Using a pretty basic Dockerfile:

```dockerfile
FROM registry.access.redhat.com/ubi8/nodejs-14:latest
USER root
RUN yum update -y nodejs-nodemon-2.0.3
```
However, the Clair scan always reports the following error. I tried updating the `nodejs-nodemon` package in various ways, but nothing resolves the issue. From my investigation so far, it seems that "RHSA-2021:0549" and "RHSA-2021:0734" are related to nodejs12, so I also tried explicitly updating nodejs12 with `RUN yum -y module update nodejs:12`, but that doesn't help either. Any suggestion on how this issue can be resolved?
```
2021/06/01 11:57:20 [WARN] ▶ Image [test:31may] contains 2 total vulnerabilities
2021/06/01 11:57:20 [ERRO] ▶ Image [test:31may] contains 2 unapproved vulnerabilities
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
| Unapproved | High RHSA-2021:0734 | nodejs-nodemon | 2.0.3-1.module+el8.3.0+6519+9f98ed83 | Node.js is a software development platform |
| | | | | for building fast and scalable network |
| | | | | applications in the JavaScript programming |
| | | | | language. The following packages have |
| | | | | been upgraded to a later upstream version: |
| | | | | nodejs (12.21.0). Security Fix(es): * |
| | | | | nodejs: HTTP2 'unknownProtocol' cause DoS |
| | | | | by resource exhaustion (CVE-2021-22883) |
| | | | | * nodejs: DNS rebinding in --inspect |
| | | | | (CVE-2021-22884) For more details about the |
| | | | | security issue(s), including the impact, |
| | | | | a CVSS score, acknowledgments, and other |
| | | | | related information, refer to the CVE |
| | | | | page(s) listed in the References section. |
| | | | | https://access.redhat.com/errata/RHSA-2021:0734 |
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
| Unapproved | Medium RHSA-2021:0549 | nodejs-nodemon | 2.0.3-1.module+el8.3.0+6519+9f98ed83 | Node.js is a software development platform for |
| | | | | building fast and scalable network applications |
| | | | | in the JavaScript programming language. The |
| | | | | following packages have been upgraded to a |
| | | | | later upstream version: nodejs (12.20.1), |
| | | | | nodejs-nodemon (2.0.3). Security Fix(es): |
| | | | | * nodejs-mixin-deep: prototype pollution |
| | | | | in function mixin-deep (CVE-2019-10746) |
| | | | | * nodejs-set-value: prototype pollution |
| | | | | in function set-value (CVE-2019-10747) * |
| | | | | nodejs-npm-user-validate: improper input |
| | | | | validation when validating user emails |
| | | | | leads to ReDoS (CVE-2020-7754) * nodejs-ini: |
| | | | | prototype pollution via malicious INI file |
| | | | | (CVE-2020-7788) * nodejs: use-after-free |
| | | | | in the TLS implementation (CVE-2020-8265) |
| | | | | * nodejs: HTTP request smuggling via two |
| | | | | copies of a header field in an http request |
| | | | | (CVE-2020-8287) For more details about the |
| | | | | security issue(s), including the impact, |
| | | | | a CVSS score, acknowledgments, and other |
| | | | | related information, refer to the CVE |
| | | | | page(s) listed in the References section. |
| | | | | https://access.redhat.com/errata/RHSA-2021:0549 |
+------------+-----------------------+----------------+--------------------------------------+-------------------------------------------------+
```
```json
{
  "image": "test:31may",
  "unapproved": [
    "RHSA-2021:0549",
    "RHSA-2021:0734"
  ],
  "vulnerabilities": [
    {
      "featurename": "nodejs-nodemon",
      "featureversion": "2.0.3-1.module+el8.3.0+6519+9f98ed83",
      "vulnerability": "RHSA-2021:0734",
      "namespace": "centos:8",
      "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.21.0). Security Fix(es): * nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion (CVE-2021-22883) * nodejs: DNS rebinding in --inspect (CVE-2021-22884) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
      "link": "https://access.redhat.com/errata/RHSA-2021:0734",
      "severity": "High",
      "fixedby": "0:2.0.3-1.module+el8.3.0+9715+1718613f"
    },
    {
      "featurename": "nodejs-nodemon",
      "featureversion": "2.0.3-1.module+el8.3.0+6519+9f98ed83",
      "vulnerability": "RHSA-2021:0549",
      "namespace": "centos:8",
      "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs (12.20.1), nodejs-nodemon (2.0.3). Security Fix(es): * nodejs-mixin-deep: prototype pollution in function mixin-deep (CVE-2019-10746) * nodejs-set-value: prototype pollution in function set-value (CVE-2019-10747) * nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS (CVE-2020-7754) * nodejs-ini: prototype pollution via malicious INI file (CVE-2020-7788) * nodejs: use-after-free in the TLS implementation (CVE-2020-8265) * nodejs: HTTP request smuggling via two copies of a header field in an http request (CVE-2020-8287) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
      "link": "https://access.redhat.com/errata/RHSA-2021:0549",
      "severity": "Medium",
      "fixedby": "0:2.0.3-1.module+el8.3.0+9715+1718613f"
    }
  ]
}
```
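One thing worth checking before trying more `yum` invocations is what Clair is actually comparing. In the JSON above, `fixedby` carries the same version string as the installed package (`2.0.3`) and differs only in the release, i.e. the module build (`...+9715+1718613f` versus `...+6519+9f98ed83`). A version pin such as `yum update nodejs-nodemon-2.0.3` is therefore already satisfied by what is installed, so it has nothing to do. The script below, an added example that is not Clair's code nor anything from the original post, implements the RPM `rpmvercmp` ordering and epoch:version-release comparison in Python, then runs the Clair report (constructed here from the page's own output, trimmed to the fields used) against the package NEVR you would read inside the built image with `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' nodejs-nodemon`. The `INSTALLED` value is a hypothetical stand-in for that `rpm` output; whether the repositories enabled in the image carry the newer build is a separate question the report alone cannot answer.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample: the two Clair findings from the report above, reduced to the fields
# the comparison needs.
CLAIR_REPORT = json.loads("""
{
  "image": "test:31may",
  "vulnerabilities": [
    {"featurename": "nodejs-nodemon",
     "featureversion": "2.0.3-1.module+el8.3.0+6519+9f98ed83",
     "vulnerability": "RHSA-2021:0734",
     "fixedby": "0:2.0.3-1.module+el8.3.0+9715+1718613f"},
    {"featurename": "nodejs-nodemon",
     "featureversion": "2.0.3-1.module+el8.3.0+6519+9f98ed83",
     "vulnerability": "RHSA-2021:0549",
     "fixedby": "0:2.0.3-1.module+el8.3.0+9715+1718613f"}
  ]
}
""")

# Assumed (hypothetical) output of:
#   rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' nodejs-nodemon
# run inside the built image. Replace with the real value when using this for a real image.
INSTALLED: Dict[str, str] = {"nodejs-nodemon": "0:2.0.3-1.module+el8.3.0+6519+9f98ed83"}


def rpmvercmp(a: str, b: str) -> int:
    """RPM's segment-wise version ordering: returns -1, 0 or 1 for a < b, a == b, a > b.

    Segments are maximal runs of digits or of letters; separators are skipped. Numeric
    segments compare as integers and beat alphabetic ones; '~' sorts before anything
    (pre-releases) and '^' after the bare version but before a longer one (post-releases)."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        while one and not one[0].isalnum() and one[0] not in "~^":
            one = one[1:]
        while two and not two[0].isalnum() and two[0] not in "~^":
            two = two[1:]
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        isnum = one[0].isdigit()
        pattern = r"\d+" if isnum else r"[A-Za-z]+"
        seg1 = re.match(pattern, one).group(0)
        m2 = re.match(pattern, two)
        if m2 is None:  # segment types differ: a numeric segment is the newer one
            return 1 if isnum else -1
        seg2 = m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def parse_evr(s: str) -> Tuple[int, str, str]:
    """Split 'E:V-R' into (epoch, version, release); a missing epoch counts as 0."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, _, release = s.partition("-")  # neither V nor R may contain '-'
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Order two EVR strings the way rpm/yum do: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


def unresolved_findings(report: dict, installed: Dict[str, str]) -> List[dict]:
    """Advisories whose fixedby build is still newer than what the image carries.

    release_only marks fixes that share the installed version string and differ only in
    release, the case a 'yum update <name>-<version>' pin cannot express."""
    out = []
    for v in report["vulnerabilities"]:
        name = v["featurename"]
        have = installed.get(name, v["featureversion"])
        fix = v["fixedby"]
        if evr_compare(have, fix) >= 0:
            continue  # installed build is at or past the fix
        out.append({"advisory": v["vulnerability"], "package": name, "installed": have,
                    "fixedby": fix, "release_only": parse_evr(have)[1] == parse_evr(fix)[1]})
    return out


if __name__ == "__main__":
    for f in unresolved_findings(CLAIR_REPORT, INSTALLED):
        print(f"{f['advisory']}: {f['package']} {f['installed']} < {f['fixedby']}"
              f" (release-only fix: {f['release_only']})")
```

Run against the sample data it reports both advisories as unresolved with `release_only` true; once `INSTALLED` is fed the newer build string (or anything that compares greater), the list is empty, which is the state Clair needs to see before it stops flagging the image.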