Replies: 1 comment
-
|
Follow-up after reviewing the That flag does not currently extract a Node.js runtime version or add Node.js core advisories. Its relevant behavior is to retain language/application findings from files owned by an OS package manager; default The proposed changes would fit that existing model:
So |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Description
Problem
Trivy does not currently identify the Node.js runtime version in container images when Node.js was installed outside an OS package manager. This includes the official
nodeimages:The analyzers under
pkg/fanal/analyzer/language/nodejsparsepackage.jsonand lockfiles, so they report npm ecosystem package versions—not the Node.js runtime version.apk,dpkg, andrpmmetadata only covers distribution-packaged Node.js. The executable analyzer hashes an unpackagednodebinary but does not extract its version.As a result, Trivy cannot match manually installed Node.js runtimes against Node.js core CVEs.
A related broader report exists in #9759, but its Node.js example concerns an npm dependency (
minimist) rather than Node.js core/runtime advisories.Proposed behavior
include/node/node_version.husing:NODE_MAJOR_VERSIONNODE_MINOR_VERSIONNODE_PATCH_VERSIONnode@<version>.nodejs/security-wg/vuln/core/*.jsonand match theirvulnerable/patchedsemver ranges.The Node.js Security Working Group currently contains 183 core advisories.
trivy-dbalready walks this source, but has intentionally skipped entries withoutmodule_namesince the initial importer implementation in 2019. The existing test explicitly described this asnode.js core is skipped.Questions for maintainers
nodein the existing npm bucket and npm semver comparer, or should it have a dedicated Node.js runtime ecosystem?NODE_VERSIONfrom image ENV be a fallback when the installed header is absent? The header is proposed as authoritative because image metadata can become stale.Prototype PRs
These are draft implementations intended to make the proposal concrete and can be changed based on maintainer direction:
Target
Container Image
Scanner
Vulnerability
Beta Was this translation helpful? Give feedback.
All reactions