Anchore Go Library - Vulnerabilities

[srisek]

Our org is using the Jammy base builder and base runner with the latest version in my CI tool to perform builds and got the below Critical/High security vulnerabilities identified by the scanning tool for the npm-install build pack.

1. Go Library: github.com/anchore/syft

Impacted Layer : /layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks

CVE-2022-28346
CVE-2022-28347
CVE-2022-34265
CVE-2023-31047
CVE-2021-45115
CVE-2021-45116
CVE-2022-23833
CVE-2022-36359
CVE-2022-41323

The recommended fix is to updated to version github.com/anchore/syft 0.89.0 and could see references of version 0.80.0 in the go dependencies used by the npm-install build pack.

https://github.com/paketo-buildpacks/npm-install/blob/main/go.mod#L33C2-L33C45

Can this be updated to the version – 0.89.0?

2. Go Library: github.com/anchore/stereoscope

Impacted Layer: /layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks
Installed Resource: github.com/anchore/stereoscope 0.0.0-20230412183729-8602f1afc574

CVE-2024-24579

Recommended Fix: Upgrade package github.com/anchore/stereoscope to version 0.0.1 or above.

We did notice that the underlying npm-install buildpack is using 0.0.1 in the dependency, but also getting replaced with version v0.0.0-20230412183729-8602f1afc574

https://github.com/paketo-buildpacks/npm-install/blob/main/go.mod#L159C80-L159C115

Request any guidance or help in getting these addressed with your team’s help.