external-auth-server
Image scan has detected several vulnerabilities
The trivy image scanner has detected several vulnerabilities:
```
trivy image travisghansen/external-auth-server:v0.12.0
2022-02-21T12:54:15.701+0100 INFO Detected OS: debian
2022-02-21T12:54:15.701+0100 INFO Detecting Debian vulnerabilities...
2022-02-21T12:54:15.713+0100 INFO Number of language-specific files: 1
2022-02-21T12:54:15.713+0100 INFO Detecting node-pkg vulnerabilities...

travisghansen/external-auth-server:v0.12.0 (debian 11.2)
Total: 92 (UNKNOWN: 0, LOW: 63, MEDIUM: 19, HIGH: 4, CRITICAL: 6)

Node.js (node-pkg)
Total: 13 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 10, CRITICAL: 1)
```

```
trivy image travisghansen/external-auth-server:latest
2022-02-21T12:53:20.027+0100 INFO Detected OS: debian
2022-02-21T12:53:20.027+0100 INFO Detecting Debian vulnerabilities...
2022-02-21T12:53:20.036+0100 INFO Number of language-specific files: 1
2022-02-21T12:53:20.036+0100 INFO Detecting node-pkg vulnerabilities...

travisghansen/external-auth-server:latest (debian 10.11)
Total: 126 (UNKNOWN: 0, LOW: 84, MEDIUM: 12, HIGH: 22, CRITICAL: 8)

Node.js (node-pkg)
Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 16, CRITICAL: 1)
```

eas_v0.12.0.txt eas_latest.txt
Could you fix the "CRITICAL" and "HIGH" please?
Thanks for the heads up! I’ll take a look and see what can be done.
Can you test against `v0.12.1` image? There is an npm package that results in a vulnerable package (that’s not utilized in code anywhere) that I cannot update atm because of some nodejs bugs. I’m trying to work with the devs to clean that up.
The os updates are hopefully fixed in the rebuilt image however.
Thank you! Great Work! The patched version has fixed some but not all vulnerabilities. So we have to wait for a new Debian version.
Do we know if fixes are actually upstream in debian yet generally? I’m basing my images on the official nodejs images which are based on the official debian images (I assume). In other words downstream quite a ways :(
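Added example, not part of the thread or the project's code: one way to answer the upstream question is to split a Trivy JSON report (`trivy image --format json`) into HIGH/CRITICAL findings that already have a `FixedVersion` and those still waiting on the distribution. The report below is constructed; its target, package names, versions and `CVE-PLACEHOLDER-*` ids are made up.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Trivy's JSON report.
# Targets, packages, versions and CVE-PLACEHOLDER ids are illustrative only.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example/image:tag (debian 11.2)", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
              "Severity": "CRITICAL"},
             # No FixedVersion: the distribution has not shipped a fix yet.
             {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libexample2",
              "InstalledVersion": "2.3-1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "libexample3",
              "InstalledVersion": "0.9-4", "FixedVersion": "", "Severity": "LOW"},
         ]},
        {"Target": "Node.js", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-4", "PkgName": "example-pkg",
              "InstalledVersion": "4.0.0", "FixedVersion": "4.0.1",
              "Severity": "HIGH"},
         ]},
        # A clean target carries no "Vulnerabilities" key at all.
        {"Target": "clean-layer", "Type": "jar"},
    ]
})


def triage(report_json, severities=("HIGH", "CRITICAL")):
    """Group findings per target into fixable now vs. waiting on upstream."""
    report = json.loads(report_json)
    out = defaultdict(lambda: {"fixable": [], "waiting_on_upstream": []})
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            bucket = "fixable" if vuln.get("FixedVersion") else "waiting_on_upstream"
            out[result["Target"]][bucket].append(
                (vuln["VulnerabilityID"], vuln["PkgName"], vuln.get("FixedVersion", "")))
    return dict(out)


if __name__ == "__main__":
    for target, buckets in triage(SAMPLE_REPORT).items():
        for name, items in buckets.items():
            print(f"{target}: {name}: {items}")
```

Trivy's `--ignore-unfixed` flag applies the same filter at scan time, so a rebuilt image can be gated only on findings a rebuild could actually remove.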