Peter_101

Why does the trivy scanner find vulnerabilities for dependencies that do not exist in my project?

I use the trivy GitHub action (aquasecurity/trivy-action@master) to scan my NestJS project, but I keep getting the vulnerabilities below even though I have not used those packages directly or indirectly (there is no trace of them in my yarn.lock). Why would trivy report these vulnerabilities?

┌─────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ dot-object (package.json)           │ CVE-2019-10793 │ MEDIUM   │ 1.1.0             │ 2.1.3         │ Prototype Pollution in dot-object                          │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-10793                 │
├─────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │ HIGH     │ 4.1.0             │ 4.1.1         │ http-cache-semantics: Regular Expression Denial of Service │
│                                     │                │          │                   │               │ (ReDoS) vulnerability                                      │
│                                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25881                 │
└─────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘


Answers (0)
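Since the table lists each library as found in a package.json rather than in yarn.lock, a first triage step is to locate every package.json in the scanned tree that declares the reported name and to cross-check the installed version against the lockfile. The script below is an added example, not part of the question or of trivy itself; the minimal yarn.lock parser, the sample project tree and the function names are constructed for the demonstration.

```python
import json, os, re, tempfile

# Findings copied from the trivy table above: (library, installed version).
FINDINGS = [("dot-object", "1.1.0"), ("http-cache-semantics", "4.1.0")]
# Constructed yarn.lock (v1 format): only one of the two packages is locked.
SAMPLE_YARN_LOCK = """# yarn lockfile v1
http-cache-semantics@^4.0.0, http-cache-semantics@^4.1.0:
  version "4.1.0"
"""

def parse_yarn_lock(text):
    """Minimal v1 yarn.lock parser (hypothetical): returns {name: {versions}}."""
    locked, names = {}, []
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":") and line[0] != "#":
            # Header such as: foo@^1.0.0, "@scope/bar@^2.0.0":  -> package names
            names = [re.sub(r"@[^@]*$", "", s.strip().strip('"')) for s in line[:-1].split(",")]
        elif names and line.strip().startswith("version "):
            for n in names:
                locked.setdefault(n, set()).add(line.split('"')[1])
    return locked

def find_declarations(root, name):
    """(relative path, version) of every package.json under root whose name matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path) as fh:
            pkg = json.load(fh)
        if pkg.get("name") == name:
            hits.append((os.path.relpath(path, root), pkg.get("version")))
    return hits

def triage(root, yarn_lock_text, findings):
    """Per finding: is the installed version locked, and which package.json files declare it?"""
    locked = parse_yarn_lock(yarn_lock_text)
    return {name: {"in_lockfile": ver in locked.get(name, set()),
                   "declared_in": find_declarations(root, name)} for name, ver in findings}

def build_sample_tree():
    """Constructed project tree: dot-object exists only as a package.json under node_modules."""
    root = tempfile.mkdtemp()
    pkg_dir = os.path.join(root, "node_modules", "dot-object")
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "package.json"), "w") as fh:
        json.dump({"name": "dot-object", "version": "1.1.0"}, fh)
    return root
```

Running `triage(build_sample_tree(), SAMPLE_YARN_LOCK, FINDINGS)` reports dot-object as absent from the lockfile but declared under node_modules, and http-cache-semantics as locked at 4.1.0; pointing the same functions at the real project directory and yarn.lock shows where the scanner could have picked each package up.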
