
Update Node.js Version in Docker Base Image to v17+

Open bjeromeHCS opened this issue 2 years ago • 4 comments

Snyk is reporting 3 High vulnerabilities (no known exploits) with the base image node:14-slim and suggests updating to node:17.8-bullseye-slim to cut back on most reported flaws. [screenshot of the Snyk report, 2022-04-05]

While it doesn't resolve all the vulnerabilities, updating to node 17 would remediate the most. I have tried to swap the version on a forked version but it doesn't work as intended. I'm hoping someone here could update and cut a new release that I could then reference :)

Here's more info on the 3 Highs:

CVE-2018-25032: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
Introduced through: node@14-slim › zlib/zlib1g@1:1.2.8.dfsg-5

CVE-2018-12886: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12886
Introduced through: node@14-slim › gcc-6/[email protected]+deb9u1 Fix: No remediation path available.
Introduced through: node@14-slim › gcc-6/libgcc1@1:6.3.0-18+deb9u1 Fix: No remediation path available.
Introduced through: node@14-slim › gcc-6/[email protected]+deb9u1 Fix: No remediation path available.

CVE-2020-1712: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1712
Introduced through: node@14-slim › systemd/libudev1@232-25+deb9u13 Fix: No remediation path available.
Introduced through: node@14-slim › systemd/libsystemd0@232-25+deb9u13 Fix: No remediation path available.

bjeromeHCS avatar Apr 05 '22 18:04 bjeromeHCS
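A way to check whether a base-image swap actually removes the flagged packages, as an added example that is not part of the issue or of the FHIR-Converter project. The `+deb9u` suffixes in the report mean the node:14-slim image was built on Debian 9 (stretch), so the `FROM node:14-slim` line is replaced with a bullseye-based tag such as `FROM node:17.8-bullseye-slim` and the resulting image is inspected with `dpkg-query`. The package names and the node:14-slim versions below are taken from the Snyk output in the issue; the minimum versions in the policy list and the "new image" package list are constructed placeholders (assumptions), not the distro's real fixed versions, which you would take from the Debian security tracker for each CVE.

```shell
#!/bin/sh
# Added example (not the project's code): compare Debian package versions
# found inside a container image against a minimum-version policy.

# pkg_at_least <installed> <minimum>: returns 0 when the installed version
# sorts at or above the minimum (sort -V understands Debian epochs and
# "+debNuM" suffixes well enough for this comparison).
pkg_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Policy: "<package> <minimum-version>" per line.
# ASSUMPTION: these minimums are placeholders, not verified fixed versions.
POLICY='zlib1g 1:1.2.11.dfsg-2
libudev1 247.3-7
libsystemd0 247.3-7'

# Output of: docker run --rm node:14-slim dpkg-query -W -f='${Package} ${Version}\n'
# Constructed here to match the versions quoted in the Snyk report.
OLD_IMAGE_PKGS='zlib1g 1:1.2.8.dfsg-5
libudev1 232-25+deb9u13
libsystemd0 232-25+deb9u13
libgcc1 1:6.3.0-18+deb9u1'

# Constructed output for a hypothetical bullseye-based image (assumption).
NEW_IMAGE_PKGS='zlib1g 1:1.2.11.dfsg-2
libudev1 247.3-7
libsystemd0 247.3-7
libgcc-s1 10.2.1-6'

# check_packages <dpkg-query output>: prints one line for each policy
# package that is below its minimum and returns how many there were.
# A package that is absent from the image is reported but not counted,
# since an uninstalled library cannot be the vulnerable one.
check_packages() {
    pkgs=$1
    bad=0
    while read -r name min; do
        installed=$(printf '%s\n' "$pkgs" | awk -v p="$name" '$1 == p { print $2 }')
        if [ -z "$installed" ]; then
            echo "$name: not installed"
            continue
        fi
        if ! pkg_at_least "$installed" "$min"; then
            echo "$name: $installed is below minimum $min"
            bad=$((bad + 1))
        fi
    done <<EOF
$POLICY
EOF
    return "$bad"
}

echo "== node:14-slim (from the report) =="
check_packages "$OLD_IMAGE_PKGS" || echo "$? package(s) below policy"
echo "== bullseye-based candidate (constructed) =="
check_packages "$NEW_IMAGE_PKGS" || echo "$? package(s) below policy"
```

To run this against a real image rather than the constructed lists, feed it the output of `docker run --rm <image> dpkg-query -W -f='${Package} ${Version}\n'`. Note that the report's "No remediation path available" entries are a property of the stretch package set, which is why a newer Node tag on a newer Debian base changes the result while simply bumping Node on the same base does not.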

@ACMoretxj Any action items on this?

bjeromeHCS avatar May 04 '22 17:05 bjeromeHCS

Thank you @bjeromeHCS for your investigation about this. As you said, the latest version of Node still fails to solve all the alerts, moreover, we currently are working on other higher priority items.

P.S. Sorry for late reply.

ACMoretxj avatar May 14 '22 01:05 ACMoretxj

@ACMoretxj can this issue be closed with appropriate label? thank you

irenepjoseph avatar Oct 05 '22 18:10 irenepjoseph


There's always going to be alerts at some degree, but upgrading to the latest version is still worth it from a security standpoint. @irenepjoseph @ACMoretxj Is this going to be re-prioritized?

bjeromeHCS avatar Oct 06 '22 12:10 bjeromeHCS