Node.js package-lock.json : library: lodash v4.17.19, HIGH severity vulnerability id: NSWG-ECO-516 , title : Allocation of Resources Without Limits or Throttling #588

Closed
rickymcgeehan opened this issue Aug 4, 2020 · 2 comments
Labels
kind/security-advisory Categorizes issue or PR as related to security advisories.

Comments


Description

Trivy is reporting a HIGH severity vulnerability in the Lodash library v4.17.19 (NSWG-ECO-516: Allocation of Resources Without Limits or Throttling). From what I gather, the problem stemmed from the zipObjectDeep function within Lodash and has now been fixed in v4.17.19. However, Trivy is still reporting it as a HIGH severity vulnerability.

Lodash PR: lodash/lodash#4759
Npm advisory: https://www.npmjs.com/advisories/1523

Please could you let me know if the vulnerability is fixed and, if so, when the Trivy DB will be updated?

What did you expect to happen?
Vulnerability NSWG-ECO-516 to not be flagged for Lodash v4.17.19.

What happened instead?
Vulnerability NSWG-ECO-516 is flagged as HIGH severity for Lodash v4.17.19.

Output of run with -debug:

2020-08-04T15:39:34.772+0100	INFO	Need to update DB
2020-08-04T15:39:34.772+0100	INFO	Downloading DB...
17.72 MiB / 17.72 MiB [------------------------------------------------------------------------------------------] 100.00% 3.13 MiB p/s 6s
2020-08-04T15:39:41.571+0100	WARN	OS is not detected and vulnerabilities in OS packages are not detected.
2020-08-04T15:39:41.571+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.576+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.584+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.591+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.592+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.592+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.592+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.593+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.593+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.594+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.601+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.601+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.602+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.603+0100	INFO	Detecting npm vulnerabilities...
2020-08-04T15:39:41.603+0100	INFO	Detecting npm vulnerabilities...

client/host/package-lock.json
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


client/package-lock.json
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| lodash  | NSWG-ECO-516     | HIGH     | 4.17.19           |               | Allocation of Resources        |
|         |                  |          |                   |               | Without Limits or Throttling   |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

Output of trivy -v:

Version: 0.9.2
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2020-08-04 12:13:02.259294926 +0000 UTC
  NextUpdate: 2020-08-05 00:13:02.259294526 +0000 UTC

Additional details (base image name, container registry info...):

@rickymcgeehan rickymcgeehan added the kind/bug Categorizes issue or PR as related to a bug. label Aug 4, 2020
@knqyf263 knqyf263 added the co/npm label Aug 5, 2020
Collaborator

knqyf263 commented Aug 5, 2020

Trivy DB depends on nodejs/security-wg for nodejs, but it looks like the vulnerability information hasn't been updated yet. Would you send a PR or raise the issue in this repository?
https://github.com/nodejs/security-wg/blob/master/vuln/npm/516.json#L16
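The comment above points at the root cause: Trivy does not inspect the lodash code, it matches the installed version against the range recorded in the upstream advisory, so a stale advisory record keeps flagging a release that already contains the fix. The script below is an added example (not code from this thread, from Trivy, or from nodejs/security-wg) that models that data flow with a minimal semver range matcher. The lockfile fragment, both advisory records and their field names are constructed and assumed for illustration; the real contents of `516.json` are not reproduced here.

```python
"""Why a scanner flags a version the upstream project already fixed.

Added example, not code from this issue, from Trivy, or from nodejs/security-wg.
The finding a lockfile scanner emits depends entirely on the version range
stored in the advisory record it was built from: with no fix boundary recorded,
every release (including the patched one) matches the "vulnerable" range.
Field names and advisory contents below are ASSUMED / constructed.
"""
import json
import re

# Constructed package-lock.json (lockfileVersion 1) fragment with the package
# from the Trivy report plus an unrelated dependency as a control.
LOCKFILE = json.dumps({
    "name": "client",
    "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.19"},
        "left-pad": {"version": "1.3.0"},
    },
})

# Assumed shape of an npm advisory record (constructed values, not 516.json).
STALE_ADVISORY = {                  # record before the fix boundary was added
    "id": 516,
    "module_name": "lodash",
    "title": "Allocation of Resources Without Limits or Throttling",
    "severity": "high",
    "vulnerable_versions": ">=0",   # every release still counts as affected
    "patched_versions": "<0.0.0",   # i.e. nothing is recorded as patched
}
UPDATED_ADVISORY = dict(STALE_ADVISORY, vulnerable_versions="<4.17.19",
                        patched_versions=">=4.17.19")

# One comparator token: optional operator, optional 'v', 1 to 3 numeric parts.
_COMPARATOR = re.compile(r"^(<=|>=|<|>|=)?v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")
_CMP = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """'4.17.19' -> (4, 17, 19); tolerates a leading 'v' and missing parts."""
    m = _COMPARATOR.match(text.strip())
    if not m or m.group(1):
        raise ValueError(f"not a plain version: {text!r}")
    return tuple(int(part or 0) for part in m.groups()[1:])


def satisfies(version, range_expr):
    """Minimal semver range check: '||' separates alternatives, whitespace
    inside an alternative means AND, '*' or an empty range matches everything."""
    ver = parse_version(version)
    for alternative in range_expr.split("||"):
        alternative = alternative.strip()
        if alternative in ("", "*"):
            return True
        for token in alternative.split():
            m = _COMPARATOR.match(token)
            if not m:
                raise ValueError(f"unsupported comparator: {token!r}")
            op = m.group(1) or "="
            bound = tuple(int(part or 0) for part in m.groups()[1:])
            if not _CMP[op](ver, bound):
                break            # this alternative fails; try the next one
        else:
            return True          # every comparator in the alternative held
    return False


def scan_lockfile(lock_json, advisories):
    """Return one finding per (dependency, advisory) pair whose installed
    version falls inside the advisory's vulnerable range."""
    lock = json.loads(lock_json)
    findings = []
    for name, meta in lock.get("dependencies", {}).items():
        for adv in advisories:
            if adv["module_name"] != name:
                continue
            if satisfies(meta["version"], adv["vulnerable_versions"]):
                findings.append({
                    "library": name,
                    "vulnerability_id": f"NSWG-ECO-{adv['id']}",
                    "installed": meta["version"],
                    "patched_versions": adv["patched_versions"],
                    "title": adv["title"],
                })
    return findings


if __name__ == "__main__":
    # Same lockfile, two states of the advisory feed: only the record differs.
    print("stale DB   :", scan_lockfile(LOCKFILE, [STALE_ADVISORY]))
    print("updated DB :", scan_lockfile(LOCKFILE, [UPDATED_ADVISORY]))
```

Running it shows lodash 4.17.19 flagged against the stale record and clean against the updated one, which is why the remedy here is a correction to the upstream advisory data rather than a code change in the scanner or in the scanned project.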

@knqyf263

It seems to be fixed

@knqyf263 knqyf263 added kind/security-advisory Categorizes issue or PR as related to security advisories. and removed kind/bug Categorizes issue or PR as related to a bug. labels Sep 2, 2021
josedonizetti pushed a commit to josedonizetti/trivy that referenced this issue Jun 24, 2022