Closed
Description
In starting to implement safe-settings, I was running the generated docker container through several security scanners, to reduce the image's vulnerabilities. In doing so, I saw a report that the safe-settings npm package had a Critical severity issue.
I'm curious if anyone knows any details on the issue outlined here: https://osv.dev/vulnerability/MAL-2025-2048
It looks like it's saying the safe-settings node code contains malicious code and should be avoided. Is there actually malicious code, or is it just a heuristic false positive because this tool can manage and manipulate Github objects?
I built the docker container per the documentation here: https://github.com/github/safe-settings/blob/main-enterprise/docs/deploy.md
docker build -t safe-settings .
[+] Building 17.8s (11/11) FINISHED docker:desktop-linux
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 790B 0.0s
=> [internal] load metadata for docker.io/library/node:20-alpine 1.2s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 381B 0.0s
=> [1/6] FROM docker.io/library/node:20-alpine@sha256:be56e91681a8ec1bba91e3006039bd228dc797fd984794a3efedab325b36e679 7.8s
=> => resolve docker.io/library/node:20-alpine@sha256:be56e91681a8ec1bba91e3006039bd228dc797fd984794a3efedab325b36e679 0.0s
=> => sha256:5dcbd7aabb6446c948be207289c771661cefa5c53687ca5f5e44c8b215aea633 443B / 443B 0.1s
=> => sha256:0e0eedb34394bfc5bab7ed39319f3112d3830f86d8fcd5473ddccb4c5a851473 42.63MB / 42.63MB 7.3s
=> => sha256:a821a4b963d7d1b599a8c2aeccea70964fecabdb4709cf995233c5e6e8a93d5c 1.26MB / 1.26MB 1.1s
=> => extracting sha256:0e0eedb34394bfc5bab7ed39319f3112d3830f86d8fcd5473ddccb4c5a851473 0.4s
=> => extracting sha256:a821a4b963d7d1b599a8c2aeccea70964fecabdb4709cf995233c5e6e8a93d5c 0.0s
=> => extracting sha256:5dcbd7aabb6446c948be207289c771661cefa5c53687ca5f5e44c8b215aea633 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 684.37kB 0.0s
=> [2/6] WORKDIR /opt/safe-settings 0.1s
=> [3/6] COPY package*.json /opt/safe-settings/ 0.0s
=> [4/6] COPY index.js /opt/safe-settings/ 0.0s
=> [5/6] COPY lib /opt/safe-settings/lib 0.0s
=> [6/6] RUN npm ci 5.7s
=> exporting to image 2.8s
=> => exporting layers 2.0s
=> => exporting manifest sha256:1e51935dec40ed9b53e36d59f029634b35ba5644edce2ca3f2da7b67f7bcee4a 0.0s
=> => exporting config sha256:43dde48207e7d013bb08c51d0c9d9f2599d500f7c19893edec56219665f48bd1 0.0s
=> => exporting attestation manifest sha256:71583b8dd802e5254f43faeaa55111a8b9b3e6fa68f830f3786ec7a69ea1485c 0.0s
=> => exporting manifest list sha256:177cf72eed78ea39bd147ff46aee3b241985d5e5198f739bc19ddc307ab07fe9 0.0s
=> => naming to docker.io/library/safe-settings:latest 0.0s
=> => unpacking to docker.io/library/safe-settings:latest 0.8s
2 warnings found (use docker --debug to expand):
- LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 3)
- JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 25)
View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/61btqcu1my1fznpukt47lbvdj
Then running it through the grype scanner gave me this:
grype sha256:177cf72eed78ea39bd147ff46aee3b241985d5e5198f739bc19ddc307ab07fe9
✔ Loaded image sha256:177cf72eed78ea39bd147ff46aee3b241985d5e5198f739bc19ddc307ab07fe9
✔ Parsed image sha256:43dde48207e7d013bb08c51d0c9d9f2599d500f7c19893edec56219665f48bd1
✔ Cataloged contents 392fe3b705f895984b9977c1fc164718e96c17ee7e9c122e9dc9a9e78c8cb8d3
├── ✔ Packages [609 packages]
├── ✔ Executables [20 executables]
├── ✔ File metadata [676 locations]
└── ✔ File digests [676 files]
✔ Scanned for vulnerabilities [8 vulnerability matches]
├── by severity: 1 critical, 1 high, 0 medium, 6 low, 0 negligible
└── by status: 1 fixed, 7 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS% RISK
cross-spawn 7.0.3 7.0.5 npm GHSA-3xgq-45jj-v275 High 30.22 < 0.1
busybox 1.37.0-r12 apk CVE-2025-46394 Low 2.23 < 0.1
busybox-binsh 1.37.0-r12 apk CVE-2025-46394 Low 2.23 < 0.1
ssl_client 1.37.0-r12 apk CVE-2025-46394 Low 2.23 < 0.1
busybox 1.37.0-r12 apk CVE-2024-58251 Low 3.11 < 0.1
busybox-binsh 1.37.0-r12 apk CVE-2024-58251 Low 3.11 < 0.1
ssl_client 1.37.0-r12 apk CVE-2024-58251 Low 3.11 < 0.1
safe-settings 0.1.0-rc.26 npm GHSA-jf49-vxrf-95m2 Critical N/A N/A
Notice the last line, referring to GHSA-jf49-vxrf-95m2
Metadata
Metadata
Assignees
Labels
No labels