security team responsible for us?

Metadata

Metadata

Assignees

No one assigned

    Labels

    docsDocumentation related

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions