qngo
(Quang Ngo)
September 6, 2024, 12:48pm
1
Hi,
I got a report from the XRay scanner in JFrog that the base image of Discourse version 2.0.20240904-0335 contains malicious code in three packages:
dialog-holder:1.0.0
float-kit:1.0.0
custom-proxy:1.0.0
Then I did a little research and also found the three packages with the same name and version reported on https://vulert.com
(I will add this in the comment as I cannot post more than 2 links in the post)
Have you faced the same issues before? Are these findings from Discourse or other packages as I cannot find any reported packages on npm.js?
Many thanks
jrack
(Justin Rackliffe)
December 13, 2024, 12:28pm
5
We had seen something similar with JFrog. This looks to be an ambiguous name for an unscoped package and not an actual issue.
Discourse does have a package in their repo called float-kit but that has nothing to do with the float-kit on npmjs. The others are basically the same.
Ideally even these local packages would be scoped, but they are referenced from the workspace, so the 1.0.0 it is pulling is from its own repo.
There is no provenance push that I have seen, and JFrog just looks at names and versions in many cases, so it should fall into your false positive handling process with the control.
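One way to triage a finding like this, as an added example (not code from the thread, from Discourse or from JFrog): read the package-lock.json and tell a workspace-linked package apart from one resolved from the registry, since npm records a workspace package as a `"link": true` entry pointing at an in-repo path. The lockfile fragment, the `@acme` scope and the package names in it are constructed for illustration.

```javascript
// Added example: classify installed packages from a package-lock.json
// (lockfileVersion 2 or 3) and triage scanner findings of the form
// "<name>:<version>" against where the installed copy actually came from.
// Constructed lockfile fragment; names, scope and paths are illustrative.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-frontend", workspaces: ["app/float-kit", "app/@acme/dialog-holder"] },
    "node_modules/float-kit": { resolved: "app/float-kit", link: true },
    "app/float-kit": { name: "float-kit", version: "1.0.0" },
    "node_modules/@acme/dialog-holder": { resolved: "app/@acme/dialog-holder", link: true },
    "app/@acme/dialog-holder": { name: "@acme/dialog-holder", version: "1.0.0" },
    "node_modules/some-registry-dep": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/some-registry-dep/-/some-registry-dep-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

// Map every installed node_modules entry to its real source.
function classifyInstalled(lock) {
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/")) continue;
    const name = path.split("node_modules/").pop(); // also handles nested trees
    const scoped = name.startsWith("@");
    if (entry.link) {
      const target = lock.packages[entry.resolved] || {}; // workspace path
      out[name] = { version: target.version, source: "workspace", scoped };
    } else if (/^https?:\/\//.test(entry.resolved || "") && entry.integrity) {
      out[name] = { version: entry.version, source: "registry", scoped };
    } else {
      out[name] = { version: entry.version, source: "unknown", scoped };
    }
  }
  return out;
}

// Verdict for one scanner finding; a workspace link means a name collision.
function triageFinding(lock, finding) {
  const [name, version] = finding.split(":");
  const hit = classifyInstalled(lock)[name];
  if (!hit || hit.version !== version) return "not-installed";
  if (hit.source === "registry") return "registry-package: investigate";
  if (hit.source !== "workspace") return "unknown-source: check lockfile";
  return hit.scoped ? "workspace-link" : "workspace-link: unscoped name collides with registry";
}
```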