vishalsawale9 opened a new issue #17002: URL: https://github.com/apache/superset/issues/17002
### Issue Description

We have been using Apache Superset on Kubernetes. We scan images with Trivy to identify any vulnerabilities in our container images. In one of our routine Trivy scans against the last released Superset image tag [1.3](https://github.com/apache/superset/releases/tag/1.3.0), we identified a few npm package vulnerabilities. We reached out to the ASF security mailing list, but per them these are dependencies that do not have context as to how they are used in the project and should be treated as a normal bug.

#### How to reproduce the bug

- Install Trivy:

  ```
  curl -sL -o install.sh "https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh"
  chmod +x install.sh
  ./install.sh v0.19.2
  ```

- Run Trivy against image `1.3`:

  ```
  trivy image --vuln-type 'os,library' --ignore-unfixed --format 'table' docker.io/apache/superset:1.3.0
  ```

### Expected results

No CVE issues which are HIGH or CRITICAL, ideally.

### Actual results

We are seeing a few CVE issues in the `package-lock.json` file.

#### Screenshots

If applicable, add screenshots to help explain your problem.

### Environment (please complete the following information):

- browser type and version: N/A
- superset version: `superset version` 1.3.0
- python version: `python --version` 3.8.12
- node.js version: `node -v`
- any feature flags active:

### Checklist

Make sure to follow these steps before submitting your issue - thank you!

- [ ] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [ ] I have reproduced the issue with at least the latest released version of superset.
- [x] I have checked the issue tracker for the same issue and I haven't found one similar.
### Additional context

Below is the Trivy scan result:

```
➜ trivy image --vuln-type 'os,library' --ignore-unfixed --format 'table' docker.io/apache/superset:1.3.0

app/superset-frontend/package-lock.json (npm)
=============================================
Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 5, CRITICAL: 3)
```

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| datatables.net | CVE-2021-23445 | MEDIUM | 1.10.24 | 1.11.3 | Cross site scripting in datatables.net --> avd.aquasec.com/nvd/cve-2021-23445 |
| esm | GHSA-qx4v-6gc5-f2vv | MEDIUM | 3.0.84 | 3.1.0 | Regular Expression Denial of Service --> github.com/advisories/GHSA-qx4v-6gc5-f2vv |
| highlight.js | GHSA-7wwv-vh3v-89cq | MEDIUM | 10.3.2 | 10.4.1 | ReDOS vulnerabities: multiple grammars --> github.com/advisories/GHSA-7wwv-vh3v-89cq |
| immer | CVE-2021-23436 | CRITICAL | 8.0.1 | 9.0.6 | Prototype Pollution in immer --> avd.aquasec.com/nvd/cve-2021-23436 |
| immer | CVE-2021-3757 | CRITICAL | 8.0.1 | 9.0.6 | nodejs-immer: prototype pollution may lead to DoS or remote code execution --> avd.aquasec.com/nvd/cve-2021-3757 |
| minimist | CVE-2020-7598 | MEDIUM | 0.0.5 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... --> avd.aquasec.com/nvd/cve-2020-7598 |
| minimist | CVE-2020-7598 | MEDIUM | 0.0.8 | 1.2.3, 0.2.1 | nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a... --> avd.aquasec.com/nvd/cve-2020-7598 |
| node-fetch | CVE-2020-15168 | MEDIUM | 1.7.3 | 3.0.0-beta.9, 2.6.1 | node-fetch: size of data after fetch() JS thread leads to DoS --> avd.aquasec.com/nvd/cve-2020-15168 |
| nth-check | CVE-2021-3803 | HIGH | 1.0.2 | 2.0.1 | nodejs-nth-check: inefficient regular expression complexity --> avd.aquasec.com/nvd/cve-2021-3803 |
| path-parse | CVE-2021-23343 | HIGH | 1.0.6 | 1.0.7 | nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe --> avd.aquasec.com/nvd/cve-2021-23343 |
| prismjs | CVE-2021-23341 | HIGH | 1.22.0 | 1.23.0 | nodejs-prismjs: Regular expression denial of service via prism-asciidoc prism-rest prism-tap and prism-eiffel... --> avd.aquasec.com/nvd/cve-2021-23341 |
| prismjs | CVE-2021-32723 | MEDIUM | 1.22.0 | 1.24.0 | npm-prismjs: a malicious (long) string will take a long time to highlight... --> avd.aquasec.com/nvd/cve-2021-32723 |
| prismjs | CVE-2021-3801 | MEDIUM | 1.22.0 | 1.25.0 | nodejs-prismjs: ReDoS vulnerability --> avd.aquasec.com/nvd/cve-2021-3801 |
| trim | CVE-2020-7753 | HIGH | 0.0.1 | 0.0.3 | Regular Expression Denial of Service in trim --> avd.aquasec.com/nvd/cve-2020-7753 |
| underscore | CVE-2021-23358 | HIGH | 1.12.0 | 1.12.1 | nodejs-underscore: Arbitrary code execution via the template function --> avd.aquasec.com/nvd/cve-2021-23358 |
| urijs | CVE-2021-3647 | MEDIUM | 1.19.6 | 1.19.7 | Hostname spoofing via backslashes in URL --> avd.aquasec.com/nvd/cve-2021-3647 |
| zrender | CVE-2021-39227 | CRITICAL | 5.1.1 | 5.2.1 | Prototype Pollution in the merge and clone helper methods --> avd.aquasec.com/nvd/cve-2021-39227 |

This was generated
with the following command: `trivy image --vuln-type 'os,library' --ignore-unfixed --format 'table' docker.io/apache/superset:1.3.0`
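As an added example, not code from this issue, from Superset or from the Trivy project: a small Python gate that reads Trivy's `--format json` output and turns the reporter's expected result ("no HIGH or CRITICAL") into a pass/fail check, reproducing the `--ignore-unfixed` semantics by skipping findings that carry no `FixedVersion`. The JSON field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Title`) are Trivy's; the embedded report is constructed from three rows of the table above plus one placeholder unfixed entry, and the function names and threshold handling are assumptions of this example.

```python
"""Severity gate over a Trivy JSON report (added example, not Trivy/Superset code).

Run `trivy image --format json -o report.json <image>` and then
`python trivy_gate.py report.json`; with no argument the constructed sample
below is used. Exit status 1 means at least one finding at or above the
threshold remains after filtering.
"""
import json
import sys
from collections import Counter

# Trivy's severity levels, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}

# Constructed sample modelled on the issue's table (not a real Trivy capture).
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "app/superset-frontend/package-lock.json",
        "Type": "npm",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-23436", "PkgName": "immer",
             "InstalledVersion": "8.0.1", "FixedVersion": "9.0.6",
             "Severity": "CRITICAL", "Title": "Prototype Pollution in immer"},
            {"VulnerabilityID": "CVE-2021-3803", "PkgName": "nth-check",
             "InstalledVersion": "1.0.2", "FixedVersion": "2.0.1",
             "Severity": "HIGH",
             "Title": "nodejs-nth-check: inefficient regular expression complexity"},
            {"VulnerabilityID": "CVE-2021-23445", "PkgName": "datatables.net",
             "InstalledVersion": "1.10.24", "FixedVersion": "1.11.3",
             "Severity": "MEDIUM", "Title": "Cross site scripting in datatables.net"},
            # Placeholder (constructed) finding with no fix yet, to show what
            # --ignore-unfixed drops.
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "example-pkg",
             "InstalledVersion": "1.0.0", "FixedVersion": "",
             "Severity": "CRITICAL", "Title": "placeholder unfixed finding"},
        ],
    }]
})


def load_findings(report_text):
    """Yield (target, vulnerability) pairs from a Trivy JSON report.

    Recent Trivy releases wrap results as {"Results": [...]}; older releases
    (assumed here to include v0.19.x) emitted the bare list, so accept both.
    """
    data = json.loads(report_text)
    results = data.get("Results", []) if isinstance(data, dict) else data
    for result in results:
        # "Vulnerabilities" is absent or null for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def gate(report_text, threshold="HIGH", ignore_unfixed=True):
    """Return (blocking_findings, counts_by_severity).

    A finding blocks when its severity is at or above `threshold`. With
    ignore_unfixed=True, findings without a FixedVersion are skipped entirely
    (from both the blocking list and the counts), matching --ignore-unfixed.
    """
    min_rank = SEVERITY_RANK[threshold]
    counts = Counter()
    blocking = []
    for target, vuln in load_findings(report_text):
        severity = vuln.get("Severity", "UNKNOWN")
        fixed = vuln.get("FixedVersion") or ""
        if ignore_unfixed and not fixed:
            continue
        counts[severity] += 1
        if SEVERITY_RANK.get(severity, 0) >= min_rank:
            blocking.append({
                "target": target,
                "id": vuln.get("VulnerabilityID", "?"),
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": fixed,
                "severity": severity,
            })
    # Most severe first, then by package name, so the top of the report is
    # what a reviewer should look at first.
    blocking.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["pkg"]))
    return blocking, counts


def format_report(blocking, counts):
    """Render a summary line (Trivy-style) plus one line per blocking finding."""
    summary = ", ".join(f"{s}: {counts[s]}" for s in reversed(SEVERITY_ORDER))
    lines = [f"Total: {sum(counts.values())} ({summary})"]
    for f in blocking:
        lines.append(f"{f['severity']:<8} {f['id']:<20} {f['pkg']} "
                     f"{f['installed']} -> {f['fixed']}  [{f['target']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found, by_severity = gate(text)
    print(format_report(found, by_severity))
    sys.exit(1 if found else 0)
```

Because the unfixed placeholder is skipped, the sample yields two blocking findings (immer CRITICAL, nth-check HIGH) and the MEDIUM datatables.net row is counted but does not fail the gate; passing `ignore_unfixed=False` surfaces the unfixed CRITICAL as well, which is the trade-off behind Trivy's `--ignore-unfixed` flag: quieter CI at the cost of not seeing risks you cannot yet patch.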
