Merged
47 changes: 47 additions & 0 deletions .trivyignore
Expand Up @@ -212,6 +212,53 @@ CVE-2026-24051
# under the same rationale.
CVE-2026-39883

# ----------------------------------------------------------------------------
# cdxgen Node node-pkg dependency CVEs (lodash, minimist).
#
# Trivy's node-pkg analyzer reports these against npm packages vendored under
# cdxgen's global install tree (usr/lib/node_modules/@cyclonedx/cdxgen/...).
# They are pulled by a PLATFORM-GATED (cpu=x64 / os=linux) transitive of
# cdxgen's dependency graph: a fresh `npm install -g @cyclonedx/cdxgen@12.3.3`
# on linux/amd64 (the CI image-scan platform) resolves lodash 4.17.19 +
# minimist 1.2.5, while the same install on linux/arm64 and macOS resolves
# NEITHER — which is why they surfaced only on a no-cache amd64 rebuild in CI
# and are invisible to local arm64 repros. Category (3): cdxgen runtime never
# enters the vulnerable sinks. Our only cdxgen invocation is
# cdxgen -r -o <out> --spec-version 1.5 <src>
# (apps/backend/integrations/cdxgen.py) — dependency ENUMERATION from a repo's
# manifests/lockfiles. cdxgen's own argv is fixed by us (never attacker argv),
# and it never calls lodash.template() with scanned-repo content.
# ----------------------------------------------------------------------------

# CVE-2021-23337 — lodash 4.17.19 → 4.17.21 — HIGH
# Target: usr/lib/node_modules/@cyclonedx/cdxgen/.../node_modules/lodash
# CVSS: HIGH (command injection via lodash.template template string).
# Reach: requires calling lodash.template() with an attacker-controlled
# template. cdxgen parses dependency manifests structurally and never
# compiles a template from scanned-repo input; the worker never calls
# lodash directly. UNREACHED.
# Re-evaluate: 2026-12-14 or when cdxgen ships a lodash≥4.17.21 tree.
CVE-2021-23337

# CVE-2026-4800 — lodash 4.17.19 → 4.18.0 — HIGH
# Target: usr/lib/node_modules/@cyclonedx/cdxgen/.../node_modules/lodash
# CVSS: HIGH (arbitrary code execution via untrusted input in template
# imports — same lodash.template sink, newer disclosure).
# Reach: same as CVE-2021-23337 — no lodash.template call on untrusted input
# anywhere in cdxgen's enumeration path or the worker. UNREACHED.
# Re-evaluate: 2026-12-14 or when cdxgen ships a lodash≥4.18.0 tree.
CVE-2026-4800

# CVE-2021-44906 — minimist 1.2.5 → 1.2.6 — CRITICAL
# Target: usr/lib/node_modules/@cyclonedx/cdxgen/.../node_modules/minimist
# CVSS: CRITICAL (prototype pollution via crafted argv passed to minimist).
# Reach: the pollution primitive requires feeding attacker-controlled argv
# (e.g. `--__proto__.x`) to minimist's parser. cdxgen's CLI argv is the
# fixed vector we pass above; a scanned repo cannot influence cdxgen's own
# argv, and the worker never invokes minimist. UNREACHED.
# Re-evaluate: 2026-12-14 or when cdxgen ships a minimist≥1.2.6 tree.
CVE-2021-44906

# ---------------------------------------------------------------------------
# Maven 3.9.x bundle (chore PR #4 worker image): JARs vendored alongside
# the `mvn` binary so we can run `mvn dependency:tree` for the Java
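Review bot: the minimist "Reach" justification (CVE-2021-44906 block) rests on an unstated assumption that the `<out>` and `<src>` positionals in `cdxgen -r -o <out> --spec-version 1.5 <src>` are worker-generated paths and never carry a user-influenced segment (repo name, branch, upload filename); a positional that starts with `-` is still argv from minimist's point of view, so "a scanned repo cannot influence cdxgen's own argv" only holds if that is true. Please say so explicitly in the comment, e.g. "`<out>`/`<src>` are temp paths the worker allocates; no user-supplied string reaches argv", and if apps/backend/integrations/cdxgen.py ever derives those paths from request data, revisit the entry rather than the re-evaluate date alone. Two smaller points: the three "CVSS:" lines record a severity word (HIGH/CRITICAL) rather than a score or vector, so either add the numeric score Trivy reports or rename the field to "Severity:" for consistency with the rest of the file; and since the platform-gated resolution is the whole reason these entries exist, it would help future readers if the re-evaluate line also named the trigger already implied by the header ("or when cdxgen is bumped past 12.3.3"), so a cdxgen upgrade PR is the obvious place to re-run the no-cache amd64 scan and drop these ignores.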