The source of the analyzed project is here.
docker buildx build -f Dockerfile_classic -t rreszka/pawcho:lab8 --sbom=true --provenance=mode=max --push .
Using the command below, I could find the fixed versions of the affected packages, i.e. the versions in which the reported CVEs no longer apply:
docker scout cves --only-severity critical,high rreszka/pawcho:lab8
Here is an example of its output:
To fix the project, package.json has to be updated to the patched versions of the affected packages.
Here are the differences made to the package.json file.
Unfortunately, the first update of package.json did not cover all vulnerabilities:
The npm audit output shows which packages depend on the vulnerable ones:
Here are the additional differences made to the package.json file to pick up the remaining patches.
Now we can see that all critical- and high-severity CVEs have been fixed!
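As an added illustration of the npm audit step (this is example code written for this page, not part of the original lab and not the project's own code): the script below parses the JSON that `npm audit --json` emits (npm 7 and later, `auditReportVersion` 2) and walks each vulnerable package's `effects` edges upward to the direct dependency in package.json that pulls it in, which is the entry whose version actually has to be bumped. The package names, advisory ids and URLs in the embedded sample report are constructed for the example and do not refer to real packages or advisories.

```python
"""Map each vulnerable transitive package back to the direct dependency that pulls it in.

Parses `npm audit --json` output (npm 7+). Each entry in "vulnerabilities" carries:
  "via":      advisory objects the package itself is affected by, or names of
              vulnerable packages it depends on
  "effects":  names of packages that depend on it (the reverse edge)
  "isDirect": whether the package is listed in package.json
Walking "effects" upward from a package that carries an advisory ends at the
direct dependencies whose versions must change in package.json.
"""
import json
from collections import deque

# Constructed sample report: names, advisory ids and URLs are made up for this example.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "deep-parse": {"name": "deep-parse", "severity": "critical", "isDirect": False,
                       "via": [{"source": 1001, "name": "deep-parse", "dependency": "deep-parse",
                                "title": "Prototype pollution (constructed)",
                                "url": "https://example.invalid/advisories/1001",
                                "severity": "critical", "range": "<1.2.0"}],
                       "effects": ["cli-helper"], "range": "<1.2.0",
                       "fixAvailable": {"name": "app-framework", "version": "3.0.0", "isSemVerMajor": True}},
        "cli-helper": {"name": "cli-helper", "severity": "critical", "isDirect": False,
                       "via": ["deep-parse"], "effects": ["app-framework"], "range": "<=0.5.1",
                       "fixAvailable": {"name": "app-framework", "version": "3.0.0", "isSemVerMajor": True}},
        "app-framework": {"name": "app-framework", "severity": "critical", "isDirect": True,
                          "via": ["cli-helper"], "effects": [], "range": "<=2.4.0",
                          "fixAvailable": {"name": "app-framework", "version": "3.0.0", "isSemVerMajor": True}},
        "web-logger": {"name": "web-logger", "severity": "high", "isDirect": True,
                       "via": [{"source": 1002, "name": "web-logger", "dependency": "web-logger",
                                "title": "Log injection (constructed)",
                                "url": "https://example.invalid/advisories/1002",
                                "severity": "high", "range": "<4.1.1"}],
                       "effects": [], "range": "<4.1.1", "fixAvailable": True},
        "tiny-fmt": {"name": "tiny-fmt", "severity": "moderate", "isDirect": True,
                     "via": [{"source": 1003, "name": "tiny-fmt", "dependency": "tiny-fmt",
                              "title": "ReDoS (constructed)",
                              "url": "https://example.invalid/advisories/1003",
                              "severity": "moderate", "range": "<2.0.3"}],
                     "effects": [], "range": "<2.0.3", "fixAvailable": True},
    },
})


def advisories(entry):
    """Advisory objects attached to this package itself (strings in `via` are dependency names)."""
    return [v for v in entry.get("via", []) if isinstance(v, dict)]


def dependency_chains(vulns, root):
    """BFS upward along `effects` from `root`; one chain root -> ... -> direct dep per direct dep reached."""
    came_from = {root: None}
    queue = deque([root])
    chains = []
    while queue:
        name = queue.popleft()
        entry = vulns.get(name)
        if entry is None:  # dependent not listed in the report; nothing further to walk
            continue
        if entry.get("isDirect"):
            path, node = [], name
            while node is not None:
                path.append(node)
                node = came_from[node]
            chains.append(path[::-1])
        for parent in entry.get("effects", []):
            if parent not in came_from:
                came_from[parent] = name
                queue.append(parent)
    return chains


def blame(report_json, severities=("critical", "high")):
    """Return {direct dependency: [findings]} for advisories at the given severities."""
    vulns = json.loads(report_json)["vulnerabilities"]
    result = {}
    for root in sorted(vulns):
        for adv in advisories(vulns[root]):
            if adv["severity"] not in severities:
                continue
            for chain in dependency_chains(vulns, root):
                direct = chain[-1]
                result.setdefault(direct, []).append({
                    "vulnerable_package": root,
                    "severity": adv["severity"],
                    "title": adv["title"],
                    "vulnerable_range": adv["range"],
                    "chain": chain,
                    # True/False, or {"name","version","isSemVerMajor"} when a bump of the
                    # direct dependency (possibly a major one) fixes the advisory
                    "fix_available": vulns[direct].get("fixAvailable"),
                })
    return result


if __name__ == "__main__":
    for direct, findings in blame(SAMPLE_AUDIT).items():
        for f in findings:
            print(f"{direct}: {f['severity']} in {f['vulnerable_package']} via "
                  f"{' -> '.join(f['chain'])}; fix: {f['fix_available']}")
```

Against a real project, run `npm audit --json > audit.json` and call `blame(open("audit.json").read())`. The `fix_available` field is copied from the report: `true` means a compatible bump of the direct dependency exists, while an object with `isSemVerMajor: true` means the fix needs a major version change of that direct dependency, which `npm audit fix` does not apply without `--force`; those are the entries to edit by hand in package.json.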