
evan361425/flutter-pos-system 6

An open-source Flutter application; the goal is to build a usable POS (ordering) system together with its users.

104corp/xray-laravel 1

AWS X-Ray tracing for Laravel apps

evan361425/ts-jose 1

Wrap the functions of JOSE in a steady interface

evan361425/consul-template 0

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.

evan361425/ddia-references 0

Literature references for “Designing Data-Intensive Applications”

evan361425/distributed-node 0

Exercises on distributed systems, with some Node.js implementations.

evan361425/evan361425.github.io 0

Where I organize my notes

evan361425/flutter 0

Flutter makes it easy and fast to build beautiful apps for mobile and beyond

evan361425/flutter-simple-tip 0

A widget for showing tips on its child that automatically sets up the position

evan361425/flutter_image_cropper 0

A Flutter plugin for Android and iOS that supports cropping images

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha b869dbc94c23576fc1ff5d383e3b9ecf6356fc98

Add consistency level


push time in 11 hours

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha dc3f48d1298f02f46feb4bd0b7e4b67d9315ceef

Add consistency linear image


push time in a day

started KurtBestor/Hitomi-Downloader

started time in 2 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 704b5e621c6e5b409b668479a322143a3a3363d5

Fix typo


push time in 2 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 8d2adc190372d3326268c657a35d727d10097b56

Part 1 resolve-race-condition


push time in 2 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 4cd5cd9fa78ebe82ca0a9338e681ac6f4fe80f43

Use ddia image


push time in 4 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 5940b2c4e1818e4ede7a3bf9f2a627b6f66b87c1

Update encoding-evolution.md


push time in 5 days

issue closed aquasecurity/trivy

Shows vulnerable package path in debug mode

In issue #1572 it is hard to tell which package is vulnerable. Maybe we can tell it in -debug mode?

closed time in 6 days

evan361425

issue comment aquasecurity/trivy

Shows vulnerable package path in debug mode

@knqyf263 OK!

evan361425

comment created time in 6 days

issue closed aquasecurity/trivy

False positive detection on Node.js project

Description

I scanned my application and got vulnerabilities for Node.js packages, CVE-2021-3807 and CVE-2021-3918.

command:

$ trivy image -severity CRITICAL,HIGH --ignore-unfixed my-app:latest

However, I did check my package-lock.json, and it uses the correct versions.

{
  "...": "...",
  "node_modules/ansi-regex": {
      "version": "5.0.1",
      "...": "..."
  },
  "node_modules/json-schema-traverse": {
      "version": "0.4.1",
      "...": "..."
  },
  "...": "..."
}

Also, after going inside the sources in the image, there is no package.json nor package-lock.json. I did check the packages inside my node_modules; the vulnerable packages do not even exist there (we use them as dev dependencies). I'm wondering how Trivy works for checking vulnerabilities?

$ ls -R node_modules | grep json-
json-buffer
./json-buffer:
$ ls -R node_modules | grep ansi-
ansi-styles
./ansi-styles:

What did you expect to happen?

Pass the scan.

What happened instead?

Showing

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

Output of run with -debug:

2022-01-12T13:24:06.040+0800    DEBUG   Severities: CRITICAL,HIGH
2022-01-12T13:24:06.067+0800    DEBUG   cache dir:  /Users/evan.lu/Library/Caches/trivy
2022-01-12T13:24:06.069+0800    DEBUG   DB update was skipped because DB is the latest
2022-01-12T13:24:06.070+0800    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2022-01-12 00:50:18.642889788 +0000 UTC, NextUpdate: 2022-01-12 06:50:18.642889288 +0000 UTC, DownloadedAt: 2022-01-12 03:24:21.17329 +0000 UTC
2022-01-12T13:24:06.072+0800    DEBUG   Vulnerability type:  [os library]
2022-01-12T13:24:06.112+0800    DEBUG   Image ID: sha256:cc0e3039158afa0c18b002b532054065eb9b23e12b9d761d99176b94c5575783
2022-01-12T13:24:06.112+0800    DEBUG   Diff IDs: [sha256:2b83e5699838047f936a3875bcce7fe1b169983bf86785ae7519c5bc488558ae sha256:734cade2a921533ee479614bcccb96425843a63b9ff38394d12310fde3434d32 sha256:e30c49abb9a39e2c61229e9deab8397a7bc66e448bf91969a6710521f83cae1f sha256:e698d99284a561fb8803002e90450c15a2929c11661376ce3d4f10fb0c6547e3 sha256:ddafe2de6d5d534e5d667ed89e8e5462644ea5e3773e047a589aa971f7c34f7a sha256:63df2e85c02be40866070c3b325c61e4a21b35fc27e6a6c2630a4cde334c660c sha256:316aa663318c1f8fb1d887a2911b8d492a86dfa2fcf3702a08130a33a735b92a sha256:e9c9d92f354a4b90aad5d8110d8644e675c1579ebfa80a4418360ea2703838c2 sha256:9f666e07363496ee7fc063b4fbb1f422ae1ee89306e85842fbabdadc459c8582 sha256:f411cebd5e817df8ed2680b36c704dd468bc022ac521fb1bfce3cc3b2c412ae0 sha256:f7b8a5e6e194da1bf6b4d61fcdd6fc3de23fc5a78b28bd41bd14b46119771b71]
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:f7b8a5e6e194da1bf6b4d61fcdd6fc3de23fc5a78b28bd41bd14b46119771b71
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:734cade2a921533ee479614bcccb96425843a63b9ff38394d12310fde3434d32
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:ddafe2de6d5d534e5d667ed89e8e5462644ea5e3773e047a589aa971f7c34f7a
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:2b83e5699838047f936a3875bcce7fe1b169983bf86785ae7519c5bc488558ae
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:e30c49abb9a39e2c61229e9deab8397a7bc66e448bf91969a6710521f83cae1f
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:e9c9d92f354a4b90aad5d8110d8644e675c1579ebfa80a4418360ea2703838c2
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:e698d99284a561fb8803002e90450c15a2929c11661376ce3d4f10fb0c6547e3
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:63df2e85c02be40866070c3b325c61e4a21b35fc27e6a6c2630a4cde334c660c
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:316aa663318c1f8fb1d887a2911b8d492a86dfa2fcf3702a08130a33a735b92a
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:f411cebd5e817df8ed2680b36c704dd468bc022ac521fb1bfce3cc3b2c412ae0
2022-01-12T13:24:06.117+0800    DEBUG   Missing diff ID: sha256:9f666e07363496ee7fc063b4fbb1f422ae1ee89306e85842fbabdadc459c8582
2022-01-12T13:24:11.428+0800    DEBUG   Analysis error: go binary parse error: read full: EOF
2022-01-12T13:24:11.431+0800    DEBUG   Analysis error: unable to parse usr/src/app/node_modules/my-private-package/node_modules/jose/dist/browser/package.json: unable to parse package.json
2022-01-12T13:24:11.437+0800    DEBUG   Analysis error: unable to parse usr/src/app/node_modules/my-private-package/node_modules/jose/dist/node/esm/package.json: unable to parse package.json
2022-01-12T13:24:11.596+0800    DEBUG   Analysis error: go binary parse error: read full: EOF
2022-01-12T13:24:11.631+0800    DEBUG   Analysis error: unable to parse usr/src/app/node_modules/jose/dist/browser/package.json: unable to parse package.json
2022-01-12T13:24:11.633+0800    DEBUG   Analysis error: unable to parse usr/src/app/node_modules/jose/dist/node/esm/package.json: unable to parse package.json
2022-01-12T13:24:11.930+0800    INFO    Detected OS: debian
2022-01-12T13:24:11.930+0800    INFO    Detecting Debian vulnerabilities...
2022-01-12T13:24:11.930+0800    DEBUG   debian: os version: 9
2022-01-12T13:24:11.930+0800    DEBUG   debian: the number of packages: 77
2022-01-12T13:24:11.956+0800    INFO    Number of language-specific files: 1
2022-01-12T13:24:11.956+0800    INFO    Detecting node-pkg vulnerabilities...
2022-01-12T13:24:11.956+0800    DEBUG   Detecting library vulnerabilities, type: node-pkg, path: 

my-app:latest (debian 9.13)
===============================
Total: 0 (HIGH: 0, CRITICAL: 0)


Node.js (node-pkg)
==================
Total: 3 (HIGH: 2, CRITICAL: 1)

--- table of vulnerabilities shown above ---

Output of trivy -v:

Version: 0.22.0
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2022-01-12 00:50:18.642889788 +0000 UTC
  NextUpdate: 2022-01-12 06:50:18.642889288 +0000 UTC
  DownloadedAt: 2022-01-12 03:24:21.17329 +0000 UTC

Additional details (base image name, container registry info...):

# Build stage: install everything, build, then reinstall production deps only and prune them
FROM node:14.18.3 as builder

WORKDIR /server
COPY . .
RUN npm install --ignore-scripts && \
    npm run build && \
    rm -rf ./node_modules && \
    npm install --only=production && \
    curl -s https://gobinaries.com/tj/node-prune | sh && \
    node-prune

# Runtime stage: only the build output and the pruned node_modules are copied in
FROM node:14.18.3-slim

WORKDIR /usr/src/app
COPY --from=builder /server/dist ./dist
COPY --from=builder /server/node_modules ./node_modules

CMD [ "node", "-r", "dotenv/config", "./dist/index.js" ]

closed time in 6 days

evan361425

issue comment aquasecurity/trivy

False positive detection on Node.js project

Thanks @afdesk

evan361425

comment created time in 6 days

issue comment aquasecurity/trivy

False positive detection on Node.js project

Yes! I can find the vulnerable packages! They are npm's dependencies.

Thank you very much!

evan361425

comment created time in 6 days

issue opened aquasecurity/trivy

Shows vulnerable package path in debug mode

In issue #1572 it is hard to tell which package is vulnerable. Maybe we can tell it in -debug mode?

created time in 6 days

issue comment aquasecurity/trivy

False positive detection on Node.js project

Maybe we can add a feature that shows the vulnerable package paths in -debug mode for more details.

evan361425

comment created time in 6 days

issue opened aquasecurity/trivy

False positive detection on Node.js project

Description

I scanned my application and got vulnerabilities for Node.js packages, CVE-2021-3807 and CVE-2021-3918.

command:

$ trivy image -severity CRITICAL,HIGH --ignore-unfixed my-app:latest

However, I did check my package-lock.json, and it uses the correct versions.

{
  "...": "...",
  "node_modules/ansi-regex": {
      "version": "5.0.1",
      "...": "..."
  },
  "node_modules/json-schema-traverse": {
      "version": "0.4.1",
      "...": "..."
  },
  "...": "..."
}

Also, after going inside the image, there is no package.json nor package-lock.json inside my sources. I wonder how Trivy works for checking vulnerabilities?

I did check the packages inside my node_modules; the vulnerable packages do not even exist there (we use them as dev dependencies).

What did you expect to happen?

Pass the scan.

What happened instead?

Showing

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

Output of run with -debug:

2022-01-12T12:09:53.846+0800    DEBUG   Severities: CRITICAL,HIGH
2022-01-12T12:09:53.887+0800    DEBUG   cache dir:  /Users/user/Library/Caches/trivy
2022-01-12T12:09:53.887+0800    DEBUG   DB update was skipped because DB is the latest
2022-01-12T12:09:53.888+0800    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2022-01-12 00:50:18.642889788 +0000 UTC, NextUpdate: 2022-01-12 06:50:18.642889288 +0000 UTC, DownloadedAt: 2022-01-12 03:24:21.17329 +0000 UTC
2022-01-12T12:09:53.890+0800    DEBUG   Vulnerability type:  [os library]
2022-01-12T12:09:53.909+0800    DEBUG   Image ID: sha256:cc0e3039158afa0c18b002b532054065eb9b23e12b9d761d99176b94c5575783
2022-01-12T12:09:53.909+0800    DEBUG   Diff IDs: [sha256:2b83e5699838047f936a3875bcce7fe1b169983bf86785ae7519c5bc488558ae sha256:734cade2a921533ee479614bcccb96425843a63b9ff38394d12310fde3434d32 sha256:e30c49abb9a39e2c61229e9deab8397a7bc66e448bf91969a6710521f83cae1f sha256:e698d99284a561fb8803002e90450c15a2929c11661376ce3d4f10fb0c6547e3 sha256:ddafe2de6d5d534e5d667ed89e8e5462644ea5e3773e047a589aa971f7c34f7a sha256:63df2e85c02be40866070c3b325c61e4a21b35fc27e6a6c2630a4cde334c660c sha256:316aa663318c1f8fb1d887a2911b8d492a86dfa2fcf3702a08130a33a735b92a sha256:e9c9d92f354a4b90aad5d8110d8644e675c1579ebfa80a4418360ea2703838c2 sha256:9f666e07363496ee7fc063b4fbb1f422ae1ee89306e85842fbabdadc459c8582 sha256:f411cebd5e817df8ed2680b36c704dd468bc022ac521fb1bfce3cc3b2c412ae0 sha256:f7b8a5e6e194da1bf6b4d61fcdd6fc3de23fc5a78b28bd41bd14b46119771b71]
2022-01-12T12:09:53.921+0800    INFO    Detected OS: debian
2022-01-12T12:09:53.921+0800    INFO    Detecting Debian vulnerabilities...
2022-01-12T12:09:53.921+0800    DEBUG   debian: os version: 9
2022-01-12T12:09:53.921+0800    DEBUG   debian: the number of packages: 77
2022-01-12T12:09:53.939+0800    INFO    Number of language-specific files: 1
2022-01-12T12:09:53.939+0800    INFO    Detecting node-pkg vulnerabilities...
2022-01-12T12:09:53.939+0800    DEBUG   Detecting library vulnerabilities, type: node-pkg, path: 

my-app:latest (debian 9.13)
===============================
Total: 0 (HIGH: 0, CRITICAL: 0)


Node.js (node-pkg)
==================
Total: 3 (HIGH: 2, CRITICAL: 1)

--- table of vulnerabilities ---

Output of trivy -v:

Version: 0.21.3
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2022-01-12 00:50:18.642889788 +0000 UTC
  NextUpdate: 2022-01-12 06:50:18.642889288 +0000 UTC
  DownloadedAt: 2022-01-12 03:24:21.17329 +0000 UTC

Additional details (base image name, container registry info...):

FROM node:14.18.3 as builder

# ...

FROM node:14.18.3-slim

COPY --from=builder /server/dist ./dist
COPY --from=builder /server/node_modules ./node_modules

CMD [ "node", "-r", "dotenv/config", "./dist/index.js" ]

created time in 6 days

issue opened evan361425/evan361425.github.io

The Dataflow Model

The Dataflow Model: A Practical Approach to Balancing Correctness, Latency, and Cost in Massive-Scale, Unbounded, Out-of-Order Data Processing

created time in 7 days

issue opened evan361425/flutter-pos-system

When popping the ordering page, close the order details first

Which feature is hard to use?

While ordering, if you are setting the order details (quantity, ingredients, etc.) and press Back, the ordering page is popped; it should simply close the details instead.

Use WillPopScope

What do you expect this feature to look like?

Close the details first when popping.

Anything else to add.

No response

Before opening a new issue

  • [X] I have checked the other issues

created time in 11 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 78b9acf7dfc5d1d3e51fef6f19002afb2626d207

Fix encoding-evolution application


push time in 12 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 8979e9bb3651d4f9d4ad308446e3c3ce74825a7d

Fix encoding-evolution


push time in 13 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 3a1a278807582eb5d09b4588ba9a140b3cedef98

Fix encoding-evolution structure


push time in 15 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha 1d6736b2011c931cbd9dc69c972fa864ed228acc

Delete blogs


push time in 19 days

push event evan361425/evan361425.github.io

Shueh Chou Lu

commit sha ae08ba2667735ae353113f66b756dc2f5b1d6bab

fix analytic-db


push time in 19 days

created tag evan361425/flutter-pos-system

tag v2.4.2

An open-source Flutter application; the goal is to build a usable POS (ordering) system together with its users.

created time in 20 days

push event evan361425/flutter-pos-system

Shueh Chou Lu

commit sha 68bf2c05f1a73312d9781f2a5965fc7587a08f60

Bump pubspec to 20402002


push time in 20 days

push event evan361425/flutter-pos-system

Shueh Chou Lu

commit sha 513c482085a8e68fabd5ced3aaa16ff7ac9a8ac9

Using 2-dim datatable for surplus


push time in 20 days

push event evan361425/flutter-pos-system

Shueh Chou Lu

commit sha 4dd6dd9feaad0a17b31016e24605f58400b65587

Separate rc and release workflow


push time in 20 days

push event evan361425/flutter-pos-system

Shueh Chou Lu

commit sha 97524bd9f9b202ba8d8d46a681a19c9474f054c3

Separate rc and release workflow


push time in 20 days

created tag evan361425/playground-github-action

tag v1.0.1

Play with GitHub action

created time in 20 days

push event evan361425/playground-github-action

Shueh Chou Lu

commit sha 2b986ac427dad1d8d24db3b43ea7894994448d94

Add 1.0.1 text


push time in 20 days

created tag evan361425/playground-github-action

tag v1.0.0-rc1

Play with GitHub action

created time in 20 days
