Critical vulnerabilities reported for cypress/factory

[sergiubologa]

Hello,

I'm using the latest cypress/factory:4.0.2 image to run our tests in CI/CD pipelines. When building our image we are also scanning it for known security vulnerabilities with wiz.

I am using the following Node, Chrome and Cypress versions:

ARG NODE_VERSION='20.14.0'
ARG CHROME_VERSION='126.0.6478.55-1'
ARG CYPRESS_VERSION='13.11.0'

It finds a lot of outdated versions and security issues:

Evaluated policies: Default secrets policy, Default sensitive data policy, Default vulnerabilities policy
Failed policy: Default vulnerabilities policy
Vulnerable packages: CRITICAL: 6, HIGH: 29, MEDIUM: 64, LOW: 41, INFORMATIONAL: 0
    Total: 140
Vulnerabilities: CRITICAL: 6, HIGH: 35, MEDIUM: 149, LOW: 176, INFORMATIONAL: 7
    Total: 373, out of which 45 are fixable
Directories scanned: 25829, Files scanned: 210985
Scan results: FAILED. Container image does not meet policy requirements

Here's a text file with all the scan results:
scan-cypress.txt

[MikeMcC399]

@sergiubologa

• This seems to be very similar to the issue Security scan of cypress/included:latest have significant vulnerability findings #1114

Cypress Docker images cannot fix vulnerabilities which have not been fixed upstream.

• Debian was discussed in Security scan of cypress/included:latest have significant vulnerability findings #1114 and there are no unused fixes for Debian vulnerabilities available.
• Cypress was also discussed in Security scan of cypress/included:latest have significant vulnerability findings #1114
• Node.js 20.14.0 vulnerabilities need to be fixed by https://github.com/nodejs/node
  Node.js 20.14.0 is the official current LTS version. See Node.js Release schedule and Node.js releases

[sergiubologa]

Right, but Cypress uses some node modules that have Critical issues:

Name: underscore, Version: 1.6.0, Path: /root/.cache/Cypress/13.11.0/Cypress/resources/app/node_modules/underscore/package.json
            Failed policy: Default vulnerabilities policy
            CVE-2021-23358, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
                CVSS score: 7.2, CVSS exploitability score: 1.2
                Fixed version: 1.12.1

Name: loader-utils, Version: 1.4.0, Path: /root/.cache/Cypress/13.11.0/Cypress/resources/app/node_modules/loader-utils/package.json
            Failed policy: Default vulnerabilities policy
            CVE-2022-37601, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-76p3-8jx3-jpfq
                CVSS score: 9.8, CVSS exploitability score: 3.9
                Fixed version: 1.4.1
                Has public exploit
            CVE-2022-37599, Severity: HIGH, Source: https://github.com/advisories/GHSA-hhq3-ff78-jv3g
                CVSS score: 7.5, CVSS exploitability score: 3.9
                Fixed version: 1.4.2
            CVE-2022-37603, Severity: HIGH, Source: https://github.com/advisories/GHSA-3rfm-jhwj-7488
                CVSS score: 7.5, CVSS exploitability score: 3.9
                Fixed version: 1.4.2
                Has public exploit

Name: flat, Version: 4.1.1, Path: /root/.cache/Cypress/13.11.0/Cypress/resources/app/node_modules/flat/package.json
            Failed policy: Default vulnerabilities policy
            CVE-2020-36632, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
                CVSS score: 9.8, CVSS exploitability score: 3.9
                Fixed version: 5.0.1

[MikeMcC399]

@sergiubologa

I can only give the same comment that I gave in the other issue:

These are not vulnerabilities which can be fixed directly by cypress/included Docker images. Any fixes would need to come from the upstream repo https://github.com/cypress-io/cypress. The Cypress binary is installed as-provided and it is not manipulated by the Cypress Docker image process.

[sergiubologa]

Thank you

[MikeMcC399]

There are separate issues for each of the vulnerabilities you mention:

• CVE-2021-23358 found on trivy scan cypress version is 13.3.3 cypress#28207
• CVE-2022-37601 found on trivy scan cypress version is 13.3.3 cypress#28208
• CVE-2022-37599 found on trivy scan cypress version 13.3.3 cypress#28196
• CVE-2022-37603 found on trivy scan on cypesss 13.3.3  cypress#28193
• CVE-2020-36632 reported in Trivy scan of cypress version 13.1 and earlier cypress#27763

I'm going to close this issue now as the follow-up needs to be done through https://github.com/cypress-io/cypress. As soon as any new Cypress version is released, a new cypress/included Cypress Docker image version is also released. So if there are vulnerability fixes they are dealt with as best and as fast as possible.

[MikeMcC399]

@sergiubologa

I have linked the existing reports back to this issue. You can subscribe to the issues if you want to follow their resolution.