Trivy suggest upgrading to a version that doesn't exist, but exist for a similar dependency

[AXDOOMER]

Description

Hi,

I have a vulnerability that was discovered in my package-lock.json file. A dependency includes lodash.trimend, which makes it a transitive dependency. Trivy suggests I upgrade lodash.trimend to 4.17.21 although this version doesn't exist on NPM. It only exists for lodash.

My dependency (recognizers-text-number) has a fix, but the problem here is more with Trivy suggesting to upgrade to a version of a pacakge that doesn't exist.

Is there a way Trivy could be more specific? At first glance, it looks like a bug in the scanner, but I noticed Snyk has the same issue. From my perspective, it seems to think lodash.trimend and lodash are the same packages. It would be more helpful if Trivy differentiated both packages. What would be even more helpful is if Trivy told me the latest version of recognizers-text-number fixes this vulnerability so that I know the upgrade path.

Advisory: https://avd.aquasec.com/nvd/2020/cve-2020-28500/

Desired Behavior

I should probably be made away that the version to upgrade to is from a different dependency.

Actual Behavior

It suggest a version that doesn't exist for the current dependency.

Reproduction Steps

1. Have a lock file using `recognizers-text-number` where it used `lodash.trimend` directly instead of lodash`.

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

None

Debug Output

None, let me know if needed.

Operating System

Linux

Version

Let me know if needed, will post it soon.

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @AXDOOMER
Thanks for your report.

I asked GitHub team about this advisory - github/advisory-database#2857
Let's wait their answer.

it seems to think lodash.trimend and lodash are the same packages

These are different packages. lodash includes trimend - https://github.com/lodash/lodash/blob/npm/trimend.js
Also in this case lodash has fix for CVE-2020-28500, but lodash.trimend doesn't have this fix (I described this in github/advisory-database#2857).

What would be even more helpful is if Trivy told me the latest version of recognizers-text-number fixes this vulnerability so that I know the upgrade path

Advisory databases don't include all packages that contain vulnerable package.
But Trivy has --dependency-tree flag which will help you see the underlying dependency and find an update for that dependency without the vulnerable package.

Regards, Dmitiriy

[AXDOOMER]

Thanks. --dependency-tree seems very helpful. I no longer will have to figure out the command for each package manager individually.