Is the Trivy Nightly Docker Scan not detecting any Node.js files? #7460

danilohorta · 2025-08-15T18:33:11Z

danilohorta
Aug 15, 2025

That would explain a large inconsistence between a local scan I'm doing versus what we see in the CI (https://github.com/coder/code-server/actions/runs/16988109535/job/48161316994).

Enter

trivy image --severity HIGH,CRITICAL --ignore-unfixed docker.io/codercom/code-server:latest

using trivy version 0.65.0 (or 0.64.1 as in the CI) and you will see:

Node.js (node-pkg)

Total: 20 (HIGH: 16, CRITICAL: 4)

┌────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬──────────────────────┬──────────────────────────────────────────────────────────────┐
│          Library           │    Vulnerability    │ Severity │ Status │ Installed Version │    Fixed Version     │                            Title                             │
├────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ code-server (package.json) │ CVE-2023-26114      │ CRITICAL │ fixed  │ 1.103.0           │ 4.10.1               │ code-server vulnerable to Missing Origin Validation in       │
│                            │                     │          │        │                   │                      │ WebSockets                                                   │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2023-26114                   │
│                            ├─────────────────────┼──────────┤        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-3810       │ HIGH     │        │                   │ 3.12.0               │ Inefficient Regular Expression Complexity in code-server     │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-3810                    │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2025-47269      │          │        │                   │ 4.99.4               │ code-server's session cookie can be extracted by having user │
│                            │                     │          │        │                   │                      │ visit specially crafted...                                   │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2025-47269                   │
├────────────────────────────┼─────────────────────┤          │        ├───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ diff (package.json)        │ GHSA-h6ch-v84p-w6p9 │          │        │ 1.0.0             │ 3.5.0                │ Regular Expression Denial of Service (ReDoS)                 │
│                            │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-h6ch-v84p-w6p9            │
├────────────────────────────┼─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ grunt (package.json)       │ CVE-2020-7729       │          │        │                   │ 1.3.0                │ The package grunt before 1.3.0 are vulnerable to Arbitrary   │
│                            │                     │          │        │                   │                      │ Code Execut ......                                           │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2020-7729                    │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2022-1537       │          │        │                   │ 1.5.3                │ gruntjs: race condition leading to arbitrary file write      │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2022-1537                    │
├────────────────────────────┼─────────────────────┼──────────┤        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ handlebars (package.json)  │ CVE-2019-19919      │ CRITICAL │        │                   │ 4.3.0, 3.0.8         │ nodejs-handlebars: prototype pollution leading to remote     │
│                            │                     │          │        │                   │                      │ code execution via crafted payloads                          │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2019-19919                   │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23369      │          │        │                   │ 4.7.7                │ nodejs-handlebars: Remote code execution when compiling      │
│                            │                     │          │        │                   │                      │ untrusted compile templates with strict:true option...       │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-23369                   │
│                            ├─────────────────────┤          │        │                   │                      ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2021-23383      │          │        │                   │                      │ nodejs-handlebars: Remote code execution when compiling      │
│                            │                     │          │        │                   │                      │ untrusted compile templates with compat:true option...       │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2021-23383                   │
│                            ├─────────────────────┼──────────┤        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2019-20920      │ HIGH     │        │                   │ 3.0.8, 4.5.3         │ nodejs-handlebars: lookup helper fails to properly validate  │
│                            │                     │          │        │                   │                      │ templates allowing for arbitrary JavaScript...               │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2019-20920                   │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ GHSA-2cf5-4w76-r9qv │          │        │                   │ 3.0.8, 4.5.2         │ Arbitrary Code Execution in handlebars                       │
│                            │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-2cf5-4w76-r9qv            │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ GHSA-g9r4-xpmj-mj65 │          │        │                   │ 3.0.8, 4.5.3         │ Prototype Pollution in handlebars                            │
│                            │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-g9r4-xpmj-mj65            │
│                            ├─────────────────────┤          │        │                   │                      ├──────────────────────────────────────────────────────────────┤
│                            │ GHSA-q2c6-c6pm-g3gh │          │        │                   │                      │ Arbitrary Code Execution in handlebars                       │
│                            │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-q2c6-c6pm-g3gh            │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ GHSA-q42p-pg8m-cqh6 │          │        │                   │ 4.1.2, 4.0.14, 3.0.7 │ Prototype Pollution in handlebars                            │
│                            │                     │          │        │                   │                      │ https://github.com/advisories/GHSA-q42p-pg8m-cqh6            │
├────────────────────────────┼─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ ini (package.json)         │ CVE-2020-7788       │          │        │                   │ 1.3.6                │ nodejs-ini: Prototype pollution via malicious INI file       │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2020-7788                    │
├────────────────────────────┼─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│ json (package.json)        │ CVE-2020-7712       │          │        │                   │ 10.0.0               │ trentm/json vulnerable to command injection                  │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2020-7712                    │
├────────────────────────────┼─────────────────────┤          │        ├───────────────────┼──────────────────────┼──────────────────────────────────────────────────────────────┤
│ npm (package.json)         │ CVE-2018-7408       │          │        │ 1.0.1             │ 5.7.1                │ Incorrect Permission Assignment for Critical Resource in NPM │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2018-7408                    │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2019-16775      │          │        │                   │ 6.13.3               │ npm: Symlink reference outside of node_modules folder        │
│                            │                     │          │        │                   │                      │ through the bin field upon...                                │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2019-16775                   │
│                            ├─────────────────────┤          │        │                   │                      ├──────────────────────────────────────────────────────────────┤
│                            │ CVE-2019-16776      │          │        │                   │                      │ npm: Arbitrary file write via constructed entry in the       │
│                            │                     │          │        │                   │                      │ package.json bin field...                                    │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2019-16776                   │
│                            ├─────────────────────┤          │        │                   ├──────────────────────┼──────────────────────────────────────────────────────────────┤
│                            │ CVE-2019-16777      │          │        │                   │ 6.13.4               │ npm: Global node_modules Binary Overwrite                    │
│                            │                     │          │        │                   │                      │ https://avd.aquasec.com/nvd/cve-2019-16777                   │
└────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴──────────────────────┴──────────────────────────────────────────────────────────────┘

usr/local/bin/fixuid (gobinary)

Total: 6 (HIGH: 5, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ v1.20.7           │ 1.21.11, 1.22.4                  │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                                  │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39325 │ HIGH     │        │                   │ 1.20.10, 1.21.3                  │ golang: net/http, x/net/http2: rapid stream resets can cause │
│         │                │          │        │                   │                                  │ excessive work (CVE-2023-44487)                              │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45283 │          │        │                   │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\    │
│         │                │          │        │                   │                                  │ prefix as...                                                 │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1                   │ encoding/gob: golang: Calling Decoder.Decode on a message    │
│         │                │          │        │                   │                                  │ which contains deeply nested structures...                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-34156                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-47907 │          │        │                   │ 1.23.12, 1.24.6                  │ database/sql: Postgres Scan Race Condition                   │
│         │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2025-47907                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Line 144 of Step 3 (https://github.com/coder/code-server/actions/runs/16988109535/job/48161316994) is telling that trivy detect only 1 language-specific files (2025-08-15T10:25:56Z INFO Number of language-specific files num=1), while the above suggested command will report 2.

Does anybody have a clue why?

code-asher · 2025-08-15T20:45:03Z

code-asher
Aug 15, 2025
Maintainer

We did get alerts about usr/local/bin/fixuid but as far as I can tell, they are all unrelated (fixuid makes no network requests, for one thing). It seems to be marking everything Go-related, whether the program uses that thing or not.

The rest are false positives. See this for code-server, which we can prevent: #7071

And this for the rest, which I think we cannot prevent: #6332

1 reply

code-asher Aug 15, 2025
Maintainer

As for the actual question, whether that line indicates that our scan is skipping the package.json, I am not sure. Maybe something is misconfigured, or maybe it remembers that we dismissed those previously or that it already reported those to us or something.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Is the Trivy Nightly Docker Scan not detecting any Node.js files? #7460

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Is the Trivy Nightly Docker Scan not detecting any Node.js files? #7460

Uh oh!

danilohorta Aug 15, 2025

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

code-asher Aug 15, 2025 Maintainer

Uh oh!

Uh oh!

code-asher Aug 15, 2025 Maintainer

danilohorta
Aug 15, 2025

Replies: 1 comment 1 reply

code-asher
Aug 15, 2025
Maintainer

code-asher Aug 15, 2025
Maintainer