Trivy security scan detects a CRITICAL vulnerability in latest Docker image. #7445
Comments
Hi @tunguyen9889, Thanks for reporting this. Can I ask you to follow our security policy guidelines next time you report similar issues? Thanks! We'll update
Hi @char0n, Thanks for your quick response! And sorry for missing the guideline for security reports. I will take note and follow the process next time. Anyway, you might need to make sure this step https://github.com/swagger-api/swagger-ui/blob/master/Dockerfile#L7 will install the latest Best,
Yep, already tested, and after next release this will be autofixed.
So we should be fine just by releasing the new versions this week. |
Damn,
$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v3.52.0
Node
Yea, we had to force update nodejs in our custom image to avoid it
I think we can enforce the version like this https://superuser.com/a/1058665
So the Dockerfile commands will be:
right?
The Dockerfile command will be:
Thanks! Will try this in the next release.
The original error reported in this issue is gone in swagger-ui@4.0.0-rc.0; the same applies to swagger-ui@3.52.1 (which is just being released). But we have additional Unfortunately the command
We had a hack in our internal image to force upgrade all packages to latest version using this command:
Did the following change to our
Released this change as Running
gives me the following output So we're looking fine. I'll do the same changes in the v3 release, and we'll finally be able to close this issue.
Results for v3:
$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-ui:v3.52.2
Closing the issue as it has been resolved for now. @tunguyen9889 thanks for collaboration on this!
SwaggerEditor@4.x is now green as well:
$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-editor:v4.0.0-rc.0
Swagger Editor@3.x is now green as well:
$ docker run --rm aquasec/trivy:latest --exit-code 0 --severity HIGH,CRITICAL swaggerapi/swagger-editor:v3.18.2
Thanks @char0n for the fixes!
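One caveat a defender should take from the scan commands quoted in this thread: every one of them passes `--exit-code 0`, so Trivy only reports findings and a CI job running it would still succeed; `--exit-code 1` is what turns the scan into a gate. The script below is an added example (not code from the swagger-ui project or from anyone in this thread) that applies the same policy to a Trivy JSON report (`trivy image --format json ...`) so the decision and the list of packages that need an upgrade are explicit and testable. The report layout (`Results` → `Vulnerabilities` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) is Trivy's JSON output; the sample report, its CVE ids and the installed Node.js version are constructed placeholders, while `14.17.4-r0` is the Alpine fix version named in the issue.

```python
"""Gate a container image on a Trivy JSON report.

Added example, not part of the swagger-ui project. It reproduces what
`trivy image --severity HIGH,CRITICAL --exit-code 1 <image>` decides, so
the policy can be inspected and unit-tested instead of living only in a
CLI flag. The sample report below is constructed.
"""
import json
from typing import Dict, Iterable, List

# Severities that fail the build, matching --severity HIGH,CRITICAL.
BLOCKING = frozenset({"HIGH", "CRITICAL"})

# Constructed sample report. The CVE ids are placeholders and the
# installed nodejs version is made up; 14.17.4-r0 is the Alpine fix
# version mentioned in the issue.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/image:tag",
    "Results": [
        {
            "Target": "example/image:tag (alpine 3.14.0)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "nodejs",
                 "InstalledVersion": "14.17.3-r0", "FixedVersion": "14.17.4-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
                 "InstalledVersion": "1.33.1-r2", "FixedVersion": "",
                 "Severity": "MEDIUM"},
            ],
        }
    ],
})


def blocking_findings(report_json: str,
                      severities: Iterable[str] = BLOCKING) -> List[Dict[str, str]]:
    """Return the findings whose severity is in the blocking set."""
    wanted = set(severities)
    report = json.loads(report_json)
    found: List[Dict[str, str]] = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) when a
        # target is clean, so guard against both shapes.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in wanted:
                found.append({
                    "id": vuln.get("VulnerabilityID", ""),
                    "pkg": vuln.get("PkgName", ""),
                    "installed": vuln.get("InstalledVersion", ""),
                    "fixed": vuln.get("FixedVersion", ""),
                    "severity": vuln["Severity"],
                })
    return found


def required_upgrades(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Map package name -> fixed version for findings that have a fix.

    Findings without a FixedVersion are left out: they cannot be
    resolved by an upgrade and need a separate decision.
    """
    upgrades: Dict[str, str] = {}
    for finding in findings:
        if finding["fixed"]:
            upgrades[finding["pkg"]] = finding["fixed"]
    return upgrades


def gate_exit_code(report_json: str) -> int:
    """1 (fail the build) if any blocking finding exists, else 0."""
    return 1 if blocking_findings(report_json) else 0


if __name__ == "__main__":
    findings = blocking_findings(SAMPLE_REPORT)
    for f in findings:
        fix = f["fixed"] or "(no fix available yet)"
        print(f"{f['severity']}: {f['id']} {f['pkg']} {f['installed']} -> {fix}")
    print("upgrades needed:", required_upgrades(findings))
    print("exit code:", gate_exit_code(SAMPLE_REPORT))
```

Run it against a real report with `trivy image --format json -o report.json <image>` and feed the file contents to `gate_exit_code`; the upgrade map is also the list of packages a Dockerfile `apk` pin or upgrade step has to cover before the scan goes green.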
Q&A (please complete the following information)
swaggerapi/swagger-ui:latest, swaggerapi/swagger-ui:v3.51.2, swaggerapi/swagger-ui:v4.0.0-beta.2
Content & configuration
Describe the bug you're encountering
The security vulnerability about nodejs has been reported in:
Alpine and nodejs have released a bug fix on 2021-07-29 with version 14.17.4-r0.
To reproduce...
Steps to reproduce the behavior: Run Trivy scan as below:
You will see the result like this:
Expected behavior
Trivy security scan should not print out any HIGH or CRITICAL vulnerabilities.