For a TypeScript project we use the pg-promise library, which depends on node-postgres.
For a daily scan we use Blackduck, and it detects a "High Vulnerability Security Issue" as follows:
2024-01-30 13:20:37 UTC INFO [main] --- Policy rule "High Vulnerability Security Issue" was violated by component "node_postgres:1.1.1" (https://*************************/api/components/004e0535-3fc4-4b69-a943-dfbc61df9517/versions/763e60b6-4bde-4f1e-bcd8-73e84fd18a09).
2024-01-30 13:20:37 UTC INFO [main] --- Policy rule "High Vulnerability Security Issue" has a fatal severity type: Blocker with description: High Vulnerability security issue, with a CVSS score greater than or equal to 7.0
So, in the end, because of the security issue it fails the security scan.
Our pg-promise entry in the package.json is:
{
  "name": "rds-trigger-handler",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "mysql": "^2.18.1",
    "pg-promise": "^11.0.0"
  }
}
Even though we tried different pg-promise versions (^11.5.4, ^11.5.0, ^11.4.3), the error we get did not change. It always says it was violated by component "node_postgres:1.1.1". However, node-postgres has no such versioning.
npm why pg:
pg@8.11.3
node_modules/pg
  peer pg@">=8.0" from [email protected]
  node_modules/pg-pool
    pg-pool@"^3.6.1" from pg@8.11.3
  pg@"8.11.3" from [email protected]
  node_modules/pg-promise
    pg-promise@"^11.0.0" from the root project
How can we solve the issue? Has anyone had the same issue before?