Closed
Docker base image outdated and insecure
The node:9.2-alpine tag has not been updated in several years (3), resulting in a significant amount of accumulated potential security issues in the resulting image. Anchore grype reports the following:
NAME               INSTALLED  FIXED-IN  VULNERABILITY        SEVERITY
chownr             1.0.1                CVE-2017-18869       Low
cryptiles          3.1.2      4.1.2     GHSA-rq8g-5pc5-wrhr  High
cryptiles          3.1.2                CVE-2018-1000620     Critical
debug              2.6.8      2.6.9     GHSA-gxpj-cx7g-858c  Low
debug              2.6.8                CVE-2017-16137       Medium
deep-extend        0.4.2      0.5.1     GHSA-hr2v-3952-633q  Low
dot-prop           4.1.1      4.2.1     GHSA-ff7x-qrg7-qggm  High
dot-prop           4.1.1                CVE-2020-8116        High
editor             1.0.0                CVE-2015-0903        High
extend             3.0.1      3.0.2     GHSA-qrmc-fj45-qfc2  Medium
extend             3.0.1                CVE-2018-16492       Critical
fstream            1.0.11     1.0.12    GHSA-xf7w-r453-m56c  High
fstream            1.0.11               CVE-2019-13173       High
hoek               4.2.0      4.2.1     GHSA-jp4x-w63m-7wgm  Medium
http-proxy-agent   2.0.0      2.1.0     GHSA-8w57-jfpm-945m  High
https-proxy-agent  2.1.0      2.2.3     GHSA-pc5p-h8pf-mvwp  High
https-proxy-agent  2.1.0      2.2.0     GHSA-8g7p-74h8-hg48  High
https-proxy-agent  2.1.0                CVE-2018-3739        Critical
lodash             3.10.1     4.17.19   GHSA-p6mc-m468-83gw  Low
lodash             3.10.1     4.17.11   GHSA-x5rq-j2xg-h7qm  Medium
lodash             3.10.1     4.17.11   GHSA-4xc9-xhrj-v574  High
lodash             3.10.1     4.17.12   GHSA-jf85-cpcp-j695  High
lodash             3.10.1     4.17.5    GHSA-fvqr-27wr-82fm  Low
lodash             3.10.1               CVE-2018-3721        Medium
lodash             3.10.1               CVE-2018-16487       Medium
lodash             3.10.1               CVE-2019-1010266     Medium
lodash             3.10.1               CVE-2019-10744       Critical
lodash             3.10.1               CVE-2020-8203        High
mem                1.1.0      4.0.0     GHSA-4xcv-9jjx-gfj3  Low
minimist           1.2.0      1.2.3     GHSA-vh95-rmgr-6w4m  Low
minimist           1.2.0                CVE-2020-7598        Medium
minimist           0.0.8      0.2.1     GHSA-7fhm-mqm4-2wp7  Medium
minimist           0.0.8      0.2.1     GHSA-vh95-rmgr-6w4m  Low
minimist           0.0.8                CVE-2020-7598        Medium
npm                5.5.1      6.14.6    GHSA-93f3-23rq-pjfp  Low
npm                5.5.1      6.13.3    GHSA-m6cx-g6qm-p2cx  Low
npm                5.5.1      6.13.3    GHSA-x8qc-rrcw-4r46  Low
npm                5.5.1      6.13.4    GHSA-4328-8hgf-7wjr  Low
npm-user-validate  1.0.0      1.0.1     GHSA-xgh6-85xh-479p  Low
npm-user-validate  1.0.0                CVE-2020-7754        High
rc                 1.2.1                CVE-2014-1936        High
slash              1.0.0                CVE-2002-1647        Medium
sshpk              1.13.1     1.13.2    GHSA-2m39-62fm-q8r3  High
sshpk              1.13.1               CVE-2018-3737        High
ssri               4.1.6      5.2.2     GHSA-325j-24f4-qv5x  Medium
ssri               4.1.6                CVE-2018-7651        Medium
stringstream       0.0.5      0.0.6     GHSA-mf6x-7mm4-x2g7  Medium
tar                2.2.1      2.2.2     GHSA-j44m-qm6p-hp7m  High
tar                2.2.1                CVE-2007-4476        High
tar                4.0.1      4.4.2     GHSA-j44m-qm6p-hp7m  High
tar                4.0.1                CVE-2007-4476        High
yargs-parser       7.0.0      13.1.2    GHSA-p9pc-299p-vxgp  Low
yargs-parser       7.0.0                CVE-2020-7608        Medium
yarn               1.3.2      1.17.3    GHSA-wqfc-cr59-h64p  High
yarn               1.3.2      1.22.0    GHSA-5xf4-f2fq-f69j  Medium
yarn               1.3.2                CVE-2019-10773       High
yarn               1.3.2                CVE-2019-5448        High
yarn               1.3.2                CVE-2019-15608       Medium
yarn               1.3.2                CVE-2020-8131        High
A few, notably editor and tar, are likely false positives, but the majority are actually present in the node base image and absent in more recent tags.
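Added example (editor's code, not part of the issue and not grype's or the project's own tooling): a small triage script for the kind of table grype prints above. It parses the NAME / INSTALLED / FIXED-IN / VULNERABILITY / SEVERITY columns, counts findings per severity, works out the version each installed package has to reach to clear every fixable finding, lists packages that have no fix for any finding (the ones worth a false-positive review, as the reporter suggests for editor and tar), and applies a severity gate in the spirit of grype's --fail-on flag. The SAMPLE_REPORT is a constructed excerpt of rows from the report in the issue; the version comparison is a deliberate numeric-dotted simplification, not a full semver implementation.

```python
"""Triage helper for grype's default table output (added example, not grype code)."""
import re
from collections import Counter
from dataclasses import dataclass

# grype severity names, ranked so a threshold can be compared against them.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
VULN_ID_RE = re.compile(r"^(CVE|GHSA)-")


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str  # "" when grype printed no fix for this finding
    vuln_id: str
    severity: str


def parse_grype_table(text):
    """Parse grype's table rows; FIXED-IN is optional, so locate the
    vulnerability id first and treat whatever sits between INSTALLED and it
    as the fixed version."""
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if VULN_ID_RE.match(t)), None)
        if idx is None or idx < 2 or idx + 1 >= len(tokens):
            continue  # header, blank line, or a row that does not fit the layout
        findings.append(Finding(
            name=tokens[0],
            installed=tokens[1],
            fixed_in=" ".join(tokens[2:idx]),
            vuln_id=tokens[idx],
            severity=tokens[idx + 1],
        ))
    return findings


def version_key(version):
    # Simplification (assumption): numeric dotted versions only, which is all
    # the npm packages in this report use. Not a semver implementation.
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


def upgrade_targets(findings):
    """(name, installed) -> highest FIXED-IN version, i.e. the version that
    clears every fixable finding against that installed copy."""
    targets = {}
    for f in findings:
        if not f.fixed_in:
            continue
        key = (f.name, f.installed)
        if key not in targets or version_key(f.fixed_in) > version_key(targets[key]):
            targets[key] = f.fixed_in
    return targets


def packages_without_any_fix(findings):
    """Packages where no finding carries a fix: upgrade cannot help, so these
    are the rows to check for false positives or to remove outright."""
    fixable = {f.name for f in findings if f.fixed_in}
    return sorted({f.name for f in findings} - fixable)


def fails_policy(findings, threshold="High"):
    """Same idea as `grype --fail-on <severity>`: any finding at or above the
    threshold should fail the build."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.severity, 0) >= floor for f in findings)


# Constructed sample: an excerpt of the rows from the grype report in the issue.
SAMPLE_REPORT = """\
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
cryptiles 3.1.2 4.1.2 GHSA-rq8g-5pc5-wrhr High
cryptiles 3.1.2 CVE-2018-1000620 Critical
editor 1.0.0 CVE-2015-0903 High
lodash 3.10.1 4.17.19 GHSA-p6mc-m468-83gw Low
lodash 3.10.1 4.17.11 GHSA-x5rq-j2xg-h7qm Medium
lodash 3.10.1 CVE-2019-10744 Critical
minimist 1.2.0 1.2.3 GHSA-vh95-rmgr-6w4m Low
minimist 0.0.8 0.2.1 GHSA-7fhm-mqm4-2wp7 Medium
tar 2.2.1 2.2.2 GHSA-j44m-qm6p-hp7m High
tar 4.0.1 4.4.2 GHSA-j44m-qm6p-hp7m High
yarn 1.3.2 1.17.3 GHSA-wqfc-cr59-h64p High
yarn 1.3.2 1.22.0 GHSA-5xf4-f2fq-f69j Medium
yarn 1.3.2 CVE-2020-8131 High
"""

if __name__ == "__main__":
    findings = parse_grype_table(SAMPLE_REPORT)
    print("per severity:", severity_counts(findings))
    for (name, installed), target in sorted(upgrade_targets(findings).items()):
        print(f"{name} {installed} -> {target}")
    print("no fix for any finding:", packages_without_any_fix(findings))
    print("fails High policy:", fails_policy(findings, "High"))
```

To run it against a real scan, pipe `grype node:9.2-alpine` (table output) into a file and feed that text to parse_grype_table instead of SAMPLE_REPORT; the point of the no-fix list is that a package like editor, which appears only with findings that have no FIXED-IN, cannot be cleared by bumping the base tag and needs a manual verdict instead.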