`cves` command detects incorrect version (`0.0.0`) of a `devDependency` for a Node-based image

[velll]

👋 Hello Docker Scout team!

We have just found interesting behaviour when using command: cves on a Node-based image. For devDependencies Scout determines the used versions of the packages as 0.0.0.

Of course this version is very low and a dependency is marked vulnerable to every vulnerability ever discovered in the package.

These dependencies are not actually present in the image.
This seems to only happen in github actions, not in CLI or docker desktop.
This seems to happen only when analyzing an image that has the sbom.

Example

We are using concurrently (npm) to run a couple of scripts in a local development environment. We are not using it in production.

package.json:

	...
	"scripts": {
		"dev": "concurrently --raw ...",
		...
	},
	"dependencies": {
	...
	},
	"devDependencies": {
		...
		"concurrently": "^8.2.2",
		...
	}

This means concurrently is showing up in our yarn.lock

concurrently@^8.2.2:
  version "8.2.2"
  resolved "https://registry.yarnpkg.com/concurrently/-/concurrently-8.2.2.tgz#353141985c198cfa5e4a3ef90082c336b5851784"
  integrity sha512-1dP4gpXFhei8IOtlXRE/T/4H88ElHgTiUzh71YUmtjTEHMSRS2Z/fgOxHSxxusGHogsRfxNq1vyAwxSC+EVyDg==
  dependencies:
    chalk "^4.1.2"
    date-fns "^2.30.0"
    lodash "^4.17.21"
    rxjs "^7.8.1"
    shell-quote "^1.8.1"
    spawn-command "0.0.2"
    supports-color "^8.1.1"
    tree-kill "^1.2.2"
    yargs "^17.7.2"

concurrently depends on shell-quote, which had two critical vulnerabilities in past

• critical 9.8: CVE-2016-10541, Affected range <1.6.1
• critical 9.8: CVE-2021-42740, Affected range <=1.7.2

In our case

• we actually don't have shell-quote in our final image, it's only a devDependency
• if we did, we specify shell-quote 1.8.1 where both vulnerabilities are fixed

SBOM?

Interestingly enough, this only happens with images that have been built with sbom: true (docker/build-push-action@v5). If the image does not have the sbom attached, these dependencies do not show up in the output (correct).

As a workaround I disabled SBOM generation in our build pipeline. This is not nice of course.
I remember reading somewhere that sbom generation differs between scout and buildkit, can this be related?

Happy to provide more info if needed. Please feel free to reach out!

[mikeparker]

Hi again Pavel! Thanks for the detailed report. Any way we could check whats in the SBOM?

[velll]

Thank you for getting back so quickly Mike! I took a quick look into SBOMs.

I extracted the SBOM from the annotations of the built image

docker buildx imagetools inspect <image>:<tag> --format '{{ json .SBOM }}' > sbom.spdx.json

Using shell-quote from the example above: the sbom includes this block:

      { 
        "SPDXID": "SPDXRef-File-...dist-compiled-shell-quote-package.json-5b0f9f3f8ad47307",
        "checksums": [
          {
            "algorithm": "SHA256",
            "checksumValue": "907fda3052f7e1ece852b1cf025642aa3d90cb96ccccf4d568017d974002e9af"
          }
        ],
        "comment": "layerID: sha256:dda6d7f8178236754f036ff46a7e21bb1267306fd2c3030b38a6bcf7279aa851",
        "copyrightText": "",
        "fileName": "/app/node_modules/next/dist/compiled/shell-quote/package.json",
        "fileTypes": [
          "APPLICATION"
        ],
        "licenseConcluded": "NOASSERTION",
        "licenseInfoInFiles": [
          "NOASSERTION"
        ]
      },

No other mentions as far as I can see.

But when I generate a new SBOM for the image using docker scout CLI, this package does not show up anywhere

docker scout sbom <image>:<tag> --platform linux/amd64 --format json -o scout-sbom.spdx.json

If I understood correctly, this could explain why docker scout cves does not show these packages for the image built without an SBOM.

I can't share the full sboms right now, anyone who could sign off on that is already on holidays 😃
But if having them would help, I can pick this up again in the new year.

🎄 Happy holidays!

[mikeparker]

I'm no JS expert but AI tells me that this filepath /app/node_modules/next/dist/compiled/shell-quote/package.json means that shell-quote/package.json is bundled as part of NextJS rather than the devDependencies concurrently package, does that sound correct?

Also in terms of the version 0.0.0 I wonder if we can peek inside the package.json file, see if theres any version information in there.