nodejs@16.18.1-deb-1nodesource1 package contains security issues #45499

Closed
marcossv9 opened this issue Nov 17, 2022 · 1 comment
Labels
wrong repo Issues that should be opened in another repository.

Comments

@marcossv9

Version

v16.18.1

Platform

Linux 31c25ca4ff57 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

We have found these security issues while scanning containers using the snyk tool:

snyk container test <our_ubuntu22:04_based_container> --policy-path=.snyk --severity-threshold=high

Testing <our_ubuntu22:04_based_container>...

✗ High severity vulnerability found in nodejs
  Description: Loop with Unreachable Exit Condition ('Infinite Loop')
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2775540
  Introduced through: nodejs@16.18.1-deb-1nodesource1
  From: nodejs@16.18.1-deb-1nodesource1
  Image layer: 'apt-get install -y nodejs'

✗ High severity vulnerability found in nodejs
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2782481
  Introduced through: nodejs@16.18.1-deb-1nodesource1
  From: nodejs@16.18.1-deb-1nodesource1
  Image layer: 'apt-get install -y nodejs'

Organization:      myorg
Package manager:   deb
Project name:      docker-image|<our_ubuntu22:04_based_container>
Docker image:      <our_ubuntu22:04_based_container>
Platform:          linux/amd64
Base image:        ubuntu:22.04
Local Snyk policy: found
Licenses:          enabled

Tested 264 dependencies for known issues, found 2 issues.

According to our scan, you are currently using the most secure version of the selected base image

Learn more: https://docs.snyk.io/products/snyk-container/getting-around-the-snyk-container-ui/base-image-detection

That's because we use the latest ubuntu container as base, and then we install nodejs using:

RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
    && apt-get install -y nodejs

How often does it reproduce? Is there a required condition?

Every time we scan the container using snyk.

What is the expected behavior?

After we run snyk container test command, the nodejs package should not contain any security issue.

What do you see instead?

See output above.

Additional information

There is no updated deb package for that version of nodejs, so we can't install a patched version of it.
Please see the available deb versions here:

https://security.snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2782481
https://security.snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2775540
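
As an added example (not part of this issue, of Snyk's tooling or of NodeSource's packaging), the Python below parses the plain-text report quoted above into structured findings, applies the same gate as the `--severity-threshold=high` flag, and flags packages whose Debian revision names a third-party vendor: the `-1nodesource1` suffix shows nodejs came from the NodeSource repository rather than the Ubuntu archive, so a SNYK-UBUNTU2204 advisory keyed on the distro's nodejs package needs to be confirmed against NodeSource's own fixed versions. The function names and the revision heuristic are this example's own assumptions; the sample input is the two findings from the issue.

```python
import re
from collections import namedtuple

# Constructed sample: the two findings from the snyk report quoted in the issue above.
SAMPLE_OUTPUT = """\
✗ High severity vulnerability found in nodejs
  Description: Loop with Unreachable Exit Condition ('Infinite Loop')
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2775540
  Introduced through: nodejs@16.18.1-deb-1nodesource1
  From: nodejs@16.18.1-deb-1nodesource1
  Image layer: 'apt-get install -y nodejs'

✗ High severity vulnerability found in nodejs
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2782481
  Introduced through: nodejs@16.18.1-deb-1nodesource1
  From: nodejs@16.18.1-deb-1nodesource1
  Image layer: 'apt-get install -y nodejs'
"""

HEADER = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")
FIELD = re.compile(r"^\s+([A-Za-z ]+): (.*)$")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
Finding = namedtuple("Finding", "severity package version snyk_id layer")

def parse_snyk_text(text):
    """Split the report into blank-line separated blocks; keep those with a severity header."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # summary blocks ("Organization:", "Tested ...") are not findings
        fields = {m.group(1): m.group(2) for m in map(FIELD.match, lines[1:]) if m}
        pkg, _, version = fields.get("Introduced through", "").partition("@")
        findings.append(Finding(head.group(1).lower(), pkg, version,
                                fields.get("Info", "").rsplit("/", 1)[-1],
                                fields.get("Image layer", "").strip("'")))
    return findings

def at_or_above(findings, threshold="high"):
    """Findings that fail a gate like the issue's --severity-threshold=high."""
    return [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]]

def non_distro_revision(version):
    """True when the Debian revision names a non-Ubuntu vendor ('-1nodesource1', not
    '-1ubuntu3'): confirm the distro-feed advisory against that vendor's packages."""
    revision = version.rsplit("-", 1)[-1]
    return not (revision.isdigit() or "ubuntu" in revision)
```

For a flagged package, `apt-cache policy nodejs` inside the image shows which repository it was installed from; in a real pipeline prefer `snyk container test --json` over scraping the text report.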

@cjihrig

cjihrig commented Nov 17, 2022

Please open this on the NodeSource repo (I think it's https://github.com/nodesource/distributions).
