
Add Anchor security scan

Open rugk opened this issue 3 years ago • 4 comments

The tool seems to cover JS, which is useful for us and standard container dependencies.

https://github.com/anchore/grype

rugk avatar Jun 04 '21 22:06 rugk

I think what it tries to tell is that it looks at the package.json, sees the version as 1.3.0 and therefore assumes we are affected by the CVE we published on that release. I checked and it seems that we indeed forgot to increment the version string in that file, probably in the 1.3.1 release. I now use sed to match and replace these numbers during publication, but I seem to have omitted that file. I'll change package.json and Makefile in master and we could add this check after the next release got published.

Edit: Fixed in https://github.com/PrivateBin/PrivateBin/commit/a2ffbafa136fb8db83e956c2a63f4974f9f6103f

elrido avatar Jun 05 '21 07:06 elrido
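The failure elrido describes above (a scanner matching the image against the project's own CVE because package.json still carried the previous release's version string) is exactly the kind of drift a release-time consistency check catches. The following is an added example, not PrivateBin's own release tooling: it reads the `version` field from package.json and compares it with the version string in the other release-bearing files. The file list beyond package.json, the `VERSION = x.y.z` Makefile line format and the sample file contents are assumptions constructed for this example.

```python
"""Release-version consistency check.

Added example, not PrivateBin's own release tooling. It checks that the
"version" field in package.json agrees with the version string recorded in
the other release-bearing files, so a scanner does not match the image
against a CVE that was fixed in a later release. The file names other than
package.json, the Makefile line format and the sample contents are
assumptions constructed for this example.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed: one regex per version-bearing file whose first group is the version.
# package.json is handled separately because it is parsed as JSON.
VERSION_PATTERNS: Dict[str, "re.Pattern"] = {
    "Makefile": re.compile(r"^VERSION\s*=\s*(\S+)\s*$", re.MULTILINE),
}

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def read_version(root: Path, name: str) -> Optional[str]:
    """Return the version string recorded in root/name, or None if absent."""
    path = root / name
    if not path.is_file():
        return None
    text = path.read_text()
    if name == "package.json":
        return json.loads(text).get("version")
    match = VERSION_PATTERNS[name].search(text)
    return match.group(1) if match else None


def check_versions(root: Path, expected: str) -> List[str]:
    """Return 'file: found' entries for every file that disagrees with expected.

    A missing file or a missing version string also counts as a mismatch: a
    release script that silently skips a file is how a stale version string
    survives into a published image.
    """
    if not SEMVER.match(expected):
        raise ValueError(f"not a release version: {expected!r}")
    problems = []
    for name in ["package.json", *VERSION_PATTERNS]:
        found = read_version(root, name)
        if found != expected:
            problems.append(f"{name}: {found}")
    return problems


def demo(package_json_version: str, makefile_version: str, expected: str) -> List[str]:
    """Write constructed sample files into a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(
            json.dumps({"name": "privatebin", "version": package_json_version})
        )
        (root / "Makefile").write_text(
            f"VERSION = {makefile_version}\n\nall:\n\t@echo building $(VERSION)\n"
        )
        return check_versions(root, expected)


if __name__ == "__main__":
    # The situation from the thread: Makefile bumped, package.json left at 1.3.0.
    for line in demo("1.3.0", "1.3.1", "1.3.1"):
        print("version mismatch ->", line)
```

Run it as the last step of the release script with the version being published as `expected`; a non-empty result should abort the publication rather than just print, since the point is to catch the one file the sed pass did not touch.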

Great. Note that in order to increment the package.json you can also use the npm version command… :slightly_smiling_face:

rugk avatar Jun 06 '21 15:06 rugk

Re-triggered this thingy (via a simple merge), so let's see how the situation may have improved since our last try… :upside_down_face:

rugk avatar Feb 28 '22 22:02 rugk

Error: Failed minimum severity level. Found vulnerabilities with level medium or higher

Well nice, but where/how are these? :sweat_smile:

Also in GitHub's advanced code scanning tab I could find nothing

rugk avatar Feb 28 '22 22:02 rugk
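The "Failed minimum severity level" line quoted above only states that the threshold was crossed; the per-finding detail (which package, which version, which file path in the image, which CVE) is in the report grype produces when asked for JSON output (`grype -o json`). The following is an added example, not part of the thread and not code from grype or the scan action: it filters such a report down to the findings at or above a cutoff. The report is constructed, with placeholder CVE ids, and the field names used (`matches[].vulnerability.id` / `.severity`, `matches[].artifact.name` / `.version` / `.type` / `.locations[].path`) reflect grype's JSON schema as I know it; confirm them against the output of your grype version before relying on this.

```python
"""List the grype findings behind a "Failed minimum severity level" result.

Added example, not part of the original thread or of grype/scan-action.
The sample report is constructed for this example with placeholder CVE ids;
the field names are assumptions about grype's JSON output schema.
"""
import json
from typing import Dict, List

# Severity order as grype reports it. Unknown is ranked below Negligible
# here, so an Unknown-severity match would NOT trip a Medium cutoff; treat
# that as a deliberate (and debatable) choice.
SEVERITY_RANK: Dict[str, int] = {
    "unknown": 0,
    "negligible": 1,
    "low": 2,
    "medium": 3,
    "high": 4,
    "critical": 5,
}

# Constructed sample report. The first match mirrors the thread's situation:
# the npm package metadata still says 1.3.0, so the scanner matches it.
SAMPLE_REPORT = json.loads("""
{
  "matches": [
    {
      "vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Medium"},
      "artifact": {"name": "privatebin", "version": "1.3.0", "type": "npm",
                   "locations": [{"path": "/var/www/package.json"}]}
    },
    {
      "vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Low"},
      "artifact": {"name": "busybox", "version": "1.33.1-r0", "type": "apk",
                   "locations": [{"path": "/lib/apk/db/installed"}]}
    },
    {
      "vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "High"},
      "artifact": {"name": "libssl1.1", "version": "1.1.1k-r0", "type": "apk",
                   "locations": [{"path": "/lib/apk/db/installed"}]}
    }
  ]
}
""")


def findings_at_or_above(report: dict, cutoff: str) -> List[Dict[str, str]]:
    """Return findings whose severity is at or above cutoff, worst first."""
    threshold = SEVERITY_RANK[cutoff.lower()]
    hits = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        severity = vuln.get("severity", "Unknown")
        if SEVERITY_RANK.get(severity.lower(), 0) < threshold:
            continue
        artifact = match["artifact"]
        paths = [loc["path"] for loc in artifact.get("locations", [])]
        hits.append({
            "id": vuln["id"],
            "severity": severity,
            "package": f"{artifact['name']}@{artifact['version']} ({artifact.get('type', '?')})",
            "path": ", ".join(paths) or "-",
        })
    hits.sort(key=lambda h: SEVERITY_RANK[h["severity"].lower()], reverse=True)
    return hits


if __name__ == "__main__":
    # Same cutoff as the failing CI run: medium or higher.
    for hit in findings_at_or_above(SAMPLE_REPORT, "medium"):
        print(f"{hit['severity']:<9} {hit['id']:<18} {hit['package']:<32} {hit['path']}")
```

Printed against a real report, the `path` column is what answers the "where" question: a match whose location is the application's own package.json, with a version older than what is actually deployed, points at stale release metadata rather than at a vulnerable dependency, which is the case this thread diagnosed.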