Trivy reporting vulnerabilities based on wrong package version in yarn projects

[brentswisher]

Description

When using a dependenciesMeta key in a yarn.lock file, trivy is incorrectly parsing dependency information resulting in invalid scan results and potentially missing vulnerabilities.

For example, in the following sample yarn.lockfile:

# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 6
  cacheKey: 8

"@company/some-consuming-package@workspace:.":
  version: 0.0.0-use.local
  resolution: "@company/some-consuming-package@workspace:."
  dependencies:
    "@company/some-dependency-package": v1.1.0
    devcert: ^1.2.2
  languageName: unknown
  linkType: soft

"@company/some-dependency-package@npm:v1.1.0":
  version: 1.1.0
  resolution: "@company/some-dependency-package@npm:1.1.0"
  dependencies:
    devcert: ^1.2.2
  dependenciesMeta:
    [email protected]:
      unplugged: true
  checksum: 0e2b2e2b4b
  languageName: node
  linkType: hard

Correctly parsing this would find:

• @company/some-dependency-package: 1.1.0
• devcert: 1.2.2

However, trivy parses it as follows:

• @company/some-dependency-package: 1.1.0
• devcert: 1.1.0

Because devcert v1.1.0 has vulnerabilities in versions prior to v1.2.1 and trivy incorrectly think 1.1.0 it installed, it reports those vulnerabilities:

While in this case it is resulting in a false positive, a false negative could also exist if some-dependency-package had a higher version than its dependency.

It appear to specifically be the version number (devcert@1.2.2) in dependenciesMeta which causes this to occur.

See https://github.com/brentswisher/trivy-bug-sample/blob/main/README.md for working samples proving out the bug and demonstrating it is specifically the version string in dependenciesMeta which causes the behavior.

Desired Behavior

When parsing yarn.lock files, Trivy correctly parses the dependencies so that it reports vulnerabilities correctly.

Actual Behavior

When parsing yarn.lock files, Trivy mistakenly uses a dependence's version number with it's sub-dependency name, resulting in invalid vulnerability scans.

Reproduction Steps

1. Download https://github.com/brentswisher/trivy-bug-sample/
2. Run `trivy fs failing/yarn.lock`
3. See it report the project has devcert v1.1.0 installed resulting in false postitives.

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

2023-11-13T14:46:10.637-0500	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-13T14:46:10.638-0500	DEBUG	Ignore statuses	{"statuses": null}
2023-11-13T14:46:10.647-0500	DEBUG	cache dir:  ******
2023-11-13T14:46:10.648-0500	DEBUG	DB update was skipped because the local DB is the latest
2023-11-13T14:46:10.648-0500	DEBUG	DB Schema: 2, UpdatedAt: 2023-11-13 18:11:25.596328759 +0000 UTC, NextUpdate: 2023-11-14 00:11:25.596328368 +0000 UTC, DownloadedAt: 2023-11-13 18:18:15.801778 +0000 UTC
2023-11-13T14:46:10.648-0500	INFO	Vulnerability scanning is enabled
2023-11-13T14:46:10.648-0500	DEBUG	Vulnerability type:  [os library]
2023-11-13T14:46:10.648-0500	INFO	Secret scanning is enabled
2023-11-13T14:46:10.648-0500	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-13T14:46:10.648-0500	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-11-13T14:46:10.648-0500	DEBUG	No secret config detected: trivy-secret.yaml
2023-11-13T14:46:10.648-0500	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-13T14:46:10.649-0500	DEBUG	Walk the file tree rooted at 'failing/yarn.lock' in parallel
2023-11-13T14:46:10.649-0500	DEBUG	Unable to traverse licenses: 2 errors occurred:
	* walk error: stat node_modules: file does not exist
	* fs error: file does not exist


2023-11-13T14:46:10.649-0500	DEBUG	Yarn: package.json not found
2023-11-13T14:46:10.660-0500	DEBUG	OS is not detected.
2023-11-13T14:46:10.660-0500	DEBUG	Detected OS: unknown
2023-11-13T14:46:10.660-0500	INFO	Number of language-specific files: 1
2023-11-13T14:46:10.660-0500	INFO	Detecting yarn vulnerabilities...
2023-11-13T14:46:10.660-0500	DEBUG	Detecting library vulnerabilities, type: yarn, path: yarn.lock

yarn.lock (yarn)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                      Title                      │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────┤
│ devcert │ CVE-2020-8186 │ HIGH     │ fixed  │ 1.1.0             │ 1.1.2         │ Injection and Command Injection in devcert      │
│         │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8186       │
│         ├───────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────┤
│         │ CVE-2022-1929 │          │        │                   │ 1.2.1         │ Regular expression denial of service in devcert │
│         │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-1929       │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────

Operating System

macOS 13.5.2

Version

Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-13 18:11:25.596328759 +0000 UTC
  NextUpdate: 2023-11-14 00:11:25.596328368 +0000 UTC
  DownloadedAt: 2023-11-13 18:18:15.801778 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-08-31 01:01:47.046108083 +0000 UTC
  NextUpdate: 2023-09-03 01:01:47.046107383 +0000 UTC
  DownloadedAt: 2023-08-31 16:20:01.711957 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @brentswisher
Thanks for your report!

Did you remove https://github.com/brentswisher/trivy-bug-sample/ repository?
Or is this private repository?

Regards, Dmitriy

[brentswisher]

@DmitriyLewen Sorry about that, it was set to private, you should be able to see it now?

[DmitriyLewen]

Yes. I currently see your repository.
But I'm confused.
If I remember correctly, your yarn.lock file should contain one more root block for devcert dependency:

"devcert@npm:^1.2.2":
  version: 1.2.2
  resolution: "devcert@npm:1.2.2"
...

Did you correct lock file manually?

[DmitriyLewen]

But I was able to reproduce your error with wrong package name. Problem with dependencyMeta field.

[brentswisher]

👍 yes, I do have that devcert block in the original project where I observed this, I created those samples because that project's yarn.lock is several hundred lines and this was all that is needed to recreate it

[DmitriyLewen]

Created #5575 for this task.