The Trivy scanner is unable to take the updated version (7.5.2) and still throws an error in the build (showing the installed version as 7.5.1).
(alpine 3.17.4)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Node.js (node-pkg)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library               │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                     │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ semver (package.json) │ CVE-2022-25883 │ MEDIUM   │ 7.5.1             │ 7.5.2         │ semver vulnerable to Regular Expression Denial of Service │
│                       │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25883                │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘
I made the following changes to override the semver version so that the Trivy scanner would accept the fixed version (7.5.2).
The changes were made in package.json:
"overrides": { "semver": "^7.5.2" },
and
"resolutions": { "semver": "^7.5.2" },
When I ran 'npm i' in my local environment and searched for all occurrences of semver in package-lock.json, under "packages" the "semver": "^7.5.2" version was updated.