Labels: kind/feature (Categorizes issue or PR as related to a new feature), scan/vulnerability (Issues relating to vulnerability scanning)
Description
Trivy currently does not report issues for (NPM) packages compromised with malware, such as those from the recent Shai-Hulud campaigns.
That is probably because while GitHub Security Advisories have been issued for the versions removed from NPM, these are special Malware advisories. You only find them through the search by adding `type:malware` to your query. Likewise, the API only returns them when explicitly requesting `"type": "malware"`. Refer to my blog post for more details: Why Scanners Fail in Practice: Lessons from the Shai-Hulud Attacks on NPM
I would have expected Trivy to identify the compromised versions when scanning anything including NPM dependencies (filesystem, SBOM, etc.).
Some might argue that malware infections should not be part of vulnerability scans, since they are not exploitable vulnerabilities, but rather instances where the compromise has already occurred in the supply chain. But ultimately, these dependencies are blatantly insecure. If anything, the risk is higher than that of a vulnerable, but unexploited package.
I'm aware that Aqua does offer malware detection as part of its commercial offering, even though I couldn't find any details on its capabilities. But this is not about advanced detection of unknown malware. It is just about including the full information that is already available from advisories.
Target: SBOM
Scanner: Vulnerability
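The lookup the issue describes, as an added example that is neither Trivy's nor Aqua's code nor the issue author's: it builds the GitHub Advisory Database query with the `type=malware` parameter that a scanner has to send explicitly, derives `name@version` pairs from a package-lock.json, and matches them against the `vulnerable_version_range` of each malware advisory. It assumes the documented `GET https://api.github.com/advisories` query parameters (`type`, `ecosystem`, `affects`); the advisory payload and lockfile embedded below are constructed samples with a placeholder GHSA id and placeholder package names, not real advisories, so the block runs offline and the live `fetch_advisories` call is only there to show the request shape.

```python
"""Match npm package@version pairs against GitHub malware advisories.
Added example, not Trivy/Aqua code. Assumes the documented /advisories
query parameters; the payloads below are constructed samples."""
import json
import re
import urllib.parse
import urllib.request

API = "https://api.github.com/advisories"

# Constructed sample mirroring one element of a /advisories response.
# GHSA id, package names and versions are placeholders, not a real advisory.
SAMPLE_ADVISORIES = json.loads("""[
  {"ghsa_id": "GHSA-xxxx-xxxx-xxxx", "type": "malware",
   "summary": "constructed sample: malicious versions published to npm",
   "vulnerabilities": [
     {"package": {"ecosystem": "npm", "name": "example-pkg"},
      "vulnerable_version_range": "= 1.2.3", "first_patched_version": null},
     {"package": {"ecosystem": "npm", "name": "other-pkg"},
      "vulnerable_version_range": ">= 2.0.0, < 2.1.0",
      "first_patched_version": "2.1.0"}
   ]}
]""")

# Constructed sample of a lockfileVersion 2/3 package-lock.json "packages" map.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "0.1.0"},
    "node_modules/example-pkg": {"version": "1.2.3"},
    "node_modules/other-pkg": {"version": "2.0.5"},
    "node_modules/other-pkg/node_modules/example-pkg": {"version": "1.2.4"}
  }
}""")


def affects_from_lockfile(lock):
    """package-lock paths -> name@version. The name is whatever follows the
    last 'node_modules/', which also covers nested installs and @scoped names."""
    out = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or "version" not in entry:
            continue  # root project, or a link entry without a version
        out.append(f"{path.rsplit('node_modules/', 1)[-1]}@{entry['version']}")
    return out


def build_url(affects, ecosystem="npm", per_page=100):
    """type=malware is the parameter a scanner must send: without it the
    endpoint returns only reviewed advisories that are not malware."""
    params = {"type": "malware", "ecosystem": ecosystem,
              "affects": ",".join(affects), "per_page": per_page}
    return API + "?" + urllib.parse.urlencode(params)


def fetch_advisories(affects, token=None):
    """Live query (not exercised offline). The API caps the affects list,
    so batch large lockfiles; a token only raises the rate limit."""
    headers = {"Accept": "application/vnd.github+json",
               "X-GitHub-Api-Version": "2022-11-28"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(build_url(affects), headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
_CLAUSE = re.compile(r"^(<=|>=|=|<|>)\s*(\S+)$")
_OPS = {"=": lambda a, b: a == b, "<": lambda a, b: a < b,
        "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b}


def parse_version(text):
    """major.minor.patch only; pre-release tags are ignored, which errs on
    the side of reporting a tagged build of a flagged version."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def in_range(version, range_spec):
    """GHSA ranges are comma-separated clauses such as '= 1.2.3' or
    '>= 2.0.0, < 2.1.0'; every clause must hold."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def malware_hits(advisories, affects, ecosystem="npm"):
    """(name@version, ghsa_id, range) for each affects entry inside a malware
    advisory's range. The type check matters because a response may also
    carry reviewed advisories when several types are requested."""
    hits = []
    for spec in affects:
        name, _, version = spec.rpartition("@")  # keeps @scope/name intact
        for adv in advisories:
            if adv.get("type") != "malware":
                continue
            for vuln in adv.get("vulnerabilities", []):
                pkg = vuln["package"]
                if (pkg["ecosystem"] == ecosystem and pkg["name"] == name
                        and in_range(version, vuln["vulnerable_version_range"])):
                    hits.append((spec, adv["ghsa_id"], vuln["vulnerable_version_range"]))
    return hits


if __name__ == "__main__":
    affects = affects_from_lockfile(SAMPLE_LOCK)
    print(build_url(affects))
    for spec, ghsa, rng in malware_hits(SAMPLE_ADVISORIES, affects):
        print(f"MALWARE {spec}: {ghsa} (vulnerable range {rng})")
```

Against the constructed samples, `example-pkg@1.2.3` and `other-pkg@2.0.5` are reported and the nested `example-pkg@1.2.4` is not; swapping `SAMPLE_ADVISORIES` for the result of `fetch_advisories(affects)` runs the same matching against the live database.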