Fix false positive CVE alerts from bundled VS Code package.json#7839

Open
ka-ishimoto wants to merge 2 commits into coder:main from ka-ishimoto:fix/version-mismatch-7071

Conversation

@ka-ishimoto

Fixes #7071

The VS Code build process (gulpfile.reh.ts) writes product.json's
nameShort ("code-server") into the bundled lib/vscode/package.json
name field. Vulnerability scanners (e.g. Anchore Grype) then match
this against CVE databases using the combination of name: "code-server"
and version: "1.x.x" (the VS Code version), producing false positives
like GHSA-frjg-g767-7363.

This overrides the name to "code-oss-dev" in build-release.sh
after merging the package.json, so scanners can no longer match it
against known CVE entries for code-server.

The VS Code build process sets the bundled lib/vscode/package.json name to "code-server" (from product.json nameShort), causing vulnerability scanners to misidentify it and flag non-applicable CVEs. Override the name to "code-oss-dev" in build-release.sh after merging package.json.
Fixes coder#7071

Signed-off-by: ka-ishimoto <ka-ishimoto@kddi.com>
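Added illustration, not code from this PR or from the code-server project: a Python model of the post-processing step the description above proposes, plus the release-time check a pipeline would want so the mismatch cannot silently return. The product.json and package.json fragments and their version numbers are constructed samples.

```python
import json

# Constructed sample inputs (not files from the repository). The bundled
# package.json is in the state gulpfile.reh.ts leaves it: product.json's
# nameShort copied into "name", but "version" still the VS Code version.
PRODUCT_JSON = '{"nameShort": "code-server"}'
BUNDLED_PACKAGE_JSON = '{"name": "code-server", "version": "1.98.0", "private": true}'

# Name build-release.sh writes after merging, so scanners no longer match
# the package against code-server advisories.
OVERRIDE_NAME = "code-oss-dev"


def scanner_identity(package_json_text):
    """Return the (name, version) pair a scanner such as Grype keys on."""
    pkg = json.loads(package_json_text)
    return pkg.get("name"), pkg.get("version")


def is_misidentified(product_json_text, package_json_text):
    """True when the bundled VS Code package carries the product's short name.

    That is exactly the state that makes a scanner read VS Code's 1.x.x
    version as a code-server version and report non-applicable CVEs."""
    product = json.loads(product_json_text)
    name, _version = scanner_identity(package_json_text)
    return name == product.get("nameShort")


def override_bundled_name(package_json_text, new_name=OVERRIDE_NAME):
    """Post-processing step mirroring the fix: rewrite only the name field,
    leaving version and every other key as the VS Code build produced them."""
    pkg = json.loads(package_json_text)
    pkg["name"] = new_name
    return json.dumps(pkg, indent=2) + "\n"


def release_check(product_json_text, package_json_text):
    """Guard for the release pipeline: refuse to ship a bundled package.json
    that still shares its name with product.json's nameShort."""
    if is_misidentified(product_json_text, package_json_text):
        name, version = scanner_identity(package_json_text)
        raise RuntimeError(
            f"bundled package.json is {name}@{version}; scanners will match "
            "it against code-server advisories")
    return True


if __name__ == "__main__":
    fixed = override_bundled_name(BUNDLED_PACKAGE_JSON)
    print(scanner_identity(fixed))  # ('code-oss-dev', '1.98.0')
    release_check(PRODUCT_JSON, fixed)
```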
@ka-ishimoto ka-ishimoto requested a review from a team as a code owner June 5, 2026 01:59

Successfully merging this pull request may close these issues.

code version instead of code-server version stored in package.json file causing false positive Critical CVE detection
