
After npm audit fix, trivy still has the same vulnerabilities in the HTML report

Open kamil1027 opened this issue 3 years ago • 4 comments

[image: Using minimist 1.2.5]

After npm audit fix:

[image: Using minimist 1.2.6]

[image]

In the report, it displays the 1.2.5 version of minimist. In my opinion, if I use npm audit fix, it should not display minimist because it has already been fixed by npm audit fix.

kamil1027 avatar Jun 21 '22 06:06 kamil1027

Hello @kamil1027 Thanks for your report!

If I understand correctly, npm audit fix doesn't fix dependencies in yarn.lock files (https://stackoverflow.com/questions/51732435/is-there-a-yarn-alternative-for-npm-audit).

Your report contains vulnerabilities from the yarn.lock file. The path to the file can be found using the --format json flag (Target field). For example:

➜ trivy fs -f json . 
2022-06-27T12:23:00.547+0600	INFO	Vulnerability scanning is enabled
2022-06-27T12:23:00.547+0600	INFO	Secret scanning is enabled
2022-06-27T12:23:00.547+0600	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-27T12:23:00.547+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.1/docs/secret/scanning/#recommendation for faster secret detection
2022-06-27T12:23:00.548+0600	INFO	Number of language-specific files: 1
2022-06-27T12:23:00.548+0600	INFO	Detecting yarn vulnerabilities...
{
  ...

  "Results": [
    {
      "Target": "test/yarn.lock",
      "Class": "lang-pkgs",
      "Type": "yarn",

  ...

Can you check your yarn.lock file?

Regards, Dmitriy

DmitriyLewen avatar Jun 27 '22 06:06 DmitriyLewen

In the yarn.lock file, some of the dependencies have been upgraded to the safe version. Dependency example: minimist

[image]

However, some dependencies have not been upgraded. Just like:

[image] [image]

I think this issue is caused by the dependency version. If I need to use a package with an outdated and risky version, there is no action that I can take. The only action is to wait for the package owner to update the package dependencies to a safe version.

That is my consideration about the question. Sorry for the late reply.

kamil1027 avatar Jul 04 '22 04:07 kamil1027

I think you can try to convert package-lock.json file into yarn.lock: https://stackoverflow.com/a/60878037. This may solve your problem.

DmitriyLewen avatar Jul 04 '22 04:07 DmitriyLewen
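As an added example (not code from the trivy project or from either participant in this thread): a Python check for the situation discussed above, where `npm audit fix` has rewritten package-lock.json but a committed yarn.lock still pins the old version, so a scanner whose Target is the yarn.lock keeps reporting it. It parses both lockfiles (yarn v1 format and package-lock.json lockfileVersion 1/2/3) and reports packages whose yarn.lock versions no longer appear in package-lock.json. The lockfile contents, package names and versions embedded below are constructed for illustration.

```python
"""Detect version drift between yarn.lock (v1) and package-lock.json.

Constructed example, not trivy code. `npm audit fix` rewrites
package-lock.json only, so a repo that also commits yarn.lock ends up
with two lockfiles that disagree; a scanner reads whichever it finds.
"""
import json
import re
from typing import Dict, Set

# Constructed sample lockfiles: package-lock.json has been bumped by
# `npm audit fix`, yarn.lock still pins the old minimist.
PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo"},
        "node_modules/minimist": {"version": "1.2.6"},
        "node_modules/mkdirp": {"version": "0.5.6"},
        "node_modules/@babel/code-frame": {"version": "7.16.7"},
    },
})

YARN_LOCK = '''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0":
  version "7.16.7"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.16.7.tgz"

minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz"

mkdirp@^0.5.1:
  version "0.5.6"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.6.tgz"
'''


def parse_yarn_lock(text: str) -> Dict[str, Set[str]]:
    """Map package name -> set of resolved versions from a yarn v1 lockfile."""
    versions: Dict[str, Set[str]] = {}
    current = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            # Header: one or more `name@range` specs, comma separated, maybe quoted.
            specs = [s.strip().strip('"') for s in line.rstrip()[:-1].split(",")]
            # rsplit on the last '@' keeps scoped names like @babel/code-frame intact.
            current = [s.rsplit("@", 1)[0] for s in specs]
            continue
        m = re.match(r'\s+version\s+"([^"]+)"', line)
        if m:
            for name in current:
                versions.setdefault(name, set()).add(m.group(1))
    return versions


def parse_package_lock(text: str) -> Dict[str, Set[str]]:
    """Map package name -> set of installed versions from package-lock.json."""
    data = json.loads(text)
    versions: Dict[str, Set[str]] = {}
    if "packages" in data:  # lockfileVersion 2 or 3
        for path, meta in data["packages"].items():
            if not path or "version" not in meta:
                continue  # "" is the root project entry
            name = path.rsplit("node_modules/", 1)[-1]
            versions.setdefault(name, set()).add(meta["version"])
        return versions

    def walk(deps):  # lockfileVersion 1: nested "dependencies" trees
        for name, meta in deps.items():
            if "version" in meta:
                versions.setdefault(name, set()).add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return versions


def lockfile_drift(yarn_text: str, npm_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Packages whose yarn.lock versions are not all present in package-lock.json.

    These are the versions `npm audit fix` moved away from but that a
    yarn-based install (and a scan of yarn.lock) still sees.
    """
    yarn = parse_yarn_lock(yarn_text)
    npm = parse_package_lock(npm_text)
    drift: Dict[str, Dict[str, Set[str]]] = {}
    for name, yarn_versions in sorted(yarn.items()):
        npm_versions = npm.get(name, set())
        if not yarn_versions <= npm_versions:
            drift[name] = {"yarn.lock": yarn_versions, "package-lock.json": npm_versions}
    return drift


if __name__ == "__main__":
    for name, where in lockfile_drift(YARN_LOCK, PACKAGE_LOCK).items():
        print(f"{name}: yarn.lock={sorted(where['yarn.lock'])} "
              f"package-lock.json={sorted(where['package-lock.json'])}")
```

On the constructed input only minimist is reported (1.2.5 in yarn.lock, 1.2.6 in package-lock.json), which is exactly the mismatch the HTML report above reflects. Running this against the two real files before regenerating yarn.lock tells you whether the scanner is reading a stale lockfile or whether the old version is genuinely still pulled in by a transitive dependency.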

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Sep 03 '22 00:09 github-actions[bot]