CVE scan job does not scan source files #14

@marriva

Description

For example, the frontend image scan report does not show any vulnerabilities, but there are high and medium vulnerabilities in package dependencies.

trivy image scan:

----------------------------------------------
👾 Image: frontend
    Scanning commander::frontend
    Done
 Uploading trivy CVE report for image frontend of commander module

trivy filesystem scan:

images/frontend/package-lock.json (npm)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │            Fixed Version             │                            Title                             │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vite     │ CVE-2025-30208 │ MEDIUM   │ fixed  │ 6.2.0             │ 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10 │ vite: Vite bypasses server.fs.deny when using `?raw??`       │
│          │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2025-30208                   │
│          ├────────────────┤          │        │                   ├──────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-31125 │          │        │                   │ 6.2.4, 6.1.3, 6.0.13, 5.4.16, 4.5.11 │ vite: Vite has a `server.fs.deny` bypassed for `inline` and  │
│          │                │          │        │                   │                                      │ `raw` with `?import`...                                      │
│          │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2025-31125                   │
│          ├────────────────┤          │        │                   ├──────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-31486 │          │        │                   │ 6.2.5, 6.1.4, 6.0.14, 5.4.17, 4.5.12 │ vite: Vite allows server.fs.deny to be bypassed with .svg or │
│          │                │          │        │                   │                                      │ relative paths...                                            │
│          │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2025-31486                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vue-i18n │ CVE-2025-27597 │ HIGH     │        │ 9.14.2            │ 9.14.3, 10.0.6, 11.1.2               │ Vue I18n Allows Prototype Pollution in `handleFlatJson`      │
│          │                │          │        │                   │                                      │ https://avd.aquasec.com/nvd/cve-2025-27597                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
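As an added example, not code from the issue or the project it is filed against: a CI gate that merges a `trivy image` and a `trivy fs` JSON report (`--format json`), lists what the image scan alone would miss, and fails the job on HIGH findings. The sample reports are constructed from the four findings above; the artifact names and the alpine base image are assumed.

```python
import json

# Constructed sample reports in the layout of trivy's `--format json` output (the
# SchemaVersion/Results/Target/Vulnerabilities keys are trivy's). The four findings
# are the ones from the issue above; the artifact names are assumed.
IMAGE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "commander/frontend",
    "Results": [{"Target": "commander/frontend (alpine)", "Class": "os-pkgs", "Type": "alpine"}],
})
FS_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "images/frontend",
    "Results": [{"Target": "images/frontend/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
                 "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-30208", "PkgName": "vite", "InstalledVersion": "6.2.0",
         "FixedVersion": "6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2025-31125", "PkgName": "vite", "InstalledVersion": "6.2.0",
         "FixedVersion": "6.2.4, 6.1.3, 6.0.13, 5.4.16, 4.5.11", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2025-31486", "PkgName": "vite", "InstalledVersion": "6.2.0",
         "FixedVersion": "6.2.5, 6.1.4, 6.0.14, 5.4.17, 4.5.12", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2025-27597", "PkgName": "vue-i18n", "InstalledVersion": "9.14.2",
         "FixedVersion": "9.14.3, 10.0.6, 11.1.2", "Severity": "HIGH"},
    ]}],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json):
    """Map (package, CVE id) -> severity for every vulnerability in a trivy JSON report.
    Target is dropped on purpose: the same npm package appears under different paths
    in an image scan and a filesystem scan, so keeping it would defeat the comparison."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent for a clean target
            out[(vuln["PkgName"], vuln["VulnerabilityID"])] = vuln["Severity"]
    return out


def missed_by_image_scan(image_json, fs_json):
    """Findings the filesystem scan reports that the image scan did not (the gap in the issue)."""
    seen = findings(image_json)
    return {key: sev for key, sev in findings(fs_json).items() if key not in seen}


def gate(image_json, fs_json, fail_on="HIGH"):
    """Merge both reports; return (passed, blocking CVE ids) for the CI step to act on."""
    merged = {**findings(image_json), **findings(fs_json)}
    blocking = sorted(cve for (_, cve), sev in merged.items()
                      if SEVERITY_RANK[sev] >= SEVERITY_RANK[fail_on])
    return not blocking, blocking
```

Running both scans and gating on the merged set is what closes the gap in the report above: the image scan alone returns an empty finding set here, while the filesystem scan of `package-lock.json` contributes all four.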
