Type: Bug
Resolution: Unresolved
Priority: Major
Affects Version: clair-4.7.2
Description:
This is an issue found in Quay 3.10: after pushing a test image to Quay, the image has various NodeJS vulnerabilities, but Quay can't scan and report all NodeJS-related vulnerabilities (e.g. npm minimist) to users. See the detailed npm vulnerability list below; please review this issue.
Note: This issue also exists in Quay 3.10.
Quay: 3.10.3
Clair: clairctl version v4.7.2 (user) (claircore v1.5.19)
Test image: registry.access.redhat.com/openshift3/nodejs-010-rhel7
Vulnerabilities of NodeJS npm packages:
grype registry.access.redhat.com/openshift3/nodejs-010-rhel7 --scope all-layers | grep npm

 ✔ Vulnerability DB              [no update available]
 ✔ Loaded image                  registry.access.redhat.com/openshift3/nodejs-010-rhel7:latest
 ✔ Parsed image                  sha256:226d0b1b7987b846224536b79904d9a69e220f6d37d24cd642584881da73470d
 ✔ Cataloged contents            a65e4eaebff2be97c029beb8a027143ce86567c121894f54b67cd9045a4b0f31
   ├── ✔ Packages                [797 packages]
   ├── ✔ File digests            [15,536 files]
   └── ✔ File metadata           [15,536 locations]
 ✔ Scanned for vulnerabilities   [3863 vulnerability matches]
   ├── by severity: 21 critical, 332 high, 2150 medium, 1344 low, 0 negligible (16 unknown)
   └── by status: 1493 fixed, 2370 not-fixed, 0 ignored
[0006] WARN unable to extract licenses from javascript package.json: unmarshal failed

Columns (grype default table; the header line itself was filtered out by grep npm): NAME, INSTALLED, FIXED-IN, TYPE, VULNERABILITY, SEVERITY. An empty FIXED-IN means grype knows no fixed version.

bl                 1.0.0    1.0.1    npm  GHSA-wrw9-m778-g6mc  Medium
bl                 1.0.0    1.2.3    npm  GHSA-pp7h-53gx-mx7r  Medium
brace-expansion    1.1.1    1.1.7    npm  GHSA-832h-xg76-4gv6  High
braces             1.8.2    2.3.1    npm  GHSA-g95f-p29q-9xw4  Low
braces             1.8.2    2.3.1    npm  GHSA-cwfw-4gq5-mrqx  Low
chownr             1.0.1    1.1.0    npm  GHSA-c6rq-rjc2-86v2  Low
concat-stream      1.4.4    1.4.11   npm  GHSA-g74r-ffvr-5q9f  Medium
debug              2.2.0    2.6.9    npm  GHSA-9vvw-cc9w-f27h  High
debug              2.2.0    2.6.9    npm  GHSA-gxpj-cx7g-858c  Medium
deep-extend        0.3.2    0.5.1    npm  GHSA-hr2v-3952-633q  Critical
fstream            1.0.3    1.0.12   npm  GHSA-xf7w-r453-m56c  High
glob-parent        2.0.0    5.1.2    npm  GHSA-ww39-953v-wcq6  High
got                5.2.1    11.8.5   npm  GHSA-pfrx-2q88-qq97  Medium
hosted-git-info    2.1.4    2.8.9    npm  GHSA-43f8-2h32-f4cj  Medium
ini                1.2.0    1.3.6    npm  GHSA-qqgx-2p2h-9c37  High
minimatch          3.0.2    3.0.5    npm  GHSA-f8q6-p94x-37v3  High
minimist           0.0.8    0.2.4    npm  GHSA-xvch-5gv4-984h  Critical
minimist           0.0.8    0.2.1    npm  GHSA-vh95-rmgr-6w4m  Medium
ms                 0.7.1    2.0.0    npm  GHSA-w9mr-4mfr-499f  Medium
node-uuid          1.4.1    1.4.4    npm  GHSA-265q-28rp-chq5  High
npm                2.14.13  6.13.3   npm  GHSA-x8qc-rrcw-4r46  High
npm                2.14.13  5.7.1    npm  GHSA-ph34-pc88-72gc  High
npm                2.14.13  6.13.3   npm  GHSA-m6cx-g6qm-p2cx  High
npm                2.14.13  2.15.1   npm  GHSA-m5h6-hr3q-22h5  High
npm                2.14.13  6.13.4   npm  GHSA-4328-8hgf-7wjr  High
npm                2.14.13  6.14.6   npm  GHSA-93f3-23rq-pjfp  Medium
npm-user-validate  0.1.1    1.0.1    npm  GHSA-pw54-mh39-w3hc  High
npm-user-validate  0.1.1    1.0.1    npm  GHSA-xgh6-85xh-479p  Low
qs                 0.6.5    1.0.0    npm  GHSA-jjv7-qpx3-h62q  High
qs                 0.6.5    6.2.4    npm  GHSA-hrpp-h998-j3pp  High
qs                 0.6.5    6.0.4    npm  GHSA-gqgv-6jq5-jjj9  High
qs                 0.6.5    1.0.0    npm  GHSA-f9cm-p3w6-xvr3  High
randomatic         1.1.5    3.0.0    npm  GHSA-6g33-f262-xjp4  Medium
request            2.42.0            npm  GHSA-p8p7-x288-28g6  Medium
request            2.42.0   2.68.0   npm  GHSA-7xfp-9c55-5vqj  Medium
semver             5.0.3    5.7.2    npm  GHSA-c2qf-rxjj-qqgw  Medium
tar                2.2.1    3.2.3    npm  GHSA-r628-mhmh-qjhw  High
tar                2.2.1    4.4.18   npm  GHSA-qq89-hq3f-393p  High
tar                2.2.1    2.2.2    npm  GHSA-j44m-qm6p-hp7m  High
tar                2.2.1    4.4.16   npm  GHSA-9r2w-394v-53qc  High
tar                2.2.1    4.4.18   npm  GHSA-5955-9wpr-37jh  High
tar                2.2.1    3.2.2    npm  GHSA-3jfq-g458-7qm9  High
tunnel-agent       0.3.0    0.6.0    npm  GHSA-xc7v-wxcw-j472  Medium
undefsafe          0.0.3    2.0.3    npm  GHSA-332q-7ff2-57h2  Medium
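To make the gap in this report checkable rather than eyeballed, the following Python script cross-references grype's npm rows against the vulnerability report Quay returns for the same manifest and lists every npm advisory grype found that Quay did not. It is an added example written for triaging this issue, not code from the Quay, Clair or grype projects. Assumptions not taken from the report: the Quay JSON has the shape returned by Quay's `GET /api/v1/repository/<repo>/manifest/<digest>/security?vulnerabilities=true` endpoint as understood here (`data` -> `Layer` -> `Features[]` -> `Vulnerabilities[]`, each with a `Name`), and the grype rows are the default table columns NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY with FIXED-IN possibly empty. The grype excerpt is a few rows copied from the output above; the Quay report is constructed and deliberately contains only one of those npm advisories.

```python
"""Diff grype's npm findings against a Quay/Clair security report.

Added example for this issue; not Quay, Clair or grype code. The Quay report
shape (data -> Layer -> Features[] -> Vulnerabilities[]) is an assumption
about Quay's manifest security API, and all sample inputs are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed excerpt: five rows taken from the grype table in the report.
GRYPE_NPM_ROWS = """\
minimist 0.0.8 0.2.4 npm GHSA-xvch-5gv4-984h Critical
minimist 0.0.8 0.2.1 npm GHSA-vh95-rmgr-6w4m Medium
request 2.42.0 npm GHSA-p8p7-x288-28g6 Medium
tar 2.2.1 4.4.18 npm GHSA-qq89-hq3f-393p High
tar 2.2.1 2.2.2 npm GHSA-j44m-qm6p-hp7m High
"""

# Constructed Quay report (assumed API shape): one rpm feature with a
# placeholder CVE id, and only ONE of grype's five npm advisories.
QUAY_REPORT = json.dumps({
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "example-rpm-pkg", "Version": "1.0-1.el7",
         "Vulnerabilities": [{"Name": "CVE-0000-0000", "Severity": "High"}]},
        {"Name": "tar", "Version": "2.2.1",
         "Vulnerabilities": [{"Name": "GHSA-qq89-hq3f-393p", "Severity": "High"}]},
    ]}},
})


def parse_grype_rows(text):
    """Parse grype table rows into (name, installed, fixed_in, type, vuln, severity).

    A row with five fields has an empty FIXED-IN column (no fix known).
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 6:
            name, installed, fixed_in, pkg_type, vuln, sev = parts
        elif len(parts) == 5:
            name, installed, pkg_type, vuln, sev = parts
            fixed_in = ""
        else:
            raise ValueError(f"unexpected grype row: {line!r}")
        rows.append((name, installed, fixed_in, pkg_type, vuln, sev))
    return rows


def quay_reported_ids(report_json):
    """Return the set of (feature name, vulnerability id) pairs Quay reported."""
    report = json.loads(report_json)
    if report.get("status") != "scanned":
        # An unscanned/queued manifest would make every advisory look missing.
        raise RuntimeError(f"manifest not scanned yet: status={report.get('status')!r}")
    reported = set()
    for feature in report["data"]["Layer"]["Features"]:
        for vuln in feature.get("Vulnerabilities", []):
            reported.add((feature["Name"], vuln["Name"]))
    return reported


def missing_npm_findings(grype_text, report_json):
    """Map package name -> [(vuln id, severity, installed, fixed_in)] for npm
    advisories grype found that are absent from the Quay report."""
    reported = quay_reported_ids(report_json)
    missing = defaultdict(list)
    for name, installed, fixed_in, pkg_type, vuln, sev in parse_grype_rows(grype_text):
        if pkg_type != "npm":
            continue  # only the npm ecosystem is in question here
        if (name, vuln) not in reported:
            missing[name].append((vuln, sev, installed, fixed_in or "none"))
    return dict(missing)


def severity_counts(missing):
    """Count missing advisories by grype severity label."""
    return dict(Counter(sev for entries in missing.values() for _, sev, _, _ in entries))


if __name__ == "__main__":
    gap = missing_npm_findings(GRYPE_NPM_ROWS, QUAY_REPORT)
    for pkg, entries in sorted(gap.items()):
        for vuln, sev, installed, fixed_in in entries:
            print(f"MISSING {pkg} {installed} (fixed in {fixed_in}): {vuln} [{sev}]")
    print("by severity:", severity_counts(gap))
```

With the constructed inputs the script flags both minimist advisories, the unfixed request advisory and one of the two tar advisories, leaving only the tar advisory that the sample Quay report actually contains. To run it against a real deployment, save the JSON returned by the Quay security endpoint for the pushed manifest and the grype table to files and pass their contents to `missing_npm_findings`; the `status` check matters because a manifest that Clair has not finished indexing reports nothing and would otherwise look like this bug.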