How to fix cross-spawn (package.json) vulnerability

[nikunjworld]

Question

We have travy enabled on node js project, it is reporting cross-spawn CVE-2024-21538 from version: 7.0.3. Since it is not directly used in package.json however it is indirectly reported from Jest lib which has dependency on execa, so reported vulnerability is from execa lib. So I wanted to know how can I fix it as it is an indirect dependency. Although I added overrides section in package.json as advised from online. But travy is still reporting it, please let me know how to fix it.

"overrides": { "execa":"7.0.0" },

Target

Git Repository

Scanner

Vulnerability

Output Format

None

Mode

None

Operating System

family="alpine" version="3.20.3"

Version

aquasec/trivy:latest

[DmitriyLewen]

Hello @nikunjworld
Thanks for your interest to Trivy!

Did you run npm update to update package-lock.json file?

[nikunjworld]

Hi Dmitry,

Thanks for your response, trivy reported the error after pushing my changes to the gitlab pipeline. So do you mean to add the npm update command in the gitlab deployment step?

[DmitriyLewen]

Can you send more information about using Trivy and your repository?

Trivy scans package-lock.json files in repo mode.
If you use overrides - you need to update package-lock.json file after updating package.json file.

If your package-lock.json file already contains the correct version - please send me that file (or another test file with this error) for investigation.

[nikunjworld]

Following is the screenshot of package-lock.json file with "overrides": {
"execa":"6.0.0"
}

In above screenshot you notice that cross-spawn version is 7.0.3 which is not changing even if I override execa with latest version and trivy is reporting this 7.0.3 from cross-spawn with vulnerability.

Another fact is I installed trivy extension locally on vs code, when I ran trivy scan locally it is not reporting this vulnerability.

Below is my gitlab pipeline step to execute trivy. Which might help. Also note that I am not using execa or cross-spawn directly but since I am using jest lib it is reporting from that lib, jest version : "jest": "29.7.0"

trivy_scan_qa:
  stage: trivy_scan_qa
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  # needs: 
  #   - sonar_analysis
  script:
    # - export IMAGE_TAG_QA="scan-$CI_COMMIT_SHORT_SHA" 
    - IMAGE_TAG_QA="qa-$CI_COMMIT_SHORT_SHA"
    - sudo docker build -t $IMAGE_TAG_QA -f dockerfiles/qa/Dockerfile .
    - docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:latest image --severity CRITICAL,HIGH --exit-code 1 --scanners vuln $IMAGE_TAG_QA:latest
#    - trivy image --severity CRITICAL,HIGH --exit-code 1 --scanners vuln $IMAGE_TAG_QA:latest
  only:
    - /^(qa)+-?.*$/  
  except:
    - branches
  allow_failure: true

gitlab pipeline screenshot:

[DmitriyLewen]

target is important for Trivy - https://trivy.dev/latest/docs/coverage/language/#supported-languages

for repo/fs modes Trivy checks package-lock.json files.
For image/rootfs modes Trivy checks package.json files.

---

Scan your image with -f json --list-all-pkgs flags and check FilePath field. Perhaps your image contains package.json file with [email protected] in another place.

[rajurajamohan]

Seems this is an issue from node_modules/execa package as it never updates the cross-spawn version. Always has the same version ^7.0.3 since its releases from execa:5.1.1 till latest execa:9.5.2.

It cannot be updated using it's parent package version upgrade as it is transitive dependent package to execa.
Should find a way to upgrade the execa/cross-spawn package version to 7.0.5 or above.

Tried with below: Still no luck!

"overrides": { "execa": { ".": "^7.2.0", "cross-spawn": "^7.0.5" } }

[DmitriyLewen]

"overrides": { "execa": { ".": "^7.2.0", "cross-spawn": "^7.0.5" } }

It works correctly, but perhaps you need to use npm update to update package-lock.json and package.json files from node_modules.

example:

root@723f0a7c4baf:/app# cat package.json 
{
  "name": "app",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": "",
  "dependencies": {
    "jest": "^29.7.0"
  }
}
root@723f0a7c4baf:/app# npm ls --all | grep execa -A 1
  | | +-- [email protected]
  | | | +-- [email protected]
root@723f0a7c4baf:/app# grep -Er '"name": "execa",|"name": "cross-spawn",' -A 1
node_modules/cross-spawn/package.json:  "name": "cross-spawn",
node_modules/cross-spawn/package.json-  "version": "7.0.6",
--
node_modules/execa/package.json:	"name": "execa",
node_modules/execa/package.json-	"version": "5.1.1",
root@723f0a7c4baf:/app# cat package-lock.json | grep -E 'node_modules/execa|node_modules/cross-spawn' -A 1
    "node_modules/cross-spawn": {
      "version": "7.0.6",
--
    "node_modules/execa": {
      "version": "5.1.1",

## changed package.json file

root@723f0a7c4baf:/app# cat package.json 
{
  "name": "app",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": "",
  "dependencies": {
    "jest": "^29.7.0"
  },
  "overrides": { 
    "execa": { 
      ".": "^7.2.0", 
      "cross-spawn": "^7.0.5" 
    } 
  }
}
root@723f0a7c4baf:/app# cat package-lock.json | grep -E 'node_modules/execa|node_modules/cross-spawn' -A 1
    "node_modules/cross-spawn": {
      "version": "7.0.6",
--
    "node_modules/execa": {
      "version": "5.1.1",
root@723f0a7c4baf:/app# grep -Er '"name": "execa",|"name": "cross-spawn",' -A 1
node_modules/cross-spawn/package.json:  "name": "cross-spawn",
node_modules/cross-spawn/package.json-  "version": "7.0.6",
--
node_modules/execa/package.json:	"name": "execa",
node_modules/execa/package.json-	"version": "5.1.1",

root@723f0a7c4baf:/app# npm update

added 1 package, changed 7 packages, and audited 268 packages in 1s

36 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
root@723f0a7c4baf:/app# cat package-lock.json | grep -E 'node_modules/execa|node_modules/cross-spawn' -A 1
    "node_modules/cross-spawn": {
      "version": "7.0.6",
--
    "node_modules/execa": {
      "version": "7.2.0",
root@723f0a7c4baf:/app# grep -Er '"name": "execa",|"name": "cross-spawn",' -A 1
node_modules/cross-spawn/package.json:  "name": "cross-spawn",
node_modules/cross-spawn/package.json-  "version": "7.0.6",
--
node_modules/execa/package.json:	"name": "execa",
node_modules/execa/package.json-	"version": "7.2.0",