Comments (5)
I created pnpm/spec#6 about specification for lockfile v9.
Hello @svrnwnsch
https://github.com/aquasecurity/trivy/milestone/34
One issue I've noticed is that Trivy is treating all @types/[package] entries as if they are the package.
For example, with lockfileVersion: '6.0' the YAML for nodemailer and @types/nodemailer is:

packages:

  /@types/[email protected]:
    resolution: {integrity: sha512-fUWthHO9k9DSdPCSPRqcu6TWhYyxTBg382vlNIttSe9M7XfsT06y0f24KHXtbnijPGGRIcVvdKHTNikOI6qiHA==}
    dependencies:
      '@types/node': 20.12.4
    dev: true

  /nodemailer@6.4.14:
    resolution: {integrity: sha512-7o38Yogx6krdoBf3jCAqnIN4oSQFx+fMa0I7dK1D+me9kBxx12D+/33wSb+fhOCtIxvYJ+4x4IMEhmhCKfAiOA==}
    engines: {node: '>=6.0.0'}
    dev: false
Trivy does not detect any problems with these packages. But with lockfileVersion: '9.0', the YAML has become

packages:

  '@types/[email protected]':
    resolution: {integrity: sha512-fUWthHO9k9DSdPCSPRqcu6TWhYyxTBg382vlNIttSe9M7XfsT06y0f24KHXtbnijPGGRIcVvdKHTNikOI6qiHA==}

  nodemailer@6.4.14:
    resolution: {integrity: sha512-7o38Yogx6krdoBf3jCAqnIN4oSQFx+fMa0I7dK1D+me9kBxx12D+/33wSb+fhOCtIxvYJ+4x4IMEhmhCKfAiOA==}
    engines: {node: '>=6.0.0'}

snapshots:

  '@types/[email protected]':
    dependencies:
      '@types/node': 20.12.7

  nodemailer@6.4.14: {}
When Trivy runs on this file, the output includes
┌────────────┬─────────────────────┬──────────┬────────┬───────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │    Vulnerability    │ Severity │ Status │ Installed Version │    Fixed Version     │                            Title                             │
├────────────┼─────────────────────┼──────────┼────────┼───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ nodemailer │ CVE-2020-7769       │ CRITICAL │        │ 6.4.14            │ 6.4.16               │ This affects the package nodemailer before 6.4.16. Use of    │
│            │                     │          │        │                   │                      │ crafted reci ......                                          │
│            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2020-7769                    │
│            ├─────────────────────┼──────────┤        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2021-23400      │ MEDIUM   │        │                   │ 6.6.1                │ The package nodemailer before 6.6.1 are vulnerable to HTTP   │
│            │                     │          │        │                   │                      │ Header Inje ......                                           │
│            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-23400                   │
│            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│            │ GHSA-9h6g-pr28-7cqp │          │        │                   │ 6.9.9                │ nodemailer ReDoS when trying to send a specially crafted     │
│            │                     │          │        │                   │                      │ email                                                        │
│            │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-9h6g-pr28-7cqp            │
└────────────┴─────────────────────┴──────────┴────────┴───────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘
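The comment above shows the two key shapes a scanner has to handle: v6 keys such as `/@types/node@20.12.4` (leading slash) and v9 keys such as `'@types/node@20.12.7'` (no slash, same `name@version` form, plus a separate `snapshots:` section). The added example below is illustration code written for this thread; it is not Trivy's parser and not pnpm's code. It splits a key into (name, version) by taking the last `@` before any peer-dependency suffix, so the leading `@` of a scoped package like `@types/nodemailer` stays part of the name rather than being mistaken for the separator. The `(peer@version)` suffix handling follows pnpm's documented key format and is an assumption here; the version `6.4.14` used for `@types/nodemailer` in the sample input is constructed, since the thread does not give it.

```go
// Added illustration of splitting pnpm lockfile package keys into
// (name, version). Example code for this thread, not Trivy's or pnpm's.
package main

import (
	"fmt"
	"strings"
)

// LockfilePackage is the (name, version) pair recovered from one key under
// `packages:` (v6 and v9) or `snapshots:` (v9).
type LockfilePackage struct {
	Name    string
	Version string
}

// ParsePackageKey splits a pnpm lockfile package key into name and version.
//
// Key shapes handled:
//   v6: "/nodemailer@6.4.14", "/@types/node@20.12.4"
//   v9: "nodemailer@6.4.14",  "@types/node@20.12.7"
//   either, with a peer-dependency suffix (assumed form): "a@1.0.0(b@2.0.0)"
//
// The name/version separator is the LAST '@' before any '(' suffix, so the
// leading '@' of a scoped package such as @types/nodemailer is kept in the
// name instead of being confused with the separator.
func ParsePackageKey(key string) (LockfilePackage, error) {
	k := strings.TrimPrefix(key, "/") // v6 keys carry a leading "/", v9 keys do not
	if i := strings.IndexByte(k, '('); i >= 0 {
		k = k[:i] // drop "(peer@version)"; the version is what precedes it
	}
	at := strings.LastIndexByte(k, '@')
	// at == 0 means the only '@' is the scope marker, i.e. no version present.
	if at <= 0 || at == len(k)-1 {
		return LockfilePackage{}, fmt.Errorf("key %q has no name@version separator", key)
	}
	name, version := k[:at], k[at+1:]
	if strings.HasPrefix(name, "@") && !strings.Contains(name, "/") {
		return LockfilePackage{}, fmt.Errorf("key %q has a scope but no package name", key)
	}
	return LockfilePackage{Name: name, Version: version}, nil
}

// PackagesByName parses every key and indexes the result by full package name.
// A correct parser keeps "nodemailer" and "@types/nodemailer" as two distinct
// entries; attributing nodemailer advisories to the @types stub means the two
// were collapsed into one.
func PackagesByName(keys []string) (map[string]string, error) {
	out := make(map[string]string, len(keys))
	for _, k := range keys {
		p, err := ParsePackageKey(k)
		if err != nil {
			return nil, err
		}
		out[p.Name] = p.Version
	}
	return out, nil
}

func main() {
	// Constructed keys in the v9 shape from the thread. The version of
	// @types/nodemailer is not given on the page, so 6.4.14 is invented here.
	v9 := []string{"@types/nodemailer@6.4.14", "nodemailer@6.4.14", "@types/node@20.12.7"}
	byName, err := PackagesByName(v9)
	if err != nil {
		panic(err)
	}
	for name, version := range byName {
		fmt.Printf("%-20s %s\n", name, version)
	}
	// The same two packages as they appear in a v6 lockfile.
	for _, k := range []string{"/@types/nodemailer@6.4.14", "/nodemailer@6.4.14"} {
		p, _ := ParsePackageKey(k)
		fmt.Printf("%-28s -> %s %s\n", k, p.Name, p.Version)
	}
}
```

Applied to the v9 `packages:` keys from the comment, `PackagesByName` returns two separate entries, `nodemailer` at 6.4.14 and `@types/nodemailer` at its own version, which is the distinction a vulnerability match has to preserve.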
Am I right that there should be a check added for the version around:
Very nice to see that the next version will support the new pnpm lock format. Is there already an estimate of when this might be released?