seal-community / patches Goto Github PK

I am building a docker image and pushing it to AWS ECR. For Scanning i have enabled "Enhanced Scanning" with AWS Inspector. In scanning results i am getting "CVE-2023-42282 - ip" vulnerability.

In Remediation, i found:

Upgrade your installed software packages to the proposed fixed in version and release.
Update ip to 2.0.1

although i have installed [email protected] with npm install [email protected] in my nodeJS project but still the vulnerability exists.

I have tried the https://github.com/json5/json5/tree/v2.0.1 by:
Downloading the repo & patch.
Move the downloaded patch file (0001-CVE-2022-46175.patch) to the source code folder of json5.
Apply the patch: git apply 0001-CVE-2022-46175.patch
Pack it: npm pack (it creates a tgz file)
Installing the patch: npm install <path_to_package_tgz>

But still i am unable to remove the ip vulnerability. How can i fix it?

Hi Team,

Thanks for the great work you are doing by patching the (security) vulnerabilities in the open-source projects! 🎉👏🙏

One quick question: do you contribute these patches back to the vendors or just collect it here?

I've seen that in case of the ip npm package you proposed your fixes in a comment of a pull request that fixes the same problem in a different way.

However, in case of jackson-databind, I have not seen your proposed fixes in their repository. (Maybe I've missed the PR.)

I think, it would be a huge loss if your patches would be just laying around here without being contributed to the vendors, thereby helping their efforts of closing security loopholes and making the software ecosystem more secure and reliable.