fix(ci): suppress cdxgen-vendored lodash/minimist node-pkg CVEs in worker image-scan#407
Merged
…rker image-scan

A no-cache linux/amd64 rebuild of the worker image (image-scan gate) HARD-fails on three node-pkg findings vendored under cdxgen's global install tree:

- lodash 4.17.19 CVE-2021-23337 (HIGH), CVE-2026-4800 (HIGH)
- minimist 1.2.5 CVE-2021-44906 (CRITICAL)

These are pulled by a platform-gated (cpu=x64/os=linux) transitive of cdxgen's dependency graph: a fresh `npm install -g @cyclonedx/cdxgen@12.3.3` on linux/amd64 resolves them, while the same install on arm64/macOS resolves neither — so they were masked by the cached worker layer (image-scan passed on #404/#405) and surfaced only once that GHA cache evicted and CI did a clean amd64 rebuild. It is a pre-existing, main-wide latent issue, unrelated to any one feature PR.

Add .trivyignore entries following the file's policy (CVE + target + CVSS + reach analysis + re-evaluate date). All three are UNREACHED: cdxgen is invoked only for dependency enumeration with a fixed argv, never calls lodash.template on scanned-repo input, and the worker never invokes lodash/minimist directly. Re-evaluate when cdxgen ships a fixed vendored tree.
Problem

A no-cache `linux/amd64` rebuild of the worker image (the `image-scan` gate) HARD-fails on three node-pkg findings vendored under cdxgen's global install tree:

- lodash 4.17.19: CVE-2021-23337 (HIGH), CVE-2026-4800 (HIGH)
- minimist 1.2.5: CVE-2021-44906 (CRITICAL)

Why it surfaced now (not a regression)

These are pulled by a platform-gated (cpu=x64 / os=linux) transitive of cdxgen's dependency graph. A fresh `npm install -g @cyclonedx/cdxgen@12.3.3` on `linux/amd64` (the CI image-scan platform) resolves lodash 4.17.19 + minimist 1.2.5; the same install on `linux/arm64` and macOS resolves neither (verified locally). So they were masked by the cached worker layer (`image-scan` passed on #404/#405) and surfaced only once the `scope=worker` GHA cache evicted and CI did a clean amd64 rebuild (confirmed `CACHED=0`). Pre-existing, main-wide, unrelated to any one feature PR; it just happened to surface while a feature branch forced a rebuild.

Fix

Add three `.trivyignore` entries following the file's existing policy (CVE + bundled artifact + Trivy target path + upstream fix status + reach analysis + re-evaluate date). All three are UNREACHED, Category (3) (vulnerable entry points never invoked by the worker runtime): `cdxgen -r -o <out> --spec-version 1.5 <src>`, dependency enumeration from a repo's manifests. cdxgen's argv is the fixed vector we pass (never attacker argv → minimist prototype pollution unreachable), and it never calls `lodash.template()` on scanned-repo content (→ lodash template injection unreachable). The worker never invokes lodash/minimist directly.

Re-evaluate when cdxgen ships a vendored tree with lodash ≥ 4.17.21 / minimist ≥ 1.2.6.

Note

This is the deterministic fix (works for cache hit and miss), unlike a cdxgen version bump (12.5.1 is equally affected on amd64) or a cache-scope bump (a clean rebuild still pulls the vulnerable transitives). Unblocks #406 once merged to main.
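The plain `.trivyignore` format takes one finding ID per line, so a bare entry silences that CVE for every package in the image, not just the copy vendored under cdxgen. The block below is an added example, not the project's `.trivyignore`, showing the same three suppressions in Trivy's `.trivyignore.yaml` form, where each entry is pinned to the vendored path and carries an `expired_at` date that Trivy enforces (the finding fails the gate again once the date passes, so the re-evaluate date in the policy stops being a comment that someone has to remember to read). The `usr/local/lib/node_modules/...` paths are an assumption about where `npm install -g` lands in the worker image; substitute the target path Trivy actually prints for each finding. The expiry dates are constructed sample values.

```yaml
# Added example (not the project's own ignore file): the three suppressions from
# this PR in Trivy's .trivyignore.yaml form. Weak form first, scoped form second.

# --- Weak form: a bare ID ignores the CVE in every package in the image, so a
# --- vulnerable lodash the application itself ships later would also pass.
# vulnerabilities:
#   - id: CVE-2021-23337
#   - id: CVE-2026-4800
#   - id: CVE-2021-44906

# --- Scoped form: each entry is limited to the vendored package.json under the
# --- cdxgen global install tree and expires on the re-evaluate date.
# --- Paths are ASSUMED (global npm prefix in the worker image); use the target
# --- path Trivy reports. Dates are constructed placeholders, not the PR's.
vulnerabilities:
  - id: CVE-2021-23337      # lodash 4.17.19, HIGH, template injection
    paths:
      - "usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/lodash/package.json"
    statement: >-
      UNREACHED (Category 3): the worker runs cdxgen with a fixed argv for
      dependency enumeration only; cdxgen never calls lodash.template() on
      scanned-repo content and the worker never imports lodash. Re-evaluate
      when cdxgen vendors lodash >= 4.17.21.
    expired_at: 2026-06-30  # constructed sample date; set the policy's re-evaluate date

  - id: CVE-2026-4800       # lodash 4.17.19, HIGH
    paths:
      - "usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/lodash/package.json"
    statement: >-
      UNREACHED (Category 3): same reach analysis as CVE-2021-23337; lodash is
      only reachable through cdxgen's own code paths, none of which the worker
      drives with untrusted input. Re-evaluate when cdxgen vendors lodash >= 4.17.21.
    expired_at: 2026-06-30  # constructed sample date

  - id: CVE-2021-44906      # minimist 1.2.5, CRITICAL, prototype pollution
    paths:
      - "usr/local/lib/node_modules/@cyclonedx/cdxgen/node_modules/minimist/package.json"
    statement: >-
      UNREACHED (Category 3): minimist parses cdxgen's argv, which is the fixed
      vector the worker passes (cdxgen -r -o <out> --spec-version 1.5 <src>),
      never attacker-controlled argv; the worker never invokes minimist directly.
      Re-evaluate when cdxgen vendors minimist >= 1.2.6.
    expired_at: 2026-06-30  # constructed sample date
```

Trivy picks this file up with `--ignorefile .trivyignore.yaml` (or by placing it alongside the plain file and pointing the scan at it), and the path scoping means the gate still HARD-fails if the same CVE turns up in a copy of lodash or minimist outside the cdxgen tree, which is the behaviour you want from an image-scan gate: the suppression covers exactly the artifact whose reach was analysed and nothing else.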