
We have a Node.js application which is failing a Trivy scan due to CVE-2022-25881 from http-cache-semantics. We have gone through the package.json and couldn't find any dependency or transitive dependency which refers to this library. Can someone please help point out how we could address it?

"dependencies": {
  "body-parser": "^1.20.1",
  "express": "^4.18.2",
  "mongodb": "^5.0.1",
  "passport": "^0.6.0",
  "passport-azure-ad": "^4.3.4"
}

Dockerfile

FROM node:16.19-bullseye-slim
RUN mkdir -p /.npm
VOLUME /tmp
WORKDIR /app
COPY . /app/
# command to run when instantiating an image
CMD ["npm", "start", "--loglevel=verbose"]
Vishal Gada


This vulnerability comes from npm itself. Updating npm to the latest version in your Docker image should resolve this finding:

https://github.com/npm/cli/pull/6148

MarkoCen
  • Thank you for this. I am new to Node.js; could you please let me know how I can update npm in my Docker image to the latest version? We are using GitHub Actions to build the Docker image. – Vishal Gada Feb 11 '23 at 13:48
  • I was able to update npm by using the "RUN npm -g install npm@latest" command in the Dockerfile. The issue got resolved. – Vishal Gada Feb 13 '23 at 08:54
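The finding here is against npm's own bundled copy of http-cache-semantics, not anything in package.json, which is why the dependency search came up empty. The following script is an added example (not code from the question or the answer) that verifies the fix after `RUN npm -g install npm@latest`: it reads the version out of the bundled package.json and compares it against 4.1.1, the release that fixes CVE-2022-25881. The bundled path `<npm root -g>/npm/node_modules/http-cache-semantics/package.json` is an assumption about npm's install layout; pass an explicit path if your image differs.

```shell
#!/bin/sh
# Added example, not code from the question or answer: check whether the
# http-cache-semantics copy bundled inside npm is at or above 4.1.1, the
# release that fixes the ReDoS tracked as CVE-2022-25881. Run it in the
# image after "RUN npm -g install npm@latest", or in CI before Trivy runs.
FIXED_VERSION="4.1.1"

# Print the "version" field of a package.json (no jq or node required).
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when semver $1 >= $2, comparing major.minor.patch only;
# a pre-release suffix such as 4.1.1-beta.0 is stripped before comparing.
version_ge() {
  a=${1%%-*}; b=${2%%-*}
  oldifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  if [ "$a1" -gt "$b1" ]; then return 0; elif [ "$a1" -lt "$b1" ]; then return 1; fi
  if [ "$a2" -gt "$b2" ]; then return 0; elif [ "$a2" -lt "$b2" ]; then return 1; fi
  if [ "$a3" -ge "$b3" ]; then return 0; else return 1; fi
}

# Verdict for the package.json at $1: exit 0 fixed, 1 affected, 2 unreadable.
check_http_cache_semantics() {
  if [ ! -f "$1" ]; then echo "not found: $1"; return 2; fi
  v=$(pkg_version "$1")
  [ -n "$v" ] || { echo "no version field in $1"; return 2; }
  if version_ge "$v" "$FIXED_VERSION"; then
    echo "http-cache-semantics $v: fixed (>= $FIXED_VERSION)"; return 0
  fi
  echo "http-cache-semantics $v: affected by CVE-2022-25881 (< $FIXED_VERSION)"; return 1
}

# Assumed layout of npm's bundled copy under the global node_modules root.
npm_bundled_path() {
  root=$(npm root -g 2>/dev/null) || return 2
  echo "$root/npm/node_modules/http-cache-semantics/package.json"
}

# Usage: sh check-hcs.sh --npm        (inspect npm's bundled copy)
#        sh check-hcs.sh PATH/package.json
case "${1:-}" in
  "") ;;   # no argument: only define the functions (e.g. when sourced)
  --npm) check_http_cache_semantics "$(npm_bundled_path)" ;;
  *) check_http_cache_semantics "$1" ;;
esac
```

A non-zero exit from `--npm` in the Docker build (`RUN sh check-hcs.sh --npm`) fails the build before the image reaches the scanner, so a base-image bump that silently reverts npm gets caught early.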