Dockerhub unable to scan NODEJS compiled/binary code for vulnerabilities?

mozzy

Coder
Hey Everyone,

I have a nodejs app that I put into a docker image and upload to docker hub. I noticed that depending on how I package the code, dockerhub can or can not scan for vulnerabilities. For example, let's say I use this dockerfile to make my docker image.

Code:
FROM node:20-alpine

WORKDIR /api

COPY ./package*.json ./

RUN mkdir ./src
COPY ./src/ ./src/

RUN npm install
# this line makes a binary executable file called run-app
RUN ./node_modules/.bin/pkg ./src/entry.js -o run-app --targets node18-alpine-x64
RUN rm -rf /api/src
RUN rm -rf /api/node_modules
RUN rm -rf /api/package*.json
ENTRYPOINT [ "echo", "'API - binary complete'" ]

I can make an image called my-app and then type the terminal command docker push my-company/my-app. Dockerhub will receive this image and it will say 0 vulnerabilities found.

But if I comment out the final 3 RUN ... lines like this:

Code:
...etc...
# this line makes a binary executable file called run-app
RUN ./node_modules/.bin/pkg ./src/entry.js -o run-app --targets node18-alpine-x64
#RUN rm -rf /api/src
#RUN rm -rf /api/node_modules
#RUN rm -rf /api/package*.json
ENTRYPOINT [ "echo", "'API - binary complete'" ]

Then make the image and do the docker push my-company/my-app, then all of a sudden Dockerhub will receive this image and it will say 20 vulnerabilities found.

Based on these outcomes, which one of these statements is true?
a) When only run-app exists in the image, Dockerhub is absolutely correct in stating there are 0 vulnerabilities. This is because vulnerabilities only exist in /api/<src|modules|package.json>. That act of compiling a binary removes all security vulnerabilities.
b) Vulnerabilities do exist in run-app but Dockerhub does not have the ability to realize this because [_______ something something something _____]
c) Other?

I welcome any extra insight into the matter because I am completely new to docker and computer coding.
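To see why the count changes between the two Dockerfiles, here is an added example (not code from the thread) that mimics how a manifest-based image scanner inventories Node packages: it walks the image filesystem, reads every node_modules/<pkg>/package.json, and matches name/version pairs against an advisory list. The advisory list, package names and directory layout are all constructed for the demo, and the run-app file is a stand-in for the pkg output.

```python
import json
import tempfile
from pathlib import Path

# Constructed advisory data (hypothetical packages, not real CVEs): name -> vulnerable versions.
ADVISORIES = {
    "old-parser": {"2.3.1", "2.3.2"},
    "left-pad-ish": {"1.0.0"},
}


def inventory_node_packages(rootfs: Path) -> dict[str, str]:
    """Mimic a manifest-based SCA scanner: collect name/version from each
    node_modules/<pkg>/package.json found under the image filesystem."""
    found = {}
    for manifest in rootfs.rglob("package.json"):
        if "node_modules" not in manifest.parts:
            continue
        try:
            data = json.loads(manifest.read_text())
        except (OSError, ValueError):
            continue  # unreadable manifest: a real scanner would skip it too
        if data.get("name") and data.get("version"):
            found[data["name"]] = data["version"]
    return found


def match_advisories(packages: dict[str, str]) -> list[tuple[str, str]]:
    """Return the (name, version) pairs that appear in the advisory list."""
    return sorted((n, v) for n, v in packages.items() if v in ADVISORIES.get(n, set()))


def build_rootfs(keep_node_modules: bool) -> Path:
    """Constructed layout standing in for the two images in the thread."""
    api = Path(tempfile.mkdtemp()) / "api"
    api.mkdir()
    # The pkg-built binary bundles the same dependency code in both cases.
    (api / "run-app").write_bytes(b"\x7fELF...bundled: old-parser@2.3.1 left-pad-ish@1.0.0 ...")
    if keep_node_modules:  # the "commented-out rm" variant keeps the manifests
        for name, version in [("old-parser", "2.3.1"), ("left-pad-ish", "1.0.0"), ("safe-lib", "4.0.0")]:
            pkg = api / "node_modules" / name
            pkg.mkdir(parents=True)
            (pkg / "package.json").write_text(json.dumps({"name": name, "version": version}))
    return api.parent


def scan(keep_node_modules: bool) -> int:
    """Number of advisory matches the manifest-based scan reports for that image."""
    return len(match_advisories(inventory_node_packages(build_rootfs(keep_node_modules))))


def binary_still_bundles(rootfs: Path, pkg: str) -> bool:
    """The dependency code is still inside run-app; only the scanner's inventory is gone."""
    return pkg.encode() in (rootfs / "api" / "run-app").read_bytes()
```

Running scan(True) reports the two constructed matches while scan(False) reports none, even though binary_still_bundles() is true for both images: removing node_modules removes the scanner's inventory, not the code.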
 
Hi there,

From experience, I can definitely tell you that it is because something is missing ;)
So let's take a look at your test here. I say that when you run it normally it will state that 0 vulnerabilities have been found... but when you comment out those remove commands, it says that there's 20 vulnerabilities...

Would you say, for the sake of argument, that it may be a possibility that the scans are dependent on those items you were removing? ;)
 
Hi there,

From experience, I can definitely tell you that it is because something is missing ;)
So let's take a look at your test here. I say that when you run it normally it will state that 0 vulnerabilities have been found... but when you comment out those remove commands, it says that there's 20 vulnerabilities...

Would you say that, for the sake of argument, that it may be a possibility that the scans are dependent on those items you were removing? ;)
Hehe, I just want to make sure I'm not losing my mind!!!!!
 

New Threads

Latest posts

Buy us a coffee!

Back
Top Bottom