I'm using Code-Server to create a container image based on Code-Server and other tools. When I use the grype scanner, I'm getting a lot of false positive vulnerabilities related to the extensions folder. These are some of them:

False positive CVE image

I'm wondering if there is a consequence if I decide to remove some of those extension folders that I don't use, for example perl, ruby, etc.

Thanks !!

  • How do you know they're false positives? – Alejandro May 26 '22 at 15:57
  • Hello Alejandro, Grype is taking the version of the npm package module and the name of the npm module for each extension and it is looking for vulnerabilities related to that version and name. For example, there is an extension called perl, but I don't have the perl tool on my image, but grype is reporting the CVE-2002-1119 for perl/1.0.0 located at /opt/code-server/lib/vscode/extensions/perl/package.json – Andrés M. Gómez May 27 '22 at 16:51
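
A triage aid for the matching behaviour described in the comment above, added here as an example and not part of the original thread or of grype: it inventories every `package.json` under an extensions directory and separates VS Code extension manifests from bundled npm packages, so findings keyed on an extension's own name and version can be told apart from findings on real dependencies. It assumes an extension manifest is recognisable by its `engines.vscode` field; the function names and the sample tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def inventory_manifests(extensions_dir):
    """Return one record per readable package.json under extensions_dir."""
    root = Path(extensions_dir)
    records = []
    for manifest in sorted(root.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to classify
        if not isinstance(data, dict):
            continue
        engines = data.get("engines") or {}
        # Assumption: a VS Code extension manifest declares engines.vscode.
        is_extension = isinstance(engines, dict) and "vscode" in engines
        records.append({
            "path": manifest.relative_to(root).as_posix(),
            "name": data.get("name"),
            "version": data.get("version"),
            "kind": "vscode-extension-manifest" if is_extension else "npm-package",
        })
    return records


def build_sample_tree(base):
    """Write a constructed extensions tree (sample data, not a real image)."""
    files = {
        "perl/package.json": '{"name": "perl", "version": "1.0.0", "engines": {"vscode": "*"}}',
        "some-ext/package.json": '{"name": "some-ext", "version": "0.1.0", "engines": {"vscode": "*"}}',
        "some-ext/node_modules/example-dep/package.json": '{"name": "example-dep", "version": "2.3.4"}',
        "broken/package.json": "{not json",
    }
    for rel, text in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")


def demo():
    """Run the inventory over the constructed tree and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory_manifests(tmp)


if __name__ == "__main__":
    for rec in demo():
        print(f'{rec["kind"]:28} {rec["name"]}@{rec["version"]}  {rec["path"]}')
```

Records of kind `vscode-extension-manifest` describe the extension itself, so a CVE matched on that name and version refers to unrelated software of the same name; records of kind `npm-package` are bundled dependencies and need normal review.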
