How do you find Microsoft Defender for Cloud node/npm security vulnerabilities in a docker image?

Matt O'Connor 1 Reputation point
2022-09-15T16:03:35.167+00:00

I have an Ubuntu docker image that uses azure-powershell as a base image, which I then install node and npm onto along with some Playwright dependencies. I'm not installing or running any code.

Microsoft Defender for Cloud is flagging up the following vulnerability when I push my image to Azure Container Registry:

Nodejs (npm) Security Update for brace-expansion (GHSA-832h-xg76-4gv6)  

How can I find out where this and other packages like it are installed and find out the versions?

Dockerfile for reference

# Copyright (c) Microsoft Corporation.  
# Licensed under the MIT License.  
  
# Docker image file that describes an Ubuntu20.04 image with PowerShell installed from Microsoft APT Repo  
FROM mcr.microsoft.com/azure-powershell:ubuntu-18.04  
  
ENV DEBIAN_FRONTEND=noninteractive  
RUN echo "APT::Get::Assume-Yes \"true\";" > /etc/apt/apt.conf.d/90assumeyes  
  
# === INSTALL Node.js ===  
  
RUN apt-get update && \  
  apt-get install -y \  
  ca-certificates \  
  curl \  
  jq \  
  git \  
  iputils-ping \  
  libcurl4 \  
  libicu60 \  
  libunwind8 \  
  netcat \  
  libssl1.0 \  
  wget && \  
  # clean apt cache  
  rm -rf /var/lib/apt/lists/* && \  
  # Create the pwuser  
  adduser pwuser  
  
RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash  
RUN apt-get install nodejs \  
  && node -v \  
  && npm -v  
  
RUN npm install -g npm@7.21.1 && npm -v  
  
# === INSTALL Playwright ===  
  
ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright  
  
# The version of Playwright should be pinned to the same corresponding version in the 'package.json' within 'tribal.edge.ui'  
RUN mkdir /ms-playwright && \  
  npx playwright@1.25.2 install --with-deps && rm -rf /var/lib/apt/lists/* && \  
  chmod -R 777 /ms-playwright  

1 answer

  1. deherman-MSFT 38,021 Reputation points Microsoft Employee Moderator
    2022-09-15T21:28:42.063+00:00

    @Matt O'Connor
    I used the same base container image and followed the steps outlined in your docker file. It appears that brace-expansion is installed by default with npm. However, the version I am seeing is 1.1.11, which shouldn't be vulnerable, according to https://github.com/advisories/GHSA-832h-xg76-4gv6

    Maybe you could try installing the brace-expansion or upgrading it with npm? If you connect with the container you should be able to locate it using the below command:

    find ./ -name "*brace*"  
    

    You can then check the version:

    head -n 5 ./usr/lib/node_modules/npm/node_modules/brace-expansion/package.json  
    

    Hope this helps. Let me know what you are seeing and if you are still facing this error.

    -------------------------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

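The search in the answer above, widened into a script that lists every npm package installed anywhere in the container filesystem together with its version, which is what a Defender for Cloud finding like the one in the question asks you to locate. This is an added example, not code from the question, the answer or Microsoft; it assumes it is run inside the container (or against an exported image root) and that `jq` may be absent, so it falls back to `awk` for reading `package.json`.

```shell
#!/bin/sh
# Added example: walk every package.json under a node_modules directory, so copies
# bundled inside npm itself (e.g. under /usr/lib/node_modules/npm) and nested
# duplicates are listed. Run inside the container, or against an exported image root.

# json_field FILE KEY: best-effort value of a top-level string key. Uses jq when
# present; otherwise the least-indented "KEY" line wins, so author.name is not picked.
json_field() {
  if command -v jq >/dev/null 2>&1; then
    jq -r --arg k "$2" '.[$k] // empty' "$1"; return
  fi
  awk -v k="\"$2\"" '
    index($0, k) {
      line = $0; match(line, /^[[:space:]]*/); ind = RLENGTH
      sub(/^[[:space:]]*[{]?[[:space:]]*/, "", line)
      if (index(line, k) == 1 && (best == "" || ind < bestind)) { best = line; bestind = ind }
    }
    END {
      if (best == "") exit
      sub(/^"[^"]*"[[:space:]]*:[[:space:]]*"/, "", best); sub(/".*$/, "", best); print best
    }' "$1"
}
# list_npm_packages ROOT [NAME]: print "name@version<TAB>dir" for each package that
# sits directly under a node_modules (or @scope) directory; deeper package.json
# files (test fixtures) are skipped. NAME restricts the output to one package.
list_npm_packages() {
  root="$1"; want="${2:-}"
  find "$root" -type f -name package.json -path '*/node_modules/*' 2>/dev/null |
  while IFS= read -r pj; do
    pkgdir=$(dirname "$pj"); parent=$(dirname "$pkgdir")
    case "$(basename "$parent")" in
      node_modules) ;;
      @*) [ "$(basename "$(dirname "$parent")")" = node_modules ] || continue ;;
      *) continue ;;
    esac
    name=$(json_field "$pj" name); version=$(json_field "$pj" version)
    [ -n "$name" ] || continue
    [ -z "$want" ] || [ "$name" = "$want" ] || continue
    printf '%s@%s\t%s\n' "$name" "$version" "$pkgdir"
  done | sort -u
}
# version_lt A B: succeed when dotted numeric version A is older than B (compare a
# version found above against the patched version named in the advisory).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN { na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) { ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0
      if (ai != bi) { if (ai < bi) exit 0; exit 1 } }
    exit 1 }'
}
if [ $# -gt 0 ]; then list_npm_packages "$@"; fi   # e.g. sh find-npm.sh / brace-expansion
```

Run it with `/` as the root inside the container to see every copy of `brace-expansion`, including the one nested under npm's own `node_modules`, which `npm ls -g` does not show.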
