Closed
Description
Q&A (please complete the following information)
- OS: Docker image
- Version: swaggerapi/swagger-ui:latest, swaggerapi/swagger-ui:v3.51.2, swaggerapi/swagger-ui:v4.0.0-beta.2
Content & configuration
Describe the bug you're encountering
A security vulnerability in nodejs has been reported. Alpine and nodejs released a bug fix on 2021-07-29 with version 14.17.4-r0:
- https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.17.4
- https://git.alpinelinux.org/aports/commit/?id=b3808eb39db3ee62c67e75b5df2acfd778ec8d4c
To reproduce...
Steps to reproduce the behavior: Run a Trivy scan as below:
➜ ~ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v3.51.2
You will see the result like this:
2021-08-02T07:56:35.496Z INFO Need to update DB
2021-08-02T07:56:35.496Z INFO Downloading DB...
22.71 MiB / 22.71 MiB [---------------------------------------------------] 100.00% 30.19 MiB p/s 1s
2021-08-02T07:56:42.227Z INFO Detected OS: alpine
2021-08-02T07:56:42.227Z INFO Detecting Alpine vulnerabilities...
2021-08-02T07:56:42.228Z INFO Number of language-specific files: 0
swaggerapi/swagger-ui:v3.51.2 (alpine 3.13.5)
=============================================
Total: 6 (HIGH: 5, CRITICAL: 1)
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| curl | CVE-2021-22901 | HIGH | 7.76.1-r0 | 7.77.0-r0 | curl: Use-after-free in |
| | | | | | TLS session handling when |
| | | | | | using OpenSSL TLS backend |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22901 |
+-----------+ + + + + +
| libcurl | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
+-----------+------------------+ +-------------------+---------------+---------------------------------------+
| libgcrypt | CVE-2021-33560 | | 1.8.7-r0 | 1.8.8-r0 | libgcrypt: mishandles ElGamal |
| | | | | | encryption because it lacks |
| | | | | | exponent blinding to address a... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-33560 |
+-----------+------------------+ +-------------------+---------------+---------------------------------------+
| libxml2 | CVE-2021-3517 | | 2.9.10-r6 | 2.9.10-r7 | libxml2: Heap-based buffer overflow |
| | | | | | in xmlEncodeEntitiesInternal() |
| | | | | | in entities.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3517 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-3518 | | | | libxml2: Use-after-free in |
| | | | | | xmlXIncludeDoProcess() in xinclude.c |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-3518 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
| nodejs | CVE-2021-22930 | CRITICAL | 14.16.1-r1 | 14.17.4-r0 | nodejs: use-after-free on |
| | | | | | close http2 on stream canceling |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-22930 |
+-----------+------------------+----------+-------------------+---------------+---------------------------------------+
Expected behavior
Trivy security scan should not print out any HIGH or CRITICAL vulnerabilities.
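The expected behavior above is effectively a CI gate. As an added example that is not part of this issue or of the swagger-ui project, here is the same check written over Trivy's JSON output (`--format json`) rather than its table: the report field names are assumed from Trivy's JSON report layout, and the sample report is constructed to mirror the findings in the table above plus one placeholder entry with no fix.

```python
"""Gate a Trivy JSON report on HIGH/CRITICAL findings: what `--exit-code 1
--severity HIGH,CRITICAL` does, but as code a CI job can reason about."""
import json
# Trivy's severity ordering; a higher index is more severe.
SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Constructed sample in Trivy's JSON report layout (field names assumed);
# the real entries mirror the scan table in the issue above.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "swaggerapi/swagger-ui:v3.51.2 (alpine 3.13.5)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-22901", "PkgName": "curl",
             "InstalledVersion": "7.76.1-r0", "FixedVersion": "7.77.0-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2021-33560", "PkgName": "libgcrypt",
             "InstalledVersion": "1.8.7-r0", "FixedVersion": "1.8.8-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2021-22930", "PkgName": "nodejs",
             "InstalledVersion": "14.16.1-r1", "FixedVersion": "14.17.4-r0",
             "Severity": "CRITICAL"},
            # Constructed placeholder: a MEDIUM finding with no fix released.
            {"VulnerabilityID": "CVE-0000-PLACEHOLDER", "PkgName": "example",
             "InstalledVersion": "1.0-r0", "FixedVersion": "",
             "Severity": "MEDIUM"},
        ],
    }]
})


def findings_at_or_above(report_json, threshold="HIGH", ignore_unfixed=True):
    """Return (pkg, cve, severity, fixed_version) tuples at/above threshold.
    ignore_unfixed=True skips findings with no fixed version yet, the same
    filtering Trivy's --ignore-unfixed flag applies."""
    min_rank = SEVERITIES.index(threshold)
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            rank = SEVERITIES.index(sev) if sev in SEVERITIES else 0
            fixed = v.get("FixedVersion", "")
            if rank < min_rank or (ignore_unfixed and not fixed):
                continue
            hits.append((v["PkgName"], v["VulnerabilityID"], sev, fixed))
    return hits


def gate_exit_code(report_json, threshold="HIGH"):
    """0 when the image passes, 1 otherwise (hand this to sys.exit in CI)."""
    return 1 if findings_at_or_above(report_json, threshold) else 0
```

Against the constructed report the gate returns 1 because three fixable HIGH/CRITICAL findings remain; an image rebuilt on a patched Alpine base would return 0.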