
The Trivy scanner is unable to pick up the updated version (7.5.2) and still throws an error in the build (showing the installed version as 7.5.1).

(alpine 3.17.4)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Node.js (node-pkg)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                     │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ semver (package.json) │ CVE-2022-25883 │ MEDIUM   │ 7.5.1             │ 7.5.2         │ semver vulnerable to Regular Expression Denial of Service │
│                       │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25883                │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

I made the following changes to override the semver version so that the Trivy scanner accepts a fixed version (7.5.2).

The changes were made in package.json:

"overrides": { "semver": "^7.5.2" },

and

"resolutions": { "semver": "^7.5.2" },

When I ran ‘npm i’ in my local environment and searched for all occurrences of semver in package-lock.json, the entry under "packages" was updated to "semver": "^7.5.2".
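One way to check whether an old copy of semver still survives somewhere in package-lock.json (the file the Trivy node-pkg scanner reads) is to walk the lockfile's "packages" map and list every installed copy with its path. This is an added example, not code from the question or from Trivy; the lockfile object is constructed for illustration and the function names are my own.

```javascript
// Added example: list every copy of a package recorded in a lockfile v2/v3
// "packages" map and flag the ones still below the fixed version.
// The lockfile below is constructed for illustration, not taken from the post.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/semver": { version: "7.5.2" },
    "node_modules/some-tool": { version: "2.0.0", dependencies: { semver: "^7.5.1" } },
    // A nested copy that an override/resolution did not reach (constructed).
    "node_modules/some-tool/node_modules/semver": { version: "7.5.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build tags are ignored.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return every lockfile path whose last segment is `name`, with its version
// and whether it is still below `fixedVersion`. Nested copies such as
// "node_modules/a/node_modules/semver" are what an override can miss.
function findInstalledCopies(lock, name, fixedVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixedVersion) < 0,
    }));
}

for (const c of findInstalledCopies(lockfile, "semver", "7.5.2")) {
  console.log(`${c.vulnerable ? "STILL VULNERABLE" : "ok"}  ${c.path}@${c.version}`);
}
```

To run it against a real project, replace the constructed `lockfile` object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any path reported as still vulnerable is a copy the override or resolution did not reach.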

  • I believe that you should explicitly list `semver` inside your `devDependencies` in `package.json` and also try `npm list` to see which package(s) are using the outdated `semver` – IVO GELOV Jul 06 '23 at 09:27
