Unsecure docker file shipped with npm package
tanepiper opened this issue · 0 comments
tanepiper commented
Description:
Using Trivy to scan packages for security vulnerabilities and other issues, this module includes the following Dockerfile:
```dockerfile
FROM selenium/node-chrome:latest
USER root
RUN apt-get update -qqy \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/* \
&& rm /bin/sh && ln -s /bin/bash /bin/sh \
&& chown seluser /usr/local
ENV NVM_DIR /usr/local/nvm
RUN mkdir -p $NVM_DIR \
&& wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.35.2/install.sh | bash \
&& source $NVM_DIR/nvm.sh \
&& nvm install v12
ENV CHROME_BIN /opt/google/chrome/chrome
ENV INSIDE_DOCKER=1
WORKDIR /usr/src
ENTRYPOINT source $NVM_DIR/nvm.sh && npm i && npm test
```
This triggers the following HIGH severity warnings:
https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0002/
https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0017/
Can you please add this file to the npm ignore, as it does not need to be shipped with this dependency?
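The two linked checks, applied to an excerpt of the Dockerfile quoted in the issue, together with a check for Dockerfiles in a package's published file list. This is an added example, not part of the original issue and not Trivy's or the package's code; the function names are hypothetical and the rule logic is a simplified reading of AVD-DS-0002 (container runs as root) and AVD-DS-0017 (`apt-get update` with no install in the same `RUN`).

```javascript
// Added example, not Trivy's implementation and not code from the package.
// Excerpt of the Dockerfile quoted in the issue (String.raw keeps the backslashes).
const ISSUE_DOCKERFILE = String.raw`FROM selenium/node-chrome:latest
USER root
RUN apt-get update -qqy \
  && rm -rf /var/lib/apt/lists/* /var/cache/apt/* \
  && chown seluser /usr/local
ENTRYPOINT source $NVM_DIR/nvm.sh && npm i && npm test`;

// Join backslash-continued lines, drop blanks and comments, split off the instruction.
function parseDockerfile(text) {
  return text
    .replace(/\\[ \t]*\r?\n/g, " ")
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#"))
    .map((line) => {
      const [, op, args] = line.match(/^(\S+)\s*(.*)$/);
      return { op: op.toUpperCase(), args };
    });
}

function auditDockerfile(text) {
  const steps = parseDockerfile(text);
  const findings = [];
  // AVD-DS-0002: the last USER instruction decides who the container runs as.
  // Assumption of this sketch: no USER at all is reported too (Docker defaults to root).
  const users = steps.filter((s) => s.op === "USER");
  const last = users.length ? users[users.length - 1].args.split(":")[0] : "root";
  if (last === "root" || last === "0") findings.push("AVD-DS-0002");
  // AVD-DS-0017: "apt-get update" with no "apt-get install" in the same RUN.
  const update = /\bapt-get\b[^&;|]*\bupdate\b/;
  const install = /\bapt-get\b[^&;|]*\binstall\b/;
  if (steps.some((s) => s.op === "RUN" && update.test(s.args) && !install.test(s.args))) {
    findings.push("AVD-DS-0017");
  }
  return findings;
}

// Paths as listed under "files" by `npm pack --dry-run --json`; returns shipped Dockerfiles.
function shippedDockerfiles(paths) {
  return paths.filter((p) => /(^|\/)Dockerfile(\.[^/]+)?$/i.test(p));
}
```

Running `shippedDockerfiles` over the dry-run file list in CI before publishing catches the file before it reaches consumers' scanners.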