CVE-2023-4863 is not detected in Sharp NPM package

[saars-orca]

Description

When creating an NPM project and installing any version of Sharp smaller than 0.32.6(I used 0.31.0), Trivy does not seem to show the CVE-2023-4863 that Sharp < 0.32.6 is vulnerable to.

Sharp does not list libwebp as a direct dependency, instead, they rely on libvips(which is an external package that is not installed by NPM).
lovell/sharp#3798
This might be why it is not detected right now.

This was their "fix" for the security vulnerability:
lovell/sharp@dbce6fa
They ask npm/yarn to verify the existing libvips version installed in the environment(sharp does not list libvips as an actual requirement). They also verify in their code during the compilation process that you have libvips version 8.14.5+ installed

Desired Behavior

Sharp should be flagged for having a security vulnerability in versions < 0.32.6 and list the CVE-2023-4863 vulnerability.

Actual Behavior

No vulnerabilities are detected.

Reproduction Steps

1. npm init
2. cd into the new project
2. npm install [email protected]
3. docker run -it -v $PWD:/path aquasec/trivy fs --scanners vuln,secret,config /path --debug

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

docker run -it -v $PWD:/path aquasec/trivy fs --scanners vuln,secret,config /path

2023-11-05T10:10:23.895Z	INFO	Need to update DB
2023-11-05T10:10:23.895Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-05T10:10:23.895Z	INFO	Downloading DB...
40.58 MiB / 40.58 MiB [---------------------------------------------------------------------------------------------------------] 100.00% 19.85 MiB p/s 2.2s
2023-11-05T10:10:27.251Z	INFO	Vulnerability scanning is enabled
2023-11-05T10:10:27.251Z	INFO	Misconfiguration scanning is enabled
2023-11-05T10:10:27.251Z	INFO	Need to update the built-in policies
2023-11-05T10:10:27.251Z	INFO	Downloading the built-in policies...
44.66 KiB / 44.66 KiB [----------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2023-11-05T10:10:28.409Z	INFO	Secret scanning is enabled
2023-11-05T10:10:28.409Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-05T10:10:28.409Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-05T10:10:28.537Z	INFO	Number of language-specific files: 1
2023-11-05T10:10:28.537Z	INFO	Detecting npm vulnerabilities...
2023-11-05T10:10:28.538Z	INFO	Detected config files: 0
[devenv3] ~/D/sharp-test ❯❯❯ docker run -it -v $PWD:/path aquasec/trivy fs --scanners vuln,secret,config /path --debug
2023-11-05T10:11:51.357Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-05T10:11:51.357Z	DEBUG	Ignore statuses	{"statuses": null}
2023-11-05T10:11:51.361Z	DEBUG	cache dir:  /root/.cache/trivy
2023-11-05T10:11:51.361Z	DEBUG	There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2023-11-05T10:11:51.361Z	INFO	Need to update DB
2023-11-05T10:11:51.361Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-05T10:11:51.361Z	INFO	Downloading DB...
2023-11-05T10:11:51.361Z	DEBUG	no metadata file
40.58 MiB / 40.58 MiB [---------------------------------------------------------------------------------------------------------] 100.00% 19.55 MiB p/s 2.3s
2023-11-05T10:11:54.709Z	DEBUG	Updating database metadata...
2023-11-05T10:11:54.709Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-11-05 06:10:27.60440566 +0000 UTC, NextUpdate: 2023-11-05 12:10:27.6044055 +0000 UTC, DownloadedAt: 2023-11-05 10:11:54.709405043 +0000 UTC
2023-11-05T10:11:54.709Z	INFO	Vulnerability scanning is enabled
2023-11-05T10:11:54.709Z	DEBUG	Vulnerability type:  [os library]
2023-11-05T10:11:54.709Z	INFO	Misconfiguration scanning is enabled
2023-11-05T10:11:54.709Z	DEBUG	Failed to open the policy metadata: open /root/.cache/trivy/policy/metadata.json: no such file or directory
2023-11-05T10:11:54.709Z	INFO	Need to update the built-in policies
2023-11-05T10:11:54.709Z	INFO	Downloading the built-in policies...
2023-11-05T10:11:54.709Z	DEBUG	Using URL: ghcr.io/aquasecurity/defsec:0 to load policy bundle
44.66 KiB / 44.66 KiB [----------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 100ms
2023-11-05T10:11:55.864Z	DEBUG	Digest of the built-in policies: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
2023-11-05T10:11:55.864Z	DEBUG	Policies successfully loaded from disk
2023-11-05T10:11:55.864Z	INFO	Secret scanning is enabled
2023-11-05T10:11:55.865Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-05T10:11:55.865Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-05T10:11:55.865Z	DEBUG	No secret config detected: trivy-secret.yaml
2023-11-05T10:11:55.879Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-11-05T10:11:55.882Z	DEBUG	Walk the file tree rooted at '/path' in parallel
2023-11-05T10:11:56.129Z	DEBUG	OS is not detected.
2023-11-05T10:11:56.129Z	DEBUG	Detected OS: unknown
2023-11-05T10:11:56.129Z	INFO	Number of language-specific files: 1
2023-11-05T10:11:56.129Z	INFO	Detecting npm vulnerabilities...
2023-11-05T10:11:56.129Z	DEBUG	Detecting library vulnerabilities, type: npm, path: package-lock.json
2023-11-05T10:11:56.129Z	INFO	Detected config files: 0

Operating System

macOS 14 Sonoma

Version

Version: 0.46.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @saars-orca
Thanks for your report!

We use Ecosystem Security Working Group and GitHub Advisory Database (npm) databases for nodejs packages - https://aquasecurity.github.io/trivy/v0.47/docs/scanner/vulnerability/#data-sources_1

There appears to be no information in these databases that the Sharp package contains CVE-2023-4863 - GHSA-j7hp-h8jx-5ppr

Please, create PR in GitHub adding Sharp to list of vulnerable packages - https://github.com/advisories/GHSA-j7hp-h8jx-5ppr/improve

Best Regards, Dmitriy