0

Dockerhub says I have the vulnerabilities: CVE-2023-5363 and CVE-2023-5678, which is part of the openssl package. See this image: enter image description here

Does anyone know how I can resolve this issue? I've simplified my nodejs project to just console.log('hello world'); and I removed all possible npm packages, but I still get this vulnerability. My hello project only consists of 4 files and they are:

~/src/index.js

console.log('hello');

~/package.json

{
  "name": "test",
  "version": "1.0.0",
  "main": "src/index.js",
  "scripts": {},
  "dependencies": {},
  "devDependencies": {}
}

~/docker-compose.yml

version: "3.8"
services:
  api_image:
    image: johndev/api:test2
    build:
      context: ./
      dockerfile: ./make.dockerfile

~/make.dockerfile

FROM node:21-alpine

WORKDIR /api


COPY ./package*.json ./


RUN mkdir ./src
COPY ./src/ ./src/


RUN npm install
ENTRYPOINT [ "echo", "'All Done'" ]

To push an image to dockerhub, I just run these commands:

docker-compose up --build -d;
docker push johndev/api:test2;

What did I do wrong? What in my code is causing the vulnerabilities CVE-2023-5363 and CVE-2023-5678?

learningtech
  • 161
  • 1
  • 8

2 Answers2

1

CVS-2023-5363 and CVE-2023-5678 are both vulnerabilities in OpenSSL. They don't come from any of the code that you wrote. Your base image - node:21-alpine - probably has a vulnerable version of OpenSSL by default. By adding the commands to update installed packages, you are installing a patched version of OpenSSL that no longer contains the vulnerabilities.

Thomas Owens
  • 408
  • 2
  • 8
0

I added this line to my make.dockerfile

RUN apk update && \
    apk upgrade && \
    apk add --no-cache openssl

So now my code looks like:

FROM node:21-alpine

WORKDIR /api
RUN apk update && 

    apk upgrade && 

    apk add --no-cache openssl


COPY ./package*.json ./


RUN mkdir ./src
COPY ./src/ ./src/


RUN npm install
ENTRYPOINT [ "echo", "'All Done'" ]
learningtech
  • 161
  • 1
  • 8