
Latest Debian 12.x fixes not deployed #1217

@MikeMcC399

Description

Current behavior

Current Cypress Docker images are missing available fixes for Debian critical vulnerabilities relating to:

  • git
  • git-man
  • libexpat1

Desired behavior

Cypress Docker images should be published with up-to-date available Debian fixes.

Resolved

  • cypress/factory:latest
  • cypress/base:latest
  • cypress/browsers:latest
  • cypress/included:latest

Test code to reproduce

trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/factory:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/base:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/browsers:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/included:latest
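As an added example (not code from this issue or from the cypress-docker-images project), the same filter applied to trivy's JSON output (`trivy image --format json IMAGE | python3 check_debian_fixes.py`) so a CI job can fail when a published image lacks available Debian fixes. The sample report is constructed from the findings in this issue, plus one placeholder entry with no fix to show what `--ignore-unfixed` drops; the script name is an assumption.

```python
import json
import sys
from collections import defaultdict

# Constructed stand-in for json.load() of `trivy image --format json cypress/factory:latest`,
# reduced to the fields this check reads and populated with the findings reported in this issue.
SAMPLE_TRIVY_REPORT = {
    "Results": [{
        "Class": "os-pkgs", "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-32002", "PkgName": "git", "Severity": "CRITICAL",
             "InstalledVersion": "1:2.39.2-1.1", "FixedVersion": "1:2.39.5-0+deb12u1"},
            {"VulnerabilityID": "CVE-2024-32002", "PkgName": "git-man", "Severity": "CRITICAL",
             "InstalledVersion": "1:2.39.2-1.1", "FixedVersion": "1:2.39.5-0+deb12u1"},
            {"VulnerabilityID": "CVE-2024-45490", "PkgName": "libexpat1", "Severity": "CRITICAL",
             "InstalledVersion": "2.5.0-1", "FixedVersion": "2.5.0-1+deb12u1"},
            {"VulnerabilityID": "CVE-2024-45491", "PkgName": "libexpat1", "Severity": "CRITICAL",
             "InstalledVersion": "2.5.0-1", "FixedVersion": "2.5.0-1+deb12u1"},
            {"VulnerabilityID": "CVE-2024-45492", "PkgName": "libexpat1", "Severity": "CRITICAL",
             "InstalledVersion": "2.5.0-1", "FixedVersion": "2.5.0-1+deb12u1"},
            {"VulnerabilityID": "CVE-0000-00000", "PkgName": "placeholder-pkg", "Severity": "CRITICAL",
             "InstalledVersion": "1.0-1", "FixedVersion": ""},  # placeholder, not a real CVE: no fix yet
        ],
    }],
}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def fixable_os_vulns(report, min_severity="CRITICAL"):
    """Group OS-package findings that already have a Debian fix by package name
    (trivy's --pkg-types os, --ignore-unfixed and --severity filters, applied in code)."""
    threshold = SEVERITY_RANK[min_severity]
    hits = defaultdict(list)
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":  # --pkg-types os
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if not vuln.get("FixedVersion"):  # --ignore-unfixed: a rebuild could not pick this up yet
                continue
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            hits[vuln["PkgName"]].append(
                (vuln["VulnerabilityID"], vuln["InstalledVersion"], vuln["FixedVersion"]))
    return dict(hits)


if __name__ == "__main__":
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_TRIVY_REPORT
    stale = fixable_os_vulns(report)
    print(json.dumps(stale, indent=2))
    sys.exit(1 if stale else 0)  # non-zero exit: the image needs a rebuild against current Debian packages
```

Run without piped input it evaluates the constructed sample and exits 1, matching the "Total: 5 (CRITICAL: 5)" result for cypress/factory:latest shown in the debug logs.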

Cypress Docker versions

docker run --rm --entrypoint cat cypress/factory:latest /etc/debian_version
docker run --rm --entrypoint cat cypress/base:latest /etc/debian_version
docker run --rm --entrypoint cat cypress/browsers:latest /etc/debian_version
docker run --rm --entrypoint cat cypress/included:latest /etc/debian_version
| Image | Debian | Published | Version |
| --- | --- | --- | --- |
| cypress/factory | 12.7 | Sep 10, 2024 | 4.2.0 |
| cypress/base | 12.6 | Aug 26, 2024 | 20.17.0 |
| cypress/browsers | 12.7 | Sep 25, 2024 | node-20.17.0-chrome-129.0.6668.70-1-ff-130.0.1-edge-129.0.2792.52-1 |
| cypress/included | 12.7 | Sep 25, 2024 | 13.15.0 |

Debug Logs

cypress/factory:latest (debian 12.7)

Total: 5 (CRITICAL: 5)

┌───────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version    │                            Title                            │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ git       │ CVE-2024-32002 │ CRITICAL │ fixed  │ 1:2.39.2-1.1      │ 1:2.39.5-0+deb12u1 │ git: Recursive clones RCE                                   │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-32002                  │
├───────────┤                │          │        │                   │                    │                                                             │
│ git-man   │                │          │        │                   │                    │                                                             │
│           │                │          │        │                   │                    │                                                             │
├───────────┼────────────────┤          │        ├───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat1 │ CVE-2024-45490 │          │        │ 2.5.0-1           │ 2.5.0-1+deb12u1    │ libexpat: Negative Length Parsing Vulnerability in libexpat │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45490                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45491 │          │        │                   │                    │ libexpat: Integer Overflow or Wraparound                    │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45491                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45492 │          │        │                   │                    │ libexpat: integer overflow                                  │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45492                  │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────┴─────────────────────────────────────────────────────────────┘
