[Docs]: list of false-postive CVEs (handlebars, etc)
What is your suggestion?
We evaluate coder in a high security offline environment. For that, we scanned our workspace image (with code-server preinstalled) with Trivy. There were critical CVEs found, but we think that they are false positives. Can you please confirm that? This could be added to the docs too.
We found the handlebars CVEs CVE-2019-19919, CVE-2021-23369, CVE-2021-23383 in code-server/lib/code-server-4.13.0/lib/vscode/extensions/handlebars/package.json
We think that Trivy is misled by the name of this component and thinks that it refers to handlebars on npm and not to the VS Code plugin with the same name.
How will this improve the docs?
Security-oriented teams like us will benefit from that because they can forward the false-positive list to their security team to still get the permission to use the software.
Can you confirm that CVEs are false-positives, so that we can forward that to the security team responsible for us?
Ah yup, we have run into this ourselves before (and with many others in lib/vscode/extensions). Your analysis is spot-on; that is indeed a false positive.
Adding this to the docs makes sense to me, maybe to SECURITY.md.
Anchore Grype has the same problem with the custom handlebars as Trivy.
Here's the list of such detections for v4.16.1:
| Package | Installed version | Vulnerability ID | Severity | Location |
|---|---|---|---|---|
| handlebars | 1.0.0 | GHSA-765h-qjxv-5f44 | Critical | /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json |
| handlebars | 1.0.0 | GHSA-f2jv-r9rf-7988 | Critical | /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json |
| handlebars | 1.0.0 | GHSA-w457-6q6x-cgp9 | Critical | /usr/lib/code-server/lib/vscode/extensions/handlebars/package.json |
More importantly, critical vulnerabilities are also detected in the vm2 node module used in v4.16.1:
| Package | Installed version | Vulnerability ID | Severity | Location |
|---|---|---|---|---|
| vm2 | 3.9.19 | GHSA-cchq-frgv-rjh5 | Critical | /usr/lib/code-server/node_modules/vm2/package.json |
| vm2 | 3.9.19 | GHSA-g644-9gfx-q4q4 | Critical | /usr/lib/code-server/node_modules/vm2/package.json |
Due to them the vm2 NPM package will be discontinued. I've opened a separate issue with code-server (https://github.com/coder/code-server/issues/6387) to let us replace this vulnerable package here.
Any actual solution to the handlebars issue being pursued? I see the other vulnerability was addressed in #6387.
The best we can do as far as work in this repo is to document in SECURITY.md that anything in the format lib/vscode/extensions/$name/package.json is a false positive. Unless Trivy becomes smarter about how it detects npm packages, I think it will always appear in security scans.
For folks using Trivy, maybe we can recommend something like trivy --skip-files "lib/vscode/extensions/*/package.json"? I have not tested that flag but it seems like it should work based on the documentation. https://aquasecurity.github.io/trivy/v0.50/docs/configuration/skipping/
Oh also I just found https://github.com/aquasecurity/trivy/discussions/6112
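For teams that need to hand a reviewed list to their security team, a script that post-processes the scanner output is more defensible than blanket-skipping paths with `--skip-files`, because it can check that the package.json at the flagged location really is a VS Code extension manifest (it has a `publisher`, `engines.vscode` and `contributes`) and not a copy of the npm package. The following is an added example, not code from code-server, Trivy or this thread; the report structure (`Results[].Vulnerabilities[]` with `PkgName`, `InstalledVersion`, `VulnerabilityID`, `Severity`, `PkgPath`) is modelled on Trivy's JSON output and should be checked against what your Trivy version emits, and both the report and the manifests below are constructed samples based on the v4.16.1 findings quoted above. It suppresses the handlebars extension finding and keeps the vm2 one.

```python
"""Triage scanner findings for code-server images.

Added example (not part of the code-server project or the issue thread).
Assumption: the report mirrors Trivy's JSON output shape; verify the field
names against a real `trivy image --format json` run before relying on it.
"""
import fnmatch
import json

# Path patterns the thread identifies as false positives: the manifest of
# every VS Code built-in extension under lib/vscode/extensions/<name>/.
FALSE_POSITIVE_GLOBS = ("*/lib/vscode/extensions/*/package.json",)

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.loads(r"""
{
  "Results": [
    {
      "Target": "Node.js",
      "Class": "lang-pkgs",
      "Type": "node-pkg",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2019-19919", "PkgName": "handlebars",
         "InstalledVersion": "1.0.0", "Severity": "CRITICAL",
         "PkgPath": "usr/lib/code-server/lib/vscode/extensions/handlebars/package.json"},
        {"VulnerabilityID": "GHSA-cchq-frgv-rjh5", "PkgName": "vm2",
         "InstalledVersion": "3.9.19", "Severity": "CRITICAL",
         "PkgPath": "usr/lib/code-server/node_modules/vm2/package.json"}
      ]
    }
  ]
}
""")

# Constructed package.json contents for the two locations above. A VS Code
# extension manifest carries "publisher", "engines.vscode" and "contributes";
# a plain npm library such as vm2 does not. In practice, read these from the
# image filesystem at the PkgPath of each finding.
SAMPLE_MANIFESTS = {
    "usr/lib/code-server/lib/vscode/extensions/handlebars/package.json": {
        "name": "handlebars", "version": "1.0.0", "publisher": "vscode",
        "engines": {"vscode": "*"},
        "contributes": {"languages": [{"id": "handlebars"}]},
    },
    "usr/lib/code-server/node_modules/vm2/package.json": {
        "name": "vm2", "version": "3.9.19", "main": "index.js",
    },
}


def is_vscode_extension_manifest(manifest: dict) -> bool:
    """True if the package.json describes a VS Code extension, not an npm lib."""
    engines = manifest.get("engines") or {}
    return "publisher" in manifest and ("vscode" in engines or "contributes" in manifest)


def matches_false_positive_path(path: str) -> bool:
    """True if the finding's path is one of the documented false-positive patterns."""
    return any(fnmatch.fnmatchcase(path, g) for g in FALSE_POSITIVE_GLOBS)


def triage(report: dict, manifests: dict):
    """Split findings into (real, suppressed).

    A finding is suppressed only when BOTH hold: its path matches a known
    false-positive pattern AND the manifest at that path really is a VS Code
    extension. A genuine npm package dropped into that directory, or a path
    whose manifest could not be read, is still reported.
    """
    real, suppressed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            path = vuln.get("PkgPath", "")
            manifest = manifests.get(path)
            if (matches_false_positive_path(path) and manifest is not None
                    and is_vscode_extension_manifest(manifest)):
                suppressed.append({**vuln, "Reason": "VS Code extension manifest, not the npm package"})
            else:
                real.append(vuln)
    return real, suppressed


if __name__ == "__main__":
    real, suppressed = triage(SAMPLE_REPORT, SAMPLE_MANIFESTS)
    for v in suppressed:
        print(f"SUPPRESSED {v['VulnerabilityID']} {v['PkgName']}@{v['InstalledVersion']}: {v['Reason']}")
    for v in real:
        print(f"REAL       {v['VulnerabilityID']} {v['PkgName']}@{v['InstalledVersion']} ({v['Severity']})")
```

The suppressed list, with its reason column, is what you would attach to the SECURITY.md note or forward to the reviewing security team; the real list (here, vm2) is what still needs a fix rather than an exception.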