New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trivy detecting vulnerabilities in yarn devDependencies #90
Comments
@pnu-s still happening the issue? |
@krol3 I've also experienced this issue. I first noticed a large difference between yarn dependency vulnerabilities reported by Snyk and Trivy, and determined this to be the cause. Snyk solves the issue by scanning package.json as well, and has a --dev flag, off by default to control this behavior. See here: https://support.snyk.io/hc/en-us/articles/360004712477-Snyk-for-JavaScript Including a similar feature in Trivy would add significant value to node.js reports imo. |
Looking at the docs, it looks like this is intended behaviour: https://aquasecurity.github.io/trivy/dev/vulnerability/detection/language/. They explicitly state that devDependencies are included in vulnerability scans for |
As far as I know, |
I really dont think this is true. If we humans can know it why can trivy not ? You would simply have to check all dependencies in yarn.lock file and see why they are there (eg referenced by other packages, etc) - so a dependency is either there because you referenced it directly in devDependencies or dependencies or because its a dependency of the former. I think this is just a bit of tree traversion to find out if its a dev or not ... EDIT: I should have read this more closely. You said that its possible when information additionaly is pulled from package.json. |
I am not an expert Node, but maybe this repository help to understand more about devDependencies. |
A workaround for this that I've used is to run
since this can prune the yarn.lock Somewhat awkward in situations where you don't really want to touch the yarn.lock file (e.g. in a build pipeline), but helps if you don't want to get overwhelmed by development vulnerabilities. Anyone that understands yarn well could correct me here if I'm wrong but one could do something like:
The first one will do your normal check to see if nothing happens to your lockfile while the second one can prune development dependencies. Like I said, someone that understands yarn better - feel free to tell why this is a bad idea! :) |
Its a bad idea as you don't want to have to modify yarn.lock to remove devDependencies. You need to keep those in the lock file for development usage of the code. |
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
refactor google db instance struct
Hello there!
Trivy seems to detect vulnerabilities in yarn dependencies which are only in devDependencies, although running a
yarn audit
will exclude them by default and only check in dependencies.Posting https://yarnpkg.com/en/docs/dependency-types for reference.
I'm wondering whether this is expected.
Thanks for your great tool and I'm available to discuss this in more details.
The text was updated successfully, but these errors were encountered: