CVE Detection on VSCode Extension

[raghur-orca]

IDs

CVE-2019-19919, CVE-2021-23369, CVE-2021-23383, CVE-2019-20920

Description

CVE detection on vscode extensions eventhough it is neither linked with the npm package nor contain any code from npm package.

While working on a project, i have used vscode extension (handlebars) on my IDE.

As Trivy considers and scans the package.json files with image OR rootfs mode, If we run Trivy on the vscode extension handlebars - we see CVEs associated to any vulnerable handlebars npm package (version < 4.3.0, say handlebars npm package 1.3.0) in the Trivy scan results due to the usage of name "handlebars" and version "1.0.0" in this vscode extension's package.json file.

{
  "name": "handlebars",
  "displayName": "%displayName%",
  "description": "%description%",
  "version": "1.0.0",
..
...

Every Visual Studio Code extension needs a manifest file package.json at the root of the extension directory structure. name and versions are the fields defined on the extension itself and not associated with any npm package directly.

Please correct me if am wrong here.
If this is indeed FP, then we need to have some mechanism to differentiate the npm package and the vscode extensions may by considering the fields in the vscode extension package.json:
a) publisher:
"publisher": "vscode",

b) engines

"engines": {
    "vscode": "0.10.x"
  },

c) repository:

 "repository": {
    "type": "git",
    "url": "https://github.com/microsoft/vscode.git"
  }

Reproduction Steps

1.Copy the package.json file associated with the vscode extension handlebars from the official repo -https://github.com/microsoft/vscode/blob/f1b07bd25dfad64b0167beb15359ae573aecd2cc/extensions/handlebars/package.json

2. Run Trivy in either rootfs or image mode on the copied package.json file.
# trivy rootfs ./ --debug

3. CVE results on the handlebars vscode extension highlighting the issues associated with handlebars npm package (version < 4.3.0)

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

# trivy rootfs ./ --debug
2024-02-13T10:33:46.431+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-13T10:33:46.431+0530	DEBUG	Ignore statuses	{"statuses": null}
2024-02-13T10:33:46.442+0530	DEBUG	cache dir:  /Users/xyz/Library/Caches/trivy
2024-02-13T10:33:46.443+0530	DEBUG	DB update was skipped because the local DB was downloaded during the last hour
2024-02-13T10:33:46.443+0530	DEBUG	DB Schema: 2, UpdatedAt: 2024-02-12 18:12:50.404115521 +0000 UTC, NextUpdate: 2024-02-13 00:12:50.40411512 +0000 UTC, DownloadedAt: 2024-02-13 04:28:43.185013 +0000 UTC
2024-02-13T10:33:46.444+0530	INFO	Vulnerability scanning is enabled
2024-02-13T10:33:46.444+0530	DEBUG	Vulnerability type:  [os library]
2024-02-13T10:33:46.444+0530	INFO	Secret scanning is enabled
2024-02-13T10:33:46.444+0530	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-13T10:33:46.444+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-13T10:33:46.444+0530	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-13T10:33:46.444+0530	DEBUG	No secret config detected: trivy-secret.yaml
2024-02-13T10:33:46.444+0530	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-02-13T10:33:46.444+0530	DEBUG	Walk the file tree rooted at '.' in parallel
2024-02-13T10:33:46.456+0530	DEBUG	OS is not detected.
2024-02-13T10:33:46.456+0530	DEBUG	Detected OS: unknown
2024-02-13T10:33:46.456+0530	INFO	Number of language-specific files: 1
2024-02-13T10:33:46.456+0530	INFO	Detecting node-pkg vulnerabilities...
2024-02-13T10:33:46.456+0530	DEBUG	Detecting library vulnerabilities, type: node-pkg, path:
2024-02-13T10:33:46.468+0530	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)

Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 5, CRITICAL: 3)

┌───────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬──────────────────────┬─────────────────────────────────────────────────────────────┐
│          Library          │    Vulnerability    │ Severity │ Status │ Installed Version │    Fixed Version     │                            Title                            │
├───────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼──────────────────────┼─────────────────────────────────────────────────────────────┤
│ handlebars (package.json) │ CVE-2019-19919      │ CRITICAL │ fixed  │ 1.0.0             │ 4.3.0, 3.0.8         │ nodejs-handlebars: prototype pollution leading to remote    │
│                           │                     │          │        │                   │                      │ code execution via crafted payloads                         │
│                           │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2019-19919                  │
│                           ├─────────────────────┤          │        │                   ├──────────────────────┼─────────────────────────────────────────────────────────────┤
│                           │ CVE-2021-23369      │          │        │                   │ 4.7.7                │ true option                                                 │
│                           │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-23369                  │
│                           ├─────────────────────┤          │        │                   │                      ├─────────────────────────────────────────────────────────────┤
│                           │ CVE-2021-23383      │          │        │                   │                      │ true option                                                 │
│                           │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-23383                  │
│                           ├─────────────────────┼──────────┤        │                   ├──────────────────────┼─────────────────────────────────────────────────────────────┤
│                           │ CVE-2019-20920      │ HIGH     │        │                   │ 3.0.8, 4.5.3         │ nodejs-handlebars: lookup helper fails to properly validate │
│                           │                     │          │        │                   │                      │ templates allowing for arbitrary JavaScript...              │
│                           │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2019-20920                  │
│                           ├─────────────────────┤          │        │                   ├──────────────────────┼─────────────────────────────────────────────────────────────┤
│                           │ GHSA-2cf5-4w76-r9qv │          │        │                   │ 3.0.8, 4.5.2         │ Arbitrary Code Execution in handlebars                      │
│                           │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-2cf5-4w76-r9qv           │
│                           ├─────────────────────┤          │        │                   ├──────────────────────┼─────────────────────────────────────────────────────────────┤
│                           │ GHSA-g9r4-xpmj-mj65 │          │        │                   │ 3.0.8, 4.5.3         │ Prototype Pollution in handlebars                           │
│                           │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-g9r4-xpmj-mj65           │
│                           ├─────────────────────┤          │        │                   │                      ├─────────────────────────────────────────────────────────────┤
│                           │ GHSA-q2c6-c6pm-g3gh │          │        │                   │                      │ Arbitrary Code Execution in handlebars                      │
│                           │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-q2c6-c6pm-g3gh           │
│                           ├─────────────────────┤          │        │                   ├──────────────────────┼─────────────────────────────────────────────────────────────┤
│                           │ GHSA-q42p-pg8m-cqh6 │          │        │                   │ 4.1.2, 4.0.14, 3.0.7 │ Prototype Pollution in handlebars                           │
│                           │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-q42p-pg8m-cqh6           │
│                           ├─────────────────────┼──────────┤        │                   ├──────────────────────┼─────────────────────────────────────────────────────────────┤
│                           │ CVE-2015-8861       │ MEDIUM   │        │                   │ >=4.0.0              │ The handlebars package before 4.0.0 for Node.js allows      │
│                           │                     │          │        │                   │                      │ remote attacker ...                                         │
│                           │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2015-8861                   │
│                           ├─────────────────────┤          │        │                   ├──────────────────────┼─────────────────────────────────────────────────────────────┤
│                           │ NSWG-ECO-519        │          │        │                   │ >=4.6.0              │ Denial of Service                                           │
│                           │                     │          │        │                   │                      │ https://hackerone.com/reports/726364                        │
└───────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴──────────────────────┴─────────────────────────────────────────────────────────────┘

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-12 18:12:50.404115521 +0000 UTC
  NextUpdate: 2024-02-13 00:12:50.40411512 +0000 UTC
  DownloadedAt: 2024-02-13 04:28:43.185013 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-31 00:45:18.677215008 +0000 UTC
  NextUpdate: 2024-02-03 00:45:18.677214887 +0000 UTC
  DownloadedAt: 2024-01-31 08:58:07.817972 +0000 UTC
Policy Bundle:
  Digest: sha256:8bfc31f3e4301ef758b6793a07e0b12b4306e0b54d03a640efb2ff5e5ef29b9e
  DownloadedAt: 2023-12-19 10:13:14.256458 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @raghur-orca
Thanks for your interest to Trivy!

We check dependency files to detect installed dependencies, but we don't check/compare code of these dependencies/packages.

If this is indeed FP, then we need to have some mechanism to differentiate the npm package and the vscode extensions may by considering the fields in the vscode extension package.json:

Looks like there are some vscode npm packages (e.g. https://www.npmjs.com/package/vscode-uri).
I am worried that we can miss there packages if we add your solution.

In this case false positive is better (you can just filter or skip these files.

[raghur-orca]

Thank you for the update, @DmitriyLewen .
Any other possibilities to differentiate the two ? or thoughts on adding a change to identify the vscode extensions in the future to avoid such FPs?

[DmitriyLewen]

Unfortunately, I only see indirect solutions to avoid this case.

Up to this point I haven't seen any other false positive issues for VScode.
Let's wait for feedback from other users.
If users are interested in fixing this problem, we will return to this matter.

[raghur-orca]

Sure!.

[mjschmidt]

Definitely interested as we have a large compliance department that keeps asking us about this. It there something the code-server / vs-code team could do to address the issue on their end?

[DmitriyLewen]

Hello @mjschmidt
i checked package.json files from vs-code extensions.
I wanted to read more about publisher field, but I was surprised that npm doesn't say about this field - https://docs.npmjs.com/cli/v8/configuring-npm/package-json

Is this special custom field only for vs-code extensions?
If so - and this field always uses the same name - we can work with it.
I'm not sure if omitting these files is a good idea, but we can start by marking the dependencies on these packages as Dev and not showing them by default. (we use similar logic for maven-invoker-plugin - https://aquasecurity.github.io/trivy/v0.50/docs/coverage/language/java/#maven-invoker-plugin).

[jdbaudean]

I'm interested in a fix for this as well

[itaysk]

just to confirm, is this limited to vscode extensions or applies to any node package? I mean, if I'm scanning my code repo which has a package.json and my package is called "handlebars", I should expect to see vulnerabilities in the handlebars package in npm?

[DmitriyLewen]

IIUC This is only related to vs-code extensions. vs-code contains package.json file that is not associated with npm package of the same name and does not use code from that npm package.

I should expect to see vulnerabilities in the handlebars package in npm?

if you scan npm project - you should see vulnerabilities for this package.