Hi Team,
When we are building the application package using the meteor and scanning the same with trivy we are getting the vulnerabilities with the same. we have tried specifying the package in version file as well but no help.
vulnerability was found in module extend <2.0.2, ~<3.0.2
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in
there are multiple vulnerabilities for other packages as well. please help in the same context.
Thanks,
Gaurav
Hi @gauravchauhan, I’m not sure if I fully understood your issue.
It seems that you have vulnerabilities with some of the packages you are using, right? One of them is the cryptiles package. From what I could see, this is a package from HapiJS and they have fixed this issue already in version 4.1.2.
So, what you need to do is to update the package and do the same for every package you have
vulnerabilities. How did you try to update it? Can you share how is it in your package.json file?
If I misunderstood, please clarify a little more so we can try to help you.
@fredmaiaarantes thanks for the reply.
I have already updated the mentioned versions to fix the vulnerability. but somehow it’s getting the old version and while performing the trivy scan it shows the vulnerability with old version.
here is the package.json which is being used.
{
"name": "app",
"private": true,
"scripts": {
"start": "meteor run"
},
"dependencies": {
"@babel/runtime": "^7.17.2",
"@contentful/rich-text-html-renderer": "^15.11.1",
"@contentful/rich-text-types": "^15.1.0",
"ansi-regex": "^6.0.1",
"assert": "^2.0.0",
"bcrypt": "^5.0.1",
"bowser": "^1.9.4",
"contentful": "^8.5.8",
"extend": "^3.0.2",
"fs": "0.0.1-security",
"http": "0.0.1-security",
"https": "^1.0.0",
"jquery": "^3.6.0",
"loadsh": "0.0.4",
"meteor-node-stubs": "^1.1.0",
"moment": "^2.29.1",
"moment-range": "^3.1.1",
"moment-ranges": "^0.8.12",
"moment-timezone": "^0.5.34",
"net": "^1.0.2",
"node-gyp": "^8.4.1",
"os": "^0.1.2",
"range_check": "^2.0.4",
"request": "^2.83.0",
"stream": "0.0.2",
"toastr": "^2.1.4",
"tty": "^1.0.1",
"url": "^0.11.0",
"util": "^0.12.4",
"xml2json": "^0.12.0",
"zlib": "^1.0.5"
}
}
Although some packages are getting updated, but when I specifically mention the packages in package.json those are getting removed.
blaze upgraded from 2.3.4 to 2.5.0
blaze-tools upgraded from 1.0.10 to 1.1.0
caching-html-compiler upgraded from 1.1.3 to 1.2.0
cryptiles removed from your project
ddp-server upgraded from 2.3.2 to 2.5.0
extend removed from your project
html-tools upgraded from 1.0.11 to 1.1.0
htmljs upgraded from 1.0.11 to 1.1.0
json-schema removed from your project
jsonpointer removed from your project
less upgraded from 3.0.1 to 3.0.2
loadsh removed from your project
lodash.template removed from your project
meteor-base upgraded from 1.4.0 to 1.5.1
npm-bcrypt removed from your project
react-fast-refresh added, version 0.2.2
spacebars upgraded from 1.0.15 to 1.2.0
spacebars-compiler upgraded from 1.1.3 to 1.2.0
srp removed from your project
templating upgraded from 1.3.2 to 1.4.1
templating-compiler upgraded from 1.3.3 to 1.4.1
templating-runtime upgraded from 1.3.2 to 1.5.0
templating-tools upgraded from 1.1.2 to 1.2.0
url added, version 1.3.2
Few examples of used vulnerabilities.
extend | CVE-2018-16492 | MEDIUM | 3.0.0 | 2.0.2, 3.0.2
glob-parent | CVE-2020-28469 | HIGH | 2.0.0 | 5.1.2
lodash | CVE-2019-10744 | CRITICAL | 1.0.2 | 4.17.12
Before starting the build as well I am installing the latest packages
meteor npm install --save range_check ansi-regex node-gyp extend@3.0.2 assert meteor-node-stubs fs http https net os stream tty url util zlib moment-ranges bowser moment-range loadsh
But that is of no help, not sure from where I am getting these old package versions as well. what I suspect is the old version (14.18.3) of nodejs being used in meteor by default.
I don’t think this is related to Node.js. These packages are probably cached, you need to make sure they are not there, if this is locally you could remove your node_modules and run a meteor reset (this command remove also your local mongo database).
I have tried the meteor reset as well and checked again. still the same.
Maybe They are cached in ~/.npm?