nodejs@16.18.1-deb-1nodesource1 package contains security issues

### Version

v16.18.1

### Platform

Linux 31c25ca4ff57 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

### Subsystem

_No response_

### What steps will reproduce the bug?

We have found these security issues while scanning containers using snyk tool:

`snyk container test <our_ubuntu22:04_based_container> --policy-path=.snyk  --severity-threshold=high`

```
Testing <our_ubuntu22:04_based_container>...

✗ High severity vulnerability found in nodejs
  Description: Loop with Unreachable Exit Condition ('Infinite Loop')
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2775540
  Introduced through: nodejs@16.18.1-deb-1nodesource1
  From: nodejs@16.18.1-deb-1nodesource1
  Image layer: 'apt-get install -y nodejs'

✗ High severity vulnerability found in nodejs
  Description: NULL Pointer Dereference
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2782481
  Introduced through: nodejs@16.18.1-deb-1nodesource1
  From: nodejs@16.18.1-deb-1nodesource1
  Image layer: 'apt-get install -y nodejs'



Organization:      myorg
Package manager:   deb
Project name:      docker-image|<our_ubuntu22:04_based_container>
Docker image:      <our_ubuntu22:04_based_container>
Platform:          linux/amd64
Base image:        ubuntu:22.04
Local Snyk policy: found
Licenses:          enabled

Tested 264 dependencies for known issues, found 2 issues.

According to our scan, you are currently using the most secure version of the selected base image

Learn more: https://docs.snyk.io/products/snyk-container/getting-around-the-snyk-container-ui/base-image-detection
```

That's because we use latest `ubuntu` container as base, and then we install nodejs using:

```
RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
    && apt-get install -y nodejs
```

### How often does it reproduce? Is there a required condition?

Every time we scan the container using snyk.

### What is the expected behavior?

After we run snyk container test command, the nodejs package should not contain any security issue.

### What do you see instead?

See output above.

### Additional information

There is no updated deb package for that version of nodejs, so we can't install a patched version of it.
Please see the available deb versions [here](https://www.ubuntuupdates.org/ppa/node_16.x?dist=focal)

https://security.snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2782481
https://security.snyk.io/vuln/SNYK-UBUNTU2204-NODEJS-2775540

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[email protected] package contains security issues #45499

Version

Platform

Subsystem

What steps will reproduce the bug?

How often does it reproduce? Is there a required condition?

What is the expected behavior?

What do you see instead?

Additional information

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

[email protected] package contains security issues #45499

Description

Version

Platform

Subsystem

What steps will reproduce the bug?

How often does it reproduce? Is there a required condition?

What is the expected behavior?

What do you see instead?

Additional information

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions