
NodeJS v16 and v18 false positive #1467

Closed
ReDemoNBR opened this issue Aug 26, 2023 · 7 comments
Assignees
Labels
bug Something isn't working false-positive vulnerability-data-source Deals with issues with existing data sources or new sources

Comments

@ReDemoNBR

ReDemoNBR commented Aug 26, 2023

What happened:
Grype is reporting vulnerabilities CVE-2023-32003 and CVE-2023-32004, which describe an issue in the new experimental process-based permission model in NodeJS v20; however, Grype is also reporting the issue in other versions, like the v16 LTS and v18 LTS, where this feature is not implemented.

What you expected to happen:
Expect the vulnerabilities to be found in NodeJS v20 (< 20.5.1), not on v18 or v16.
I expect the affected version range to be >=20.0.0 <=20.5.0

How to reproduce it (as minimally and precisely as possible):

$ grype docker.io/node:16.20.2-alpine
 ✔ Vulnerability DB                [no update available]  
 ✔ Parsed image                    sha256:2573171e0124bb95d14d128728a52a97bb91  
 ✔ Cataloged packages              [233 packages]  
 ✔ Scanned for vulnerabilities     [3 vulnerabilities]  
   ├── 0 critical, 1 high, 2 medium, 0 low, 0 negligible
   └── 1 fixed
NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY 
node    16.20.2              binary  CVE-2023-32004       High      
node    16.20.2              binary  CVE-2023-32003       Medium    
semver  7.3.7      7.5.2     npm     GHSA-c2qf-rxjj-qqgw  Medium
$ grype docker.io/node:18-alpine
 ✔ Vulnerability DB                [no update available]  
 ✔ Parsed image                    sha256:50c7e33a9de1d9f3412cdd53e2d6a00adc24  
 ✔ Cataloged packages              [285 packages]  
 ✔ Scanned for vulnerabilities     [3 vulnerabilities]  
   ├── 0 critical, 1 high, 2 medium, 0 low, 0 negligible
   └── 1 fixed
NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY 
node    18.17.1              binary  CVE-2023-32004       High      
node    18.17.1              binary  CVE-2023-32003       Medium    
semver  7.5.1      7.5.2     npm     GHSA-c2qf-rxjj-qqgw  Medium

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:          grype
Version:              0.65.2
Syft Version:         v0.87.1
BuildDate:            2023-08-17T20:03:30Z
GitCommit:            51223cd0b1069c7c7bbc27af1deec3e96ad3e07d
GitDescription:       v0.65.2
Platform:             linux/amd64
GoVersion:            go1.19.12
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):
NAME="EndeavourOS"
PRETTY_NAME="EndeavourOS"
ID="endeavouros"
ID_LIKE="arch"
BUILD_ID="2021.12.17"
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://endeavouros.com"
DOCUMENTATION_URL="https://discovery.endeavouros.com"
SUPPORT_URL="https://forum.endeavouros.com"
BUG_REPORT_URL="https://forum.endeavouros.com/c/arch-based-related-questions/bug-reports"
PRIVACY_POLICY_URL="https://endeavouros.com/privacy-policy-2"
LOGO="endeavouros"
@ReDemoNBR ReDemoNBR added the bug Something isn't working label Aug 26, 2023
@kzantow
Contributor

kzantow commented Aug 28, 2023

Thanks for the report @ReDemoNBR. I'm not sure how we would be able to fix this -- the NVD data does not appear to have the version range correct. If you look at https://nvd.nist.gov/vuln/detail/CVE-2023-32003 and https://nvd.nist.gov/vuln/detail/CVE-2023-32004, both state that the affected versions are:

Up to (including) 20.5.0

Until the NVD data gets corrected, Grype will continue to show these vulnerabilities on older versions of node.
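The root cause described above is a range with no lower bound: "Up to (including) 20.5.0" matches every earlier release, including 16.x and 18.x. The following is an added example (not grype's code; grype has its own version-comparison logic) that models an NVD-style range with an optional inclusive lower bound and shows which of the versions from this issue each form of the range would flag. The `AffectedRange` type and its field names are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed major.minor.patch triple. Constructed for this example;
// grype has its own version-comparison code, which this does not reproduce.
type Version [3]int

// ParseVersion parses strings such as "16.20.2" or "20.5.0".
func ParseVersion(s string) (Version, error) {
	var v Version
	fields := strings.Split(s, ".")
	if len(fields) != 3 {
		return v, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad component %q in %q", f, s)
		}
		v[i] = n
	}
	return v, nil
}

// Compare returns -1, 0 or 1 as v is below, equal to or above o.
func (v Version) Compare(o Version) int {
	for i := range v {
		switch {
		case v[i] < o[i]:
			return -1
		case v[i] > o[i]:
			return 1
		}
	}
	return 0
}

// AffectedRange models an NVD-style "Up to (including) X" entry with an
// optional inclusive lower bound. An empty StartIncluding means the range is
// unbounded below, which is how the entries for these two CVEs were published.
type AffectedRange struct {
	StartIncluding string
	EndIncluding   string
}

// Contains reports whether version falls inside the range.
func (r AffectedRange) Contains(version string) (bool, error) {
	v, err := ParseVersion(version)
	if err != nil {
		return false, err
	}
	hi, err := ParseVersion(r.EndIncluding)
	if err != nil {
		return false, err
	}
	if r.StartIncluding != "" {
		lo, err := ParseVersion(r.StartIncluding)
		if err != nil {
			return false, err
		}
		if v.Compare(lo) < 0 {
			return false, nil // below the lower bound: not affected
		}
	}
	return v.Compare(hi) <= 0, nil
}

// Affected returns the installed versions that the range would flag.
func Affected(r AffectedRange, installed []string) ([]string, error) {
	var hits []string
	for _, ver := range installed {
		ok, err := r.Contains(ver)
		if err != nil {
			return nil, err
		}
		if ok {
			hits = append(hits, ver)
		}
	}
	return hits, nil
}

func main() {
	// The NVD entry as quoted above: only an upper bound.
	published := AffectedRange{EndIncluding: "20.5.0"}
	// The range the reporter expected: >=20.0.0 <=20.5.0.
	expected := AffectedRange{StartIncluding: "20.0.0", EndIncluding: "20.5.0"}
	// Versions from the scans in this issue plus the fixed release 20.5.1.
	installed := []string{"16.20.2", "18.17.1", "20.5.0", "20.5.1"}

	for _, r := range []AffectedRange{published, expected} {
		hits, err := Affected(r, installed)
		if err != nil {
			panic(err)
		}
		fmt.Printf("range %+v flags %v\n", r, hits)
	}
}
```

With the published (unbounded) range the example flags 16.20.2, 18.17.1 and 20.5.0; with the expected lower bound only 20.5.0 is flagged. The fix therefore has to land in the data source, not the matcher: a scanner that compares versions correctly will still produce these matches as long as the CPE configuration lacks a start version.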

@kzantow
Contributor

kzantow commented Aug 28, 2023

As an intermediate workaround, you could add matches to ignore to a grype configuration file: https://github.com/anchore/grype#specifying-matches-to-ignore

@kzantow kzantow added false-positive vulnerability-data-source Deals with issues with existing data sources or new sources labels Aug 28, 2023
@ReDemoNBR
Author

I added the ignore rules to whitelist them in my .grype.yaml config file.

If anyone else is having issues with this, continue reading.

I had 2 ideas to handle these findings; one of them is strict and the other is loose. The first is to only whitelist (ignore) the 2 vulnerabilities found, and the other one is more generic.

Strict

I use this with the official NodeJS image from Docker Hub as a base image.
The official image compiles the binary file and is not installed from a package manager, hence why the package type is binary. If you install it from a package manager, like apk (Alpine) or apt (Debian/Ubuntu), be sure to change the package type.

ignore:
  - vulnerability: CVE-2023-32003
    fix-state: unknown
    package:
      type: binary
      version: 18.17.1 # if you are using dynamic image tags like "lts", then remove this line
  - vulnerability: CVE-2023-32004
    fix-state: unknown
    package:
      type: binary
      version: 18.17.1 # if you are using dynamic image tags like "lts", then remove this line

The version must be strictly equal; a version range like >=18.0.0 <20.0.0 is not supported.

Loose

This is very generic, and we use this config for other projects during Continuous Integration workflows to alert my team about actions required on our end.
Please watch out, as this may add some openings for vulnerabilities in your project. If you are reading this, please consider researching vulnerability assessment before applying this.

So the configuration is to ignore issues with the following fix states:

  • wont-fix: When vendors declare it is developer's responsibility or misusage (ex: a download tool that had a report about downloading malware, when the tool claims antivirus is out of scope and the antivirus check should be done by the developers using it)
  • not-fixed: When vendors still have no fix available for the vulnerability
  • unknown: When vulnerabilities are still being evaluated or disputed

So it would be something like this:

ignore:
  - fix-state: unknown
  - fix-state: wont-fix
  - fix-state: not-fixed
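To make the difference between the two configurations concrete, the following added example (written for this page; not grype's own matcher) models the ignore-rule fields used in the two YAML snippets above, where an unset field is a wildcard and a set field must match exactly, and applies both rule sets to a sample list of findings. The findings are the node:18-alpine rows from this issue plus two constructed rows: the same CVE after a hypothetical bump to 18.18.0, and a placeholder not-fixed apk finding whose ID, CVE-EXAMPLE-0001, is not real.

```go
package main

import "fmt"

// Finding is one row of grype output reduced to the fields the ignore rules
// look at. Constructed for this example.
type Finding struct {
	Vulnerability string
	FixState      string // fixed, not-fixed, wont-fix or unknown
	PackageType   string // binary, npm, apk, ...
	Version       string
}

// IgnoreRule carries the same fields as an entry under "ignore:" in
// .grype.yaml. An empty field is a wildcard; a set field must match exactly,
// which is why the strict rule above has to be edited on every node bump.
// This models the documented semantics; it is not grype's own matcher.
type IgnoreRule struct {
	Vulnerability string
	FixState      string
	PackageType   string
	Version       string
}

// Matches reports whether every set field of the rule equals the finding's.
func (r IgnoreRule) Matches(f Finding) bool {
	if r.Vulnerability != "" && r.Vulnerability != f.Vulnerability {
		return false
	}
	if r.FixState != "" && r.FixState != f.FixState {
		return false
	}
	if r.PackageType != "" && r.PackageType != f.PackageType {
		return false
	}
	// Plain string equality: no ranges such as ">=18.0.0 <20.0.0".
	if r.Version != "" && r.Version != f.Version {
		return false
	}
	return true
}

// Apply splits findings into those still reported and those ignored by a rule.
func Apply(rules []IgnoreRule, findings []Finding) (kept, ignored []Finding) {
	for _, f := range findings {
		hit := false
		for _, r := range rules {
			if r.Matches(f) {
				hit = true
				break
			}
		}
		if hit {
			ignored = append(ignored, f)
		} else {
			kept = append(kept, f)
		}
	}
	return kept, ignored
}

// StrictRules is the "Strict" configuration from the comment above.
var StrictRules = []IgnoreRule{
	{Vulnerability: "CVE-2023-32003", FixState: "unknown", PackageType: "binary", Version: "18.17.1"},
	{Vulnerability: "CVE-2023-32004", FixState: "unknown", PackageType: "binary", Version: "18.17.1"},
}

// LooseRules is the "Loose" configuration: ignore by fix state alone.
var LooseRules = []IgnoreRule{
	{FixState: "unknown"},
	{FixState: "wont-fix"},
	{FixState: "not-fixed"},
}

// SampleFindings returns the node:18-alpine findings from this issue plus two
// constructed rows: the same CVE after a hypothetical bump to 18.18.0, and a
// placeholder not-fixed apk finding (CVE-EXAMPLE-0001 is not a real ID).
func SampleFindings() []Finding {
	return []Finding{
		{"CVE-2023-32003", "unknown", "binary", "18.17.1"},
		{"CVE-2023-32004", "unknown", "binary", "18.17.1"},
		{"GHSA-c2qf-rxjj-qqgw", "fixed", "npm", "7.5.1"},
		{"CVE-2023-32003", "unknown", "binary", "18.18.0"},
		{"CVE-EXAMPLE-0001", "not-fixed", "apk", "1.0.0"},
	}
}

func main() {
	for name, rules := range map[string][]IgnoreRule{"strict": StrictRules, "loose": LooseRules} {
		kept, ignored := Apply(rules, SampleFindings())
		fmt.Printf("%s: %d ignored, %d still reported\n", name, len(ignored), len(kept))
		for _, f := range kept {
			fmt.Printf("  reported %-20s %-9s %-6s %s\n", f.Vulnerability, f.FixState, f.PackageType, f.Version)
		}
	}
}
```

The strict rules silence exactly the two pinned findings and nothing else: the constructed 18.18.0 row is still reported, which is the maintenance cost the comment warns about. The loose rules also hide the 18.18.0 row and the constructed not-fixed finding, leaving only the fixed semver advisory, which is the "opening" the comment cautions against: anything a vendor has not yet fixed, or whose state is still unknown, disappears from the report.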

@ReDemoNBR
Author

If nobody has anything else to add on this, this issue may be closed

@joshbressers
Contributor

I have mailed NVD requesting a change to the CPE versions for these IDs.

I'll update the issue once I hear back from them.

@joshbressers joshbressers self-assigned this Sep 7, 2023
@tgerla
Contributor

tgerla commented Dec 14, 2023

Hey @joshbressers, I just checked the NVD and it appears as though they have not corrected the "Up to" version info. Have you heard back from your request?

@spiffcs
Contributor

spiffcs commented Aug 8, 2024

This one has been fixed with the latest grype:

go run cmd/grype/main.go docker.io/node:16.20.2-alpine
 ✔ Vulnerability DB                [no update available]
 ✔ Pulled image
 ✔ Loaded image                                                                                                   index.docker.io/library/node:16.20.2-alpine
 ✔ Parsed image                                                                       sha256:d56236570077f3147f86e01c7b7d1137505d2872e6b654d76f5f6be52dd5daac
 ✔ Cataloged contents                                                                        b300666eb10c2d3cd4ce96b84d34f887e81246b7655de0f83f078cb01cea890b
   ├── ✔ Packages                        [232 packages]
   ├── ✔ File digests                    [81 files]
   ├── ✔ File metadata                   [81 locations]
   └── ✔ Executables                     [20 executables]
 ✔ Scanned for vulnerabilities     [41 vulnerability matches]
   ├── by severity: 2 critical, 7 high, 23 medium, 1 low, 0 negligible (8 unknown)
   └── by status:   33 fixed, 8 not-fixed, 0 ignored
NAME           INSTALLED  FIXED-IN   TYPE    VULNERABILITY        SEVERITY
busybox        1.36.1-r2  1.36.1-r6  apk     CVE-2023-42366       Medium
busybox        1.36.1-r2  1.36.1-r7  apk     CVE-2023-42365       Medium
busybox        1.36.1-r2  1.36.1-r7  apk     CVE-2023-42364       Medium
busybox        1.36.1-r2  1.36.1-r7  apk     CVE-2023-42363       Medium
busybox-binsh  1.36.1-r2  1.36.1-r6  apk     CVE-2023-42366       Medium
busybox-binsh  1.36.1-r2  1.36.1-r7  apk     CVE-2023-42365       Medium
busybox-binsh  1.36.1-r2  1.36.1-r7  apk     CVE-2023-42364       Medium
busybox-binsh  1.36.1-r2  1.36.1-r7  apk     CVE-2023-42363       Medium
ip             2.0.0                 npm     GHSA-2p57-rm9w-gvfp  High
ip             2.0.0      2.0.1      npm     GHSA-78xj-cgh5-2h22  Low
libcrypto3     3.1.2-r0   3.1.6-r0   apk     CVE-2024-5535        Critical
libcrypto3     3.1.2-r0   3.1.4-r0   apk     CVE-2023-5363        High
libcrypto3     3.1.2-r0   3.1.4-r5   apk     CVE-2024-0727        Medium
libcrypto3     3.1.2-r0   3.1.4-r3   apk     CVE-2023-6129        Medium
libcrypto3     3.1.2-r0   3.1.4-r1   apk     CVE-2023-5678        Medium
libcrypto3     3.1.2-r0   3.1.6-r0   apk     CVE-2024-4741        Unknown
libcrypto3     3.1.2-r0   3.1.5-r0   apk     CVE-2024-4603        Unknown
libcrypto3     3.1.2-r0   3.1.4-r6   apk     CVE-2024-2511        Unknown
libcrypto3     3.1.2-r0   3.1.4-r4   apk     CVE-2023-6237        Unknown
libssl3        3.1.2-r0   3.1.6-r0   apk     CVE-2024-5535        Critical
libssl3        3.1.2-r0   3.1.4-r0   apk     CVE-2023-5363        High
libssl3        3.1.2-r0   3.1.4-r5   apk     CVE-2024-0727        Medium
libssl3        3.1.2-r0   3.1.4-r3   apk     CVE-2023-6129        Medium
libssl3        3.1.2-r0   3.1.4-r1   apk     CVE-2023-5678        Medium
libssl3        3.1.2-r0   3.1.6-r0   apk     CVE-2024-4741        Unknown
libssl3        3.1.2-r0   3.1.5-r0   apk     CVE-2024-4603        Unknown
libssl3        3.1.2-r0   3.1.4-r6   apk     CVE-2024-2511        Unknown
libssl3        3.1.2-r0   3.1.4-r4   apk     CVE-2023-6237        Unknown
node           16.20.2               binary  CVE-2024-27983       High
node           16.20.2               binary  CVE-2024-22019       High
node           16.20.2               binary  CVE-2024-21892       High
node           16.20.2               binary  CVE-2023-44487       High
node           16.20.2               binary  CVE-2024-27982       Medium
node           16.20.2               binary  CVE-2024-22025       Medium
node           16.20.2               binary  CVE-2024-22020       Medium
grype docker.io/node:18-alpine
 ✔ Vulnerability DB                [no update available]
 ✔ Pulled image
 ✔ Loaded image                                                                                                        index.docker.io/library/node:18-alpine
 ✔ Parsed image                                                                       sha256:b0c5385c383cf88d465e1e7392b5840adb2d705d1754791ab1d568d9fe3c62db
 ✔ Cataloged contents                                                                        0132b0f595fcbe2f145f9bd93388027d13ca1982fcf1248b3bb9d0094af5bd84
   ├── ✔ Packages                        [227 packages]
   ├── ✔ File digests                    [79 files]
   ├── ✔ File metadata                   [79 locations]
   └── ✔ Executables                     [20 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
A newer version of grype is available for download: 0.79.4 (installed version is 0.79.3)

@spiffcs spiffcs closed this as completed Aug 8, 2024
@kzantow kzantow closed this as not planned Won't fix, can't repro, duplicate, stale Aug 9, 2024