Trivy failing because of a couple of vulnerabilities #25

Open
giovannirco opened this issue May 26, 2021 · 0 comments

Comments

@giovannirco

I run Trivy on each Docker build, and I got an alert when building the latest commit 8c1f0ce544c3fedb6ecf76451cab3d515b4ef4ee.

The vulnerability IDs are CVE-2021-31597 and CVE-2020-28502. The offending package is xmlhttprequest-ssl, located in theta-infrastructure-ledger-explorer/package-lock.json.

Here is the log trivy gives:

+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| xmlhttprequest-ssl | CVE-2020-28502   | HIGH     | 1.5.3             | 1.6.2         | nodejs-xmlhttprequest: Code injection |
|                    |                  |          |                   |               | through user input to xhr.send        |
|                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28502 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+

+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| xmlhttprequest-ssl | CVE-2021-31597   | CRITICAL | 1.5.3             | 1.6.1         | xmlhttprequest-ssl: SSL certificate   |
|                    |                  |          |                   |               | validation disabled by default        |
|                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-31597 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+