Fix false positive CVE alerts by setting package name to code-oss-dev (#7839)
The VS Code build process sets the bundled lib/vscode/package.json name to "code-server" (from product.json nameShort), causing vulnerability scanners to misidentify it and flag non-applicable CVEs. Override the name to "code-oss-dev" in build-release.sh after merging package.json. Fixes #7071 Signed-off-by: ka-ishimoto <ka-ishimoto@kddi.com>
@@ -128,7 +128,9 @@ bundle_vscode() {
# Merge the package.json for the web/remote server so we can include
# Merge the package.json for the web/remote server so we can include
# dependencies, since we want to ship this via NPM.
# dependencies, since we want to ship this via NPM.
jq --slurp '.[0] * .[1]' \
# Also override the name to prevent vulnerability scanners from
# misidentifying this package as VS Code (see #7071).
jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \
"$VSCODE_SRC_PATH/remote/package.json" \
"$VSCODE_SRC_PATH/remote/package.json" \
"$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
"$VSCODE_OUT_PATH/package.json" > "$VSCODE_OUT_PATH/package.json.merged"
mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
mv "$VSCODE_OUT_PATH/package.json.merged" "$VSCODE_OUT_PATH/package.json"
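Review bot: The new pipeline `jq --slurp '.[0] * .[1] | .name = "code-oss-dev"' \` has no failure handling: if jq exits non-zero (malformed input, or the filter itself erroring), the shell redirect still creates an empty `package.json.merged` and the following `mv` replaces the real package.json with it, turning a build error into a silently broken package. Unless build-release.sh enables `set -e`/`pipefail` earlier (not visible in this hunk), guard the step, e.g. `jq … > "$VSCODE_OUT_PATH/package.json.merged" || exit 1`, or verify the merged file with `jq -e '.name == "code-oss-dev"'` before the mv so the override is actually confirmed rather than assumed. It would also help to extend the new comment with why the assignment is placed after the merge: in `.[0] * .[1]` the second object (`$VSCODE_OUT_PATH/package.json`) wins on conflicting keys, so `.name` must be set last or the "code-server" value could be reintroduced. The enclosing bundle_vscode function starts and ends outside this hunk.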