False alibaba-access-key-id detection in pnpm cache for @types/react.json #5617

Closed
2 tasks done
DmitriyLewen opened this issue Nov 21, 2023 Discussed in #5613 · 0 comments · Fixed by #5618
kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning

Comments

@DmitriyLewen (Contributor)

Discussed in #5613

Originally posted by vonazt November 20, 2023

IDs

alibaba-access-key-id

Description

Running Trivy v0.47.0 against a built Docker image that includes @types/react v18.2.37 and uses pnpm as a package manager returns HIGH: Alibaba (alibaba-access-key-id) in /root/.cache/pnpm/metadata/registry.npmjs.org/@types/react.json. The .json file appears to include the ltai string in two hashes, which appears to have been a previous bug that was fixed: #3065

Reproduction Steps

1. Build a Docker image of an app that includes @types/react v18.2.37 as a dependency
2. Run pnpm install as a stage
3. Run trivy scan on the image
...

Target

Container Image

Scanner

Secret

Target OS

No response

Debug Output

2023-11-20T11:08:56.130Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-20T11:08:56.130Z        DEBUG   Ignore statuses {"statuses": null}
2023-11-20T11:08:56.143Z        DEBUG   cache dir:  /Users/richardtzanov/Library/Caches/trivy
2023-11-20T11:08:56.143Z        DEBUG   DB update was skipped because the local DB is the latest
2023-11-20T11:08:56.143Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-11-20 06:11:57.846216384 +0000 UTC, NextUpdate: 2023-11-20 12:11:57.846216104 +0000 UTC, DownloadedAt: 2023-11-20 09:54:15.155205 +0000 UTC
2023-11-20T11:08:56.143Z        INFO    Vulnerability scanning is enabled
2023-11-20T11:08:56.143Z        DEBUG   Vulnerability type:  [os library]
2023-11-20T11:08:56.143Z        INFO    Secret scanning is enabled
2023-11-20T11:08:56.143Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-20T11:08:56.143Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-11-20T11:08:56.163Z        DEBUG   No secret config detected: trivy-secret.yaml
2023-11-20T11:08:56.163Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-20T11:08:56.163Z        DEBUG   No secret config detected: trivy-secret.yaml
2023-11-20T11:08:56.163Z        DEBUG   Image ID: sha256:297fbbb879eb07804afe084a74ed7bb4c9ac32d16da28f617955ee48b625a3b8
2023-11-20T11:08:56.163Z        DEBUG   Diff IDs: [sha256:d2d9d24a8c2a7ad73a7247738096e24c1ef2c2b02a3690dbf7d63641d26e26cb sha256:3f1c7c41b39a30677d21458683cbe2253278a2aa31ee84c62af19c8cf8129861 sha256:86bea3649136b05cb747e31f5ea1c6609af592f07c3893b748ddd035bfec963a sha256:6df8359c93c75909580030070a4834bc8e72579af9887fafc43c09728b0191be sha256:9004d00826d885ae6ce041f65458a3e39e6652e7f1ca75f4fe7e951601c86c25 sha256:8f5d6bb6025160bebe49b41995ac4c59b7ca8ca299ba50618ea3d13f4b37a270 sha256:d2eae81c3e37e9683982ff9454d78394f3b3256c75e326d61aa1de296d8564f3 sha256:041c7f3ee539e35deae98e8258eb9a765a69355b88fcbf49ee85904e0e4637f2 sha256:3be05c030cae7bd1065ed496d495618df012541879adbeb72a3e546e23b17e66 sha256:bcdf69e24c06f80f06758142f6b4bf8ba56eb6cf59b101c278e392eb834572e0 sha256:7c2c62892594b99678d55ac90e09980299ee491699d95fec6523bcb9de3caa7d sha256:17897498a6cc1dfa9a711188b5bb4b698654eeabd3372bde114c35d1e068de5a sha256:b62384e14ae6eeca65a1f4c5615b9dc2f8f214946d3152a0dc13ba7b2e7fb681 sha256:46d988232b0ae8f2ede3fc8c91e0ece31e0feb80ea6be61b6c8bce9b5aba8d19 sha256:12b13b91592a4472a803c7742a14f597f1c097cdabc709803f39d9da01b2eb19 sha256:4eb99edda7aa7031ba517a70ff6f148d361b78b24e8831834667dd08efaeb2c7 sha256:bcffa07f1b26ae9be2855a83875a1bd5667ad1a6e142511c425c85e19101480f sha256:54c3ef427a6b86d4bee2285de833c2dc4c3874a503e71f4703b366777f05ac28 sha256:16fd0dc6f5e5f3621ee7b0f1d610793ee7c47363cce9faaded8cd687d75447c2 sha256:7d5e9448e15d17030ea79515ff8caaa25cf81fa410e1301beda2655c4eec43d3 sha256:1fc8f4865d050ee08658fd6947e3fd2bfe4c9dea9686c0b9ba5b906efd9802b5 sha256:385764bf6ebda8b80c1fe7f4772586909aaf1047cbaf3c57a49242ba06199085 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2023-11-20T11:08:56.163Z        DEBUG   Base Layers: [sha256:d2d9d24a8c2a7ad73a7247738096e24c1ef2c2b02a3690dbf7d63641d26e26cb sha256:3f1c7c41b39a30677d21458683cbe2253278a2aa31ee84c62af19c8cf8129861 sha256:86bea3649136b05cb747e31f5ea1c6609af592f07c3893b748ddd035bfec963a sha256:6df8359c93c75909580030070a4834bc8e72579af9887fafc43c09728b0191be]
2023-11-20T11:08:56.193Z        INFO    Detected OS: alpine
2023-11-20T11:08:56.193Z        INFO    Detecting Alpine vulnerabilities...
2023-11-20T11:08:56.193Z        DEBUG   alpine: os version: 3.17
2023-11-20T11:08:56.193Z        DEBUG   alpine: package repository: 3.17
2023-11-20T11:08:56.193Z        DEBUG   alpine: the number of packages: 17
2023-11-20T11:08:56.193Z        INFO    Number of language-specific files: 1
2023-11-20T11:08:56.194Z        INFO    Detecting node-pkg vulnerabilities...
2023-11-20T11:08:56.194Z        DEBUG   Detecting library vulnerabilities, type: node-pkg, path: 
2023-11-20T11:08:56.205Z        DEBUG   Secret file: /root/.cache/pnpm/metadata/registry.npmjs.org/@types/react.json

Version

Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-20 06:11:57.846216384 +0000 UTC
  NextUpdate: 2023-11-20 12:11:57.846216104 +0000 UTC
  DownloadedAt: 2023-11-20 09:54:15.155205 +0000 UTC

Checklist

@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. scan/secret Issues relating to secret scanning labels Nov 21, 2023
@DmitriyLewen DmitriyLewen self-assigned this Nov 21, 2023
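To make the false positive concrete, below is an added Python illustration written for this page. It is not Trivy's source: the two patterns are my approximation of an Alibaba AccessKey ID rule ("LTAI" followed by 20 alphanumerics), the file contents and the key-shaped value are constructed, and the allow rule only borrows the id/description/path shape of trivy-secret.yaml's allow-rules with a path regex I chose. It shows why a base64 integrity hash can satisfy even a boundary-checked pattern when a "/" happens to precede LTAI and the "==" padding follows the 24th character, and how a path-based allow rule for the pnpm metadata cache suppresses that hit while a key-shaped value in an env file is still reported.

```python
"""Why a secret regex can fire on a pnpm metadata cache, and how a path allow
rule tames it. Added illustration for this issue page; not Trivy's code."""
import re

# Naive form: "LTAI" followed by 20 alphanumerics, anywhere in the text.
NAIVE = re.compile(r"LTAI[A-Za-z0-9]{20}")

# Boundary-checked form (my approximation, not Trivy's exact regex): the 24
# characters must not sit inside a longer alphanumeric run.
BOUNDED = re.compile(
    r"(?:[^0-9A-Za-z]|^)(LTAI[A-Za-z0-9]{20})(?=[^0-9A-Za-z]|$)", re.MULTILINE
)

# Constructed inputs: not real files and not a real credential.
B64_BODY = "Kx9+/Zq2" * 7  # 56 base64-looking characters
FILES = {
    # True positive: an env file holding a key-shaped value.
    "/app/.env": "ALIBABA_CLOUD_ACCESS_KEY_ID=LTAI5tQm7zK2pRwX9bNc4dFe\n",
    # False positive that survives the boundary check: "/" precedes LTAI and
    # the base64 padding "==" follows the 24th character of the hash.
    "/root/.cache/pnpm/metadata/registry.npmjs.org/@types/example.json":
        '{"dist":{"integrity":"sha512-' + B64_BODY + "cDpLw/"
        + 'LTAI7f3hQmT2bVx0NcR8pLsW=="}}',
    # Embedded mid-run: "r" precedes LTAI, so the bounded pattern rejects it.
    "/root/.cache/pnpm/metadata/registry.npmjs.org/@types/other.json":
        '{"dist":{"integrity":"sha512-' + B64_BODY + "cDpLwr"
        + 'LTAI7f3hQmT2bVx0NcR8pLsW=="}}',
}

# Allow rule in the shape of trivy-secret.yaml's allow-rules (id/description/
# path). The path regex is an assumption chosen for this example.
ALLOW_RULES = [
    {
        "id": "pnpm-metadata-cache",
        "description": "registry metadata cached by pnpm holds integrity "
                       "hashes, not credentials",
        "path": re.compile(r"^/root/\.cache/pnpm/metadata/"),
    }
]


def scan(files, pattern, allow_rules=()):
    """Return (path, matched_value) pairs; files hit by an allow rule are skipped."""
    findings = []
    for path, content in files.items():
        if any(rule["path"].search(path) for rule in allow_rules):
            continue
        if "LTAI" not in content:  # cheap keyword prefilter before the regex
            continue
        for m in pattern.finditer(content):
            # NAIVE has no capture group (use whole match); BOUNDED captures the key.
            findings.append((path, m.group(m.lastindex or 0)))
    return findings


if __name__ == "__main__":
    for label, pattern in (("naive", NAIVE), ("bounded", BOUNDED)):
        print(label, scan(FILES, pattern))
    print("bounded+allow", scan(FILES, BOUNDED, ALLOW_RULES))
```

Run as a script, the naive pattern flags all three files, the boundary-checked pattern still flags the env file and the first cache entry, and only the path allow rule leaves the env-file hit alone. The takeaway for triage is that boundary checks reduce but do not eliminate hits inside base64 data, so an allowlist scoped to a known-benign directory (or a project-side rule tightening, as the linked fix PR pursues) is the practical complement.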