Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

code version instead of code-server version stored in package.json file causing false positive Critical CVE detection #7071

Open
2 tasks done
mirekphd opened this issue Nov 8, 2024 · 3 comments
Labels
bug Something isn't working triage This issue needs to be triaged by a maintainer

Comments

@mirekphd
Copy link

mirekphd commented Nov 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

Local, remote OS: Ubuntu 22.04
Remote Architecture: amd64

$ code-server --version
4.95.1 344df3875fee5979b5fda0c6bf00778d0ef1be48 with Code 1.95.1

Steps to Reproduce

  1. Having installed latest code-server check its version using two methods:

a) the --version switch:

$ code-server --version
4.95.1 344df3875fee5979b5fda0c6bf00778d0ef1be48 with Code 1.95.1

versus:

b) the version stored in package.json:

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "1.95.1",
  "private": true,
  "dependencies": {
    "@microsoft/1ds-core-js": "^3.2.13",
    "@microsoft/1ds-post-js": "^3.2.13",
    "@parcel/watcher": "2.1.0",
    "@vscode/deviceid": "^0.1.1",
    "@vscode/iconv-lite-umd": "0.7.0",
    "@vscode/proxy-agent": "^0.22.0",
    "@vscode/ripgrep": "^1.15.9",
    "@vscode/spdlog": "^0.15.0",
    "@vscode/tree-sitter-wasm": "^0.0.4",
    "@vscode/vscode-languagedetection": "1.0.21",
    "@vscode/windows-process-tree": "^0.6.0",
    "@vscode/windows-registry": "^1.1.0",
    "@xterm/addon-clipboard": "^0.2.0-beta.48",
    "@xterm/addon-image": "^0.9.0-beta.65",
    "@xterm/addon-search": "^0.16.0-beta.65",
    "@xterm/addon-serialize": "^0.14.0-beta.65",
    "@xterm/addon-unicode11": "^0.9.0-beta.65",
    "@xterm/addon-webgl": "^0.19.0-beta.65",
    "@xterm/headless": "^5.6.0-beta.65",
    "@xterm/xterm": "^5.6.0-beta.65",
    "cookie": "^0.7.0",
    "http-proxy-agent": "^7.0.0",
    "https-proxy-agent": "^7.0.2",
    "jschardet": "3.1.4",
    "kerberos": "2.1.1",
    "minimist": "^1.2.6",
    "native-watchdog": "^1.4.1",
    "node-pty": "^1.1.0-beta22",
    "tas-client-umd": "0.2.0",
    "vscode-oniguruma": "1.7.0",
    "vscode-regexpp": "^3.1.0",
    "vscode-textmate": "9.1.0",
    "yauzl": "^3.0.0",
    "yazl": "^2.4.3"
  },
  "overrides": {
    "node-gyp-build": "4.8.1",
    "kerberos@2.1.1": {
      "node-addon-api": "7.1.0"
    },
    "@parcel/watcher@2.1.0": {
      "node-addon-api": "7.1.0"
    }
  },
  "type": "module"
}
  1. Run a vulnerability scanner such as Anchore Grype and see this false positive:
Package                              Version_Installed         Vulnerability_ID     .Severity  Locations_RealPath
 code-server                          1.95.1                    GHSA-frjg-g767-7363  Critical   /usr/lib/code-server/lib/vscode/package.json

Expected

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "4.95.1",
[..]

Actual

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "1.95.1",
[..]

Logs

No response

Screenshot/Video

No response

Does this bug reproduce in native VS Code?

This cannot be tested in native VS Code

Does this bug reproduce in GitHub Codespaces?

Yes, this is also broken in GitHub Codespaces

Are you accessing code-server over a secure context?

  • I am using a secure context.

Notes

No response

@mirekphd mirekphd added bug Something isn't working triage This issue needs to be triaged by a maintainer labels Nov 8, 2024
@code-asher
Copy link
Member

Hmm this is maybe tricky. The version number is accurate because it is meant to be the version of VS Code, which is 1.95.1.

But maybe we should change the name to code-oss or something like that.

@mirekphd
Copy link
Author

mirekphd commented Nov 9, 2024

But maybe we should change the name to code-oss or something like that.

There are two app names and two versions here, so the full info would be two key:value pairs... or at least a matching pair :) Now we have a key from one pair and a value from another...

@code-asher
Copy link
Member

code-asher commented Nov 12, 2024

We have two package.json files, one in the root and one in lib/vscode, the root one is code-server and the lib/vscode one is code-oss, which I think makes sense because architecturally they are implemented as separate applications and are separate codebases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working triage This issue needs to be triaged by a maintainer
Projects
None yet
Development

No branches or pull requests

2 participants