
Latest vulnerability fixes #30

Merged · 1 commit · Apr 8, 2024

Conversation

MukuFlash03
Contributor

@MukuFlash03 MukuFlash03 commented Apr 5, 2024

Summary
1 CRITICAL package - ip

  1. Upgrading node-alpine docker image to latest available version.
    This node image does not contain the ip package at all. Additionally, the latest ip version 2.0.1 might not contain the remediation as yet.

DETAILS


Packages present in:
$ cd /usr/local/lib/node_modules/npm/node_modules

Checked packages list and version number using:
$ apk info
$ apk list -i | grep ip

  1. ip
    Upgraded base node image to latest version - node:21.7.2-alpine

Findings:
Initially, a new node-alpine version was released but it had only 23 packages while originally the previous node images had 240 packages.

The official GitHub repo for the ip package shows an updated version.
However, the latest update, version 2.0.1, might not be safe, as mentioned in this Stack Overflow post.

Now, another newer version is available which has 233 packages but no ip package. 

This package has an ip-address package though which was not there in the previous node image version.

NPM ip: https://www.npmjs.com/package/ip
NPM ip-address: https://www.npmjs.com/package/ip-address

So going ahead with this as this is the latest node image version available without any vulnerabilities.

1. Package ip had vulnerabilities.
Upgrading node-alpine docker image to latest available version.

This node image does not contain the ip package at all.
Additionally, the latest ip version 2.0.1 might not contain the remediation as yet.
@MukuFlash03 MukuFlash03 marked this pull request as ready for review April 5, 2024 18:48
@MukuFlash03 MukuFlash03 changed the title Latest vulnerability fixes - ip Latest vulnerability fixes Apr 5, 2024
@shankari
Contributor

shankari commented Apr 8, 2024

@Abby-Wheelis for visibility into DevOps changes

@shankari
Contributor

shankari commented Apr 8, 2024

@MukuFlash03 I am fine with making this change, but I am a bit confused by the update.

  1. The packages present in cd /usr/local/lib/node_modules/npm/node_modules are npm packages. They are not the same as the packages displayed using apk, which are alpine (aka OS packages)
  2. The list of packages in dockerhub is also the set of alpine packages
  3. Which package has the vulnerability? I don't see the link to the CVE

apk list -i | grep ip may or may not indicate that the vuln is fixed

This node image does not contain the ip package at all. Additionally, the latest ip version 2.0.1 might not contain the remediation as yet.

Given this, is the vulnerability fixed or not?

@MukuFlash03
Contributor Author

MukuFlash03 commented Apr 8, 2024

Alright, I understand the confusion, and thank you for clarifying the difference between OS-level packages and npm packages.
Apologies, I mentioned the incorrect command for the node npm packages.

The one I mentioned was what I used for OS packages for one of the earlier vulnerabilities for openssl package.
For npm packages, npm list is the correct command that mentions the installed packages.


Coming to the actual vulnerability, it is in the ip package and this is the CVE link. AWS inspector mentions the affected version as 2.0.0 for the ip package.

Now I'm listing three node docker images related to this:

  • 21.5.0-alpine - Current docker image version in our code, which contains the ip package (2.0.0).
  • 21.7.1-alpine - This newer version has only 23 packages, while originally the previous node images had 240 packages.
  • 21.7.2-alpine - Latest image available, which has 233 packages but no ip package.


Hence, I decided to finalize the latest 21.7.2 alpine image.
Now, since the ip package itself isn't present in the latest available image, I do not think AWS inspector will flag the vulnerability.

So, the question really is whether ip package is being used by us in the code? Will its absence in the latest docker image affect us?
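The comment above turns on telling the npm packages bundled inside the node image (under /usr/local/lib/node_modules) apart from the apk packages, and on checking whether a given npm package, here ip, is present in a given image and at what version. The POSIX shell script below is an added example written for this thread; it is not code from the PR or from the e-mission project. It walks a node_modules tree for every copy of a named package (nested copies included, since ip ships as a transitive dependency of npm rather than as a top-level install) and reports path and version. The sample tree it builds is constructed to mimic the two images discussed (one with ip@2.0.0, one without ip but with ip-address); the ip-address version in it is a placeholder, and the `docker run` invocation in the comments is an assumed way to run the same functions inside the real image.

```shell
#!/bin/sh
# Added example (not from the PR): inspect the npm packages bundled in a node
# image's global node_modules, which are distinct from the apk (OS) packages
# that `apk list -i` shows.
#
# Assumed real-image usage (not verified against the project's CI):
#   docker run --rm node:21.7.2-alpine sh -c \
#     "$(cat check_npm_pkg.sh); npm_pkg_present /usr/local/lib/node_modules ip"

# Print the "version" field of a package.json (no jq needed on alpine).
pkg_json_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# List every copy of npm package NAME below ROOT, nested node_modules included,
# as one "<path> <version>" line each. Prints nothing when the package is absent.
# The trailing path component must match NAME exactly, so "ip" does not match
# "ip-address".
find_npm_pkg() {
    root=$1; name=$2
    find "$root" -type d -path "*/node_modules/$name" 2>/dev/null | sort | while read -r dir; do
        [ -f "$dir/package.json" ] || continue
        printf '%s %s\n' "$dir" "$(pkg_json_version "$dir/package.json")"
    done
}

# Return 0 and print the hits when NAME exists anywhere below ROOT, else 1.
# This is the check to run per image before concluding a flagged npm package is gone.
npm_pkg_present() {
    hits=$(find_npm_pkg "$1" "$2")
    [ -n "$hits" ] && { printf '%s\n' "$hits"; return 0; }
    return 1
}

# Constructed sample tree standing in for two images: "old" bundles ip@2.0.0
# under npm's own node_modules (as in the 21.5.0-alpine image discussed), "new"
# has no ip but does have ip-address (placeholder version, not a real one).
make_sample_tree() {
    base=$1
    mkdir -p "$base/old/node_modules/npm/node_modules/ip" \
             "$base/new/node_modules/npm/node_modules/ip-address"
    printf '{ "name": "ip", "version": "2.0.0" }\n' \
        > "$base/old/node_modules/npm/node_modules/ip/package.json"
    printf '{ "name": "ip-address", "version": "0.0.0-placeholder" }\n' \
        > "$base/new/node_modules/npm/node_modules/ip-address/package.json"
}
```

Run with a real image root instead of the sample tree to get the same answer `npm list -g` gives, but without depending on npm's own output format; because the walk covers nested node_modules directories, it also catches copies that a top-level `npm list` would only show as transitive dependencies.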

@shankari
Contributor

shankari commented Apr 8, 2024

@MukuFlash03 I still don't understand the difference in packages between images, but 21.7.2 should be fine. Please remember to move the issue back after you are done addressing comments!

So, the question really is whether ip package is being used by us in the code? Will its absence in the latest docker image affect us?

I do not believe we use any OS packages directly. So as long as the libraries that use the OS packages have been fixed, we are fine. And if not, that is what staging is for. Ideally, we would have some basic automated testing in place to help test before staging as well, but that is a separate task

@MukuFlash03
Contributor Author

MukuFlash03 commented Apr 8, 2024

So, as I mentioned here, the command I initially mentioned (apk list...) was incorrect and is for OS packages, as you pointed out. The vulnerable package (ip v. 2.0.0), however, is in fact an npm package and not an OS package.
So there were no OS packages with vulnerabilities.

Now, as I mentioned, 21.7.2 node alpine image doesn't contain the ip package at all.
There is however a new ip-address package in this latest image which wasn't present in the earlier 21.5.0 alpine image.
As proposed, we can move ahead with this image, if we don't use ip package directly or internally it might be handled by this new ip-address package.

@shankari shankari merged commit c99360f into e-mission:main Apr 8, 2024