trivy
feat(pnpm): add support of Lockfile v9
Description
pnpm released lockfile v9 (see https://github.com/pnpm/pnpm/pull/7666, https://github.com/pnpm/pnpm/pull/7861).
We need to add support for this.
Discussed in https://github.com/aquasecurity/trivy/discussions/6503
I created https://github.com/pnpm/spec/issues/6 about specification for lockfile v9.
One issue I've noticed is that Trivy is treating all @types/[package] entries as if they are the package.
For example, with lockfileVersion: '6.0', the YAML for nodemailer and @types/nodemailer is:
```yaml
packages:
  /@types/[email protected]:
    resolution: {integrity: sha512-fUWthHO9k9DSdPCSPRqcu6TWhYyxTBg382vlNIttSe9M7XfsT06y0f24KHXtbnijPGGRIcVvdKHTNikOI6qiHA==}
    dependencies:
      '@types/node': 20.12.4
    dev: true
  /[email protected]:
    resolution: {integrity: sha512-7o38Yogx6krdoBf3jCAqnIN4oSQFx+fMa0I7dK1D+me9kBxx12D+/33wSb+fhOCtIxvYJ+4x4IMEhmhCKfAiOA==}
    engines: {node: '>=6.0.0'}
    dev: false
```
Trivy does not detect any problems with these packages. But with lockfileVersion: '9.0', the YAML has become:
```yaml
packages:
  '@types/[email protected]':
    resolution: {integrity: sha512-fUWthHO9k9DSdPCSPRqcu6TWhYyxTBg382vlNIttSe9M7XfsT06y0f24KHXtbnijPGGRIcVvdKHTNikOI6qiHA==}
  [email protected]:
    resolution: {integrity: sha512-7o38Yogx6krdoBf3jCAqnIN4oSQFx+fMa0I7dK1D+me9kBxx12D+/33wSb+fhOCtIxvYJ+4x4IMEhmhCKfAiOA==}
    engines: {node: '>=6.0.0'}

snapshots:
  '@types/[email protected]':
    dependencies:
      '@types/node': 20.12.7
  [email protected]: {}
```
When Trivy runs on this file, the output includes:

```
├────────────┼─────────────────────┼──────────┤ ├───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ nodemailer │ CVE-2020-7769       │ CRITICAL │ │ 6.4.14            │ 6.4.16               │ This affects the package nodemailer before 6.4.16. Use of    │
│            │                     │          │ │                   │                      │ crafted reci ......                                          │
│            │                     │          │ │                   │                      │ https://avd.aquasec.com/nvd/cve-2020-7769                    │
│            ├─────────────────────┼──────────┤ │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2021-23400      │ MEDIUM   │ │                   │ 6.6.1                │ The package nodemailer before 6.6.1 are vulnerable to HTTP   │
│            │                     │          │ │                   │                      │ Header Inje ......                                           │
│            │                     │          │ │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-23400                   │
│            ├─────────────────────┤          │ │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│            │ GHSA-9h6g-pr28-7cqp │          │ │                   │ 6.9.9                │ nodemailer ReDoS when trying to send a specially crafted     │
│            │                     │          │ │                   │                      │ email                                                        │
│            │                     │          │ │                   │                      │ https://github.com/advisories/GHSA-9h6g-pr28-7cqp            │
└────────────┴─────────────────────┴──────────┴────────┴───────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘
```
Am I right that there should be a check added for the version around: https://github.com/aquasecurity/trivy/blob/a5d485cf8a36f3f50b9fe4c3b58641eb364b8ed8/pkg/dependency/parser/nodejs/pnpm/parse.go#L56
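The comment above shows the two key formats a pnpm lockfile parser has to cope with: v6 keys carry a leading `/` and keep dependency edges inside each `packages` entry, while v9 keys drop the slash (quoting scoped names because they begin with `@`) and move the edges to a top-level `snapshots` map. The following is an added example, not Trivy's own parser, of reading such keys so that a scoped package like `@types/nodemailer` is never confused with `nodemailer`: the split happens at the last `@` after position 0, a trailing `(...)` peer-dependency suffix is discarded, and the `lockfileVersion` string decides whether `snapshots` must be consulted. It works on individual key strings rather than a whole YAML file, so it needs no YAML library. The function names `ParsePackageKey`, `ParseLockfileVersion` and `UsesSnapshots`, the `Package` type and the sample keys and versions are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Package is a dependency recovered from a pnpm-lock.yaml key (hypothetical type).
type Package struct {
	Name    string
	Version string
}

// ParseLockfileVersion returns the major number of the lockfileVersion field.
// pnpm writes it as a quoted string such as '6.0' or '9.0'.
func ParseLockfileVersion(s string) (int, error) {
	s = strings.Trim(strings.TrimSpace(s), `'"`)
	major, _, _ := strings.Cut(s, ".")
	v, err := strconv.Atoi(major)
	if err != nil || v <= 0 {
		return 0, fmt.Errorf("invalid lockfileVersion %q", s)
	}
	return v, nil
}

// UsesSnapshots reports whether resolved dependency edges live under the
// top-level "snapshots" map (v9) instead of inside each "packages" entry
// (v6 and earlier), as the two YAML excerpts in the thread show.
func UsesSnapshots(major int) bool { return major >= 9 }

// ParsePackageKey turns a key from the "packages" or "snapshots" map into a
// name/version pair. It accepts the v6 form (leading "/") and the v9 form
// (no slash, scoped names quoted). Because scoped names start with "@", the
// split is taken at the LAST "@" past index 0, never the first one. A
// trailing "(...)" peer-dependency suffix is dropped before splitting.
func ParsePackageKey(key string) (Package, error) {
	k := strings.Trim(strings.TrimSpace(key), `'"`)
	k = strings.TrimPrefix(k, "/")
	if i := strings.Index(k, "("); i >= 0 {
		k = k[:i]
	}
	at := strings.LastIndex(k, "@")
	if at <= 0 || at == len(k)-1 {
		return Package{}, errors.New("malformed package key: " + key)
	}
	return Package{Name: k[:at], Version: k[at+1:]}, nil
}

func main() {
	// Constructed keys in the shapes seen in the thread; versions are illustrative.
	keys := []string{
		"/@types/nodemailer@6.4.14",            // v6, scoped
		"/nodemailer@6.4.14",                   // v6, unscoped
		"'@types/nodemailer@6.4.14'",           // v9, quoted because of the leading "@"
		"nodemailer@6.4.14",                    // v9, unscoped
		"@types/foo@1.2.3(@types/node@20.12.7)", // peer-dependency suffix
		"@types/nodemailer",                    // malformed: no version
	}
	for _, key := range keys {
		p, err := ParsePackageKey(key)
		fmt.Printf("%-40s -> name=%q version=%q err=%v\n", key, p.Name, p.Version, err)
	}
	for _, v := range []string{"'6.0'", "'9.0'"} {
		major, err := ParseLockfileVersion(v)
		fmt.Printf("lockfileVersion %s -> major=%d snapshots=%v err=%v\n", v, major, UsesSnapshots(major), err)
	}
}
```

A parser that reads `dependencies` only from `packages` will see every v9 entry as dependency-free, so the version gate is what decides where the edges are read from; the key parsing itself can be shared by both formats once the slash is treated as optional.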
Very nice to see that the next version will support the new pnpm lock format. Is there already some estimation when this might be released?
Hello @svrnwnsch https://github.com/aquasecurity/trivy/milestone/34
Waiting for this as well. As it is fixed, it would be nice to ship this instead of waiting for other features ;)