code version instead of code-server version stored in package.json file causing false positive Critical CVE detection

Open mirekphd opened this issue 1 year ago • 7 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

OS/Web Information

Local, remote OS: Ubuntu 22.04
Remote Architecture: amd64

$ code-server --version
4.95.1 344df3875fee5979b5fda0c6bf00778d0ef1be48 with Code 1.95.1

Steps to Reproduce

  1. Having installed latest code-server check its version using two methods:

a) the --version switch:

$ code-server --version
4.95.1 344df3875fee5979b5fda0c6bf00778d0ef1be48 with Code 1.95.1

versus:

b) the version stored in package.json:

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "1.95.1",
  "private": true,
  "dependencies": {
    "@microsoft/1ds-core-js": "^3.2.13",
    "@microsoft/1ds-post-js": "^3.2.13",
    "@parcel/watcher": "2.1.0",
    "@vscode/deviceid": "^0.1.1",
    "@vscode/iconv-lite-umd": "0.7.0",
    "@vscode/proxy-agent": "^0.22.0",
    "@vscode/ripgrep": "^1.15.9",
    "@vscode/spdlog": "^0.15.0",
    "@vscode/tree-sitter-wasm": "^0.0.4",
    "@vscode/vscode-languagedetection": "1.0.21",
    "@vscode/windows-process-tree": "^0.6.0",
    "@vscode/windows-registry": "^1.1.0",
    "@xterm/addon-clipboard": "^0.2.0-beta.48",
    "@xterm/addon-image": "^0.9.0-beta.65",
    "@xterm/addon-search": "^0.16.0-beta.65",
    "@xterm/addon-serialize": "^0.14.0-beta.65",
    "@xterm/addon-unicode11": "^0.9.0-beta.65",
    "@xterm/addon-webgl": "^0.19.0-beta.65",
    "@xterm/headless": "^5.6.0-beta.65",
    "@xterm/xterm": "^5.6.0-beta.65",
    "cookie": "^0.7.0",
    "http-proxy-agent": "^7.0.0",
    "https-proxy-agent": "^7.0.2",
    "jschardet": "3.1.4",
    "kerberos": "2.1.1",
    "minimist": "^1.2.6",
    "native-watchdog": "^1.4.1",
    "node-pty": "^1.1.0-beta22",
    "tas-client-umd": "0.2.0",
    "vscode-oniguruma": "1.7.0",
    "vscode-regexpp": "^3.1.0",
    "vscode-textmate": "9.1.0",
    "yauzl": "^3.0.0",
    "yazl": "^2.4.3"
  },
  "overrides": {
    "node-gyp-build": "4.8.1",
    "[email protected]": {
      "node-addon-api": "7.1.0"
    },
    "@parcel/[email protected]": {
      "node-addon-api": "7.1.0"
    }
  },
  "type": "module"
}
  2. Run a vulnerability scanner such as Anchore Grype and see this false positive:
Package                              Version_Installed         Vulnerability_ID     .Severity  Locations_RealPath
 code-server                          1.95.1                    GHSA-frjg-g767-7363  Critical   /usr/lib/code-server/lib/vscode/package.json

Expected

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "4.95.1",
[..]

Actual

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "1.95.1",
[..]

Logs

No response

Screenshot/Video

No response

Does this bug reproduce in native VS Code?

This cannot be tested in native VS Code

Does this bug reproduce in GitHub Codespaces?

Yes, this is also broken in GitHub Codespaces

Are you accessing code-server over a secure context?

  • [x] I am using a secure context.

Notes

No response

mirekphd avatar Nov 08 '24 12:11 mirekphd

Hmm this is maybe tricky. The version number is accurate because it is meant to be the version of VS Code, which is 1.95.1.

But maybe we should change the name to code-oss or something like that.

code-asher avatar Nov 08 '24 20:11 code-asher

But maybe we should change the name to code-oss or something like that.

There are two app names and two versions here, so the full info would be two key:value pairs... or at least a matching pair :) Now we have a key from one pair and a value from another...

mirekphd avatar Nov 09 '24 19:11 mirekphd

We have two package.json files, one in the root and one in lib/vscode, the root one is code-server and the lib/vscode one is code-oss, which I think makes sense because architecturally they are implemented as separate applications and are separate codebases.

code-asher avatar Nov 12 '24 18:11 code-asher

Any updates on this? What exactly would be the problem with changing the name in /usr/lib/code-server/lib/vscode/package.json from code-server to code-oss?

delsner avatar Apr 09 '25 12:04 delsner

No problems with that change as far as I know, it just has not been done yet. I am not sure where it actually gets set, so it is an open question whether there is a line we should change, or if we should just set it again after building.

code-asher avatar Apr 10 '25 18:04 code-asher

I also ran into this same issue, and it is blocking for production deployment. What I noticed is that when I follow the breadcrumbs I end up in the microsoft/vscode repository. The package.json there has the following lines:

{
 "name": "code-oss-dev",
 "version": "1.103.0",
 ...
}

and when I check in the coder repository it says:

{
 "name": "code-server",
 "version": "0.0.0",
 ...
}

This looks like a sort of merge between the files, where the name is taken from one package.json file and the version from the other. This ends up being interpreted with the incorrect version.

Any idea when this will be picked up?

RubenAtBinx avatar Jul 25 '25 15:07 RubenAtBinx

Yeah somewhere along the line code-oss-dev becomes code-server but I am not sure where it happens. It is probably sufficient to just change it after we finish building as part of build-release.sh, although there may also be a variable to control the name, not sure.

I am not currently planning on picking this up, but happy to merge a PR if someone figures it out.

code-asher avatar Jul 29 '25 17:07 code-asher
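The two-manifest layout described by code-asher above (root package.json for code-server, lib/vscode/package.json for the vendored VS Code build) and the suggested post-build rename can be checked mechanically. The script below is an added example, not part of code-server's build-release.sh: it compares the two manifests, flags the name/version mix-up that triggers the scanner match, and optionally rewrites the inner manifest under a new name such as code-oss. The file paths and the root manifest's contents are assumptions based on the thread.

```python
"""Post-build check for the nested package.json problem in this issue.
Added example, not code-server's own build script: it compares the root
package.json with lib/vscode/package.json and flags the inner manifest
carrying the outer project's name next to the inner project's version.
"""
import json
import sys
from pathlib import Path

# Constructed sample manifests with the values quoted in the issue; used when
# no paths are given so the script runs offline.
SAMPLE_ROOT = {"name": "code-server", "version": "4.95.1"}
SAMPLE_NESTED = {"name": "code-server", "version": "1.95.1"}

def find_mismatch(root: dict, nested: dict) -> list[str]:
    """Findings for an inconsistent name/version pair; empty list means OK."""
    r_name, r_ver = root.get("name"), root.get("version")
    n_name, n_ver = nested.get("name"), nested.get("version")
    if n_name == r_name and n_ver != r_ver:
        return [f"nested manifest reuses name {n_name!r} with version {n_ver!r}; "
                f"scanners will match {n_name}@{n_ver} instead of {r_name}@{r_ver}"]
    return []

def relabel(nested: dict, new_name: str) -> dict:
    """Copy of the nested manifest renamed so it identifies the inner project."""
    return {**nested, "name": new_name}

def main(argv: list[str]) -> int:
    """Usage: check.py [ROOT_PKG NESTED_PKG [NEW_NAME]]; exits 1 on a mismatch."""
    if len(argv) >= 3:
        nested_path = Path(argv[2])
        root = json.loads(Path(argv[1]).read_text())
        nested = json.loads(nested_path.read_text())
    else:
        nested_path, root, nested = None, SAMPLE_ROOT, SAMPLE_NESTED
    problems = find_mismatch(root, nested)
    for line in problems:
        print("WARN:", line)
    if problems and len(argv) >= 4 and nested_path is not None:
        # Rewrite the inner manifest under the requested name (e.g. code-oss).
        nested_path.write_text(json.dumps(relabel(nested, argv[3]), indent=2) + "\n")
        print(f"renamed nested package to {argv[3]!r}")
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the finding for the values quoted in this issue, or as `check.py /usr/lib/code-server/package.json /usr/lib/code-server/lib/vscode/package.json code-oss` in a build step to rename the inner manifest and fail the build until it is consistent.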