
fix: Dockerfile to reduce vulnerabilities#138

Closed
rajapandi1234 wants to merge 4 commits into mosip:develop from rajapandi1234:develop

Conversation

@rajapandi1234

@rajapandi1234 rajapandi1234 commented Jan 2, 2025

The following vulnerabilities are fixed with an upgrade:

Summary by CodeRabbit

  • Documentation

    • Added comprehensive license and copyright documentation for included components and third-party dependencies.
  • Chores

    • Updated Node.js runtime version for deployment environments.


@coderabbitai

coderabbitai bot commented Dec 28, 2025

Walkthrough

The pull request updates the Node.js base image in the Dockerfile from node:lts-alpine3.17 to node:20.18.1-alpine3.20, and introduces three new license documentation files: Apache-2.0.txt, BSD-2-Clause.txt, and a NOTICE file consolidating copyright and third-party license attributions.

Changes

Cohort / File(s) | Summary
Docker base image update (Dockerfile) | Base image upgraded from node:lts-alpine3.17 to node:20.18.1-alpine3.20; all other instructions unchanged.
License documents (licenses/Apache-2.0.txt, licenses/BSD-2-Clause.txt, licenses/NOTICE) | Added Apache License 2.0 full text, BSD 2-Clause boilerplate, and consolidated NOTICE file with copyright notices and third-party license attributions organized by license family.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • Create THIRD-PARTY-NOTICES #173: Adds third-party notices and references license documents in the licenses directory, complementing these new license file additions.

Suggested reviewers

  • Mahesh-Binayak

Poem

🐰 ✨
Node updated, twenty's here to stay,
Licenses bundled, all debts repay,
Alpine fresh, licenses in place,
Compliance hops with elegant grace! 🍃

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title 'fix: Dockerfile to reduce vulnerabilities' accurately reflects the main change: updating the Dockerfile base image from node:lts-alpine3.17 to node:20.18.1-alpine3.20 to address upstream Node.js vulnerabilities.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

11-12: Update npm to a secure version; 10.2.3 has known security vulnerabilities.

npm 10.2.3 (released November 2023) has multiple known CVEs including CVE-2024-28863, CVE-2024-21538, CVE-2024-29415, and CVE-2023-42282 with severities ranging from low to critical. Node.js 20.18.1 ships with npm 10.8.2. Update the Dockerfile to use at least npm 10.8.2 or preferably the latest stable version.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 83de289 and f36c272.

📒 Files selected for processing (4)
  • Dockerfile
  • licenses/Apache-2.0.txt
  • licenses/BSD-2-Clause.txt
  • licenses/NOTICE
🧰 Additional context used
🪛 LanguageTool
licenses/Apache-2.0.txt

[style] ~51-~51: ‘any and all’ might be wordy. Consider a shorter alternative.
Context: ...ge, computer failure or malfunction, or any and all other commercial damages or losses), ev...

(EN_WORDINESS_PREMIUM_ANY_AND_ALL)

🔇 Additional comments (4)
licenses/BSD-2-Clause.txt (1)

1-9: LGTM!

The BSD-2-Clause license text is standard and correctly formatted for PostgreSQL. The copyright notice and license terms are appropriate.

licenses/NOTICE (2)

1-196: LGTM! Well-structured third-party attribution document.

The NOTICE file comprehensively lists third-party components organized by license family, with appropriate copyright attributions and license references.


160-166: Note: JSON License is flagged as non-OSI approved.

The file correctly identifies that the JSON License (used by org.json:json version 20180130) is not OSI-approved. Be aware that this license includes the controversial clause "The Software shall be used for Good, not Evil," which some organizations consider problematic. Consider whether this dependency should be replaced with a JSON library under a more permissive license.

If you'd like to explore alternatives, I can help identify JSON libraries with OSI-approved licenses that could replace this dependency.

licenses/Apache-2.0.txt (1)

1-73: LGTM!

This is the standard Apache License, Version 2.0 text, correctly formatted and complete. The static analysis hint about wordiness on line 51 can be safely ignored, as this is unmodifiable legal boilerplate text.

@@ -1,4 +1,4 @@
FROM node:lts-alpine3.17
FROM node:20.18.1-alpine3.20
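Review bot: the new FROM line swaps the floating `lts-alpine3.17` tag for an exact `20.18.1-alpine3.20` pin, which makes the build reproducible but also means Node and Alpine security fixes now arrive only when someone edits this line, so as the pin ages the image drifts back into the state this PR is fixing. Consider pinning by digest as well (`FROM node:20.18.1-alpine3.20@sha256:...`) so the tag cannot be silently re-pushed upstream, and put the version bump on an automated cadence (Dependabot and Renovate both track Docker base images) so the pin does not go stale between manual reviews.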


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check latest Node 20.x and Alpine versions

echo "=== Checking Node.js versions ==="
curl -s https://nodejs.org/dist/index.json | jq -r '[.[] | select(.version | startswith("v20."))] | .[0:3] | .[] | {version, lts}'

echo -e "\n=== Checking Alpine Linux latest stable version ==="
curl -s https://alpinelinux.org/downloads/ 2>/dev/null | grep -i "3.20\|3.21\|3.19" | head -5 || echo "Direct fetch failed, checking alternative source"

echo -e "\n=== Checking Node 20.18.1 release date ==="
curl -s https://nodejs.org/dist/index.json | jq -r '.[] | select(.version == "v20.18.1") | {version, date, lts}'

Repository: mosip/mosip-onboarding

Length of output: 400


🌐 Web query:

Node.js 20.18.1 security vulnerabilities CVE advisories

💡 Result:

Here are known CVE advisories that list or affect Node.js 20.18.1 (concise summary + recommendation):

  • CVE-2025-23090 — diagnostics_channel exposes internal worker instances allowing constructor access when using the experimental permission model; affects Node.js 20.18.1. Upgrade to a patched Node.js release. [1]

  • CVE-2024-22018 — permission-model flaw allowing fs.lstat to return stats for files without explicit read permission (affects Node.js 20 permission-model users). [3]

  • CVE-2024-21891 / CVE-2024-21896 (permission-model path traversal issues) — multiple permission-model bypasses via path traversal/normalization flaws that affect Node.js 20.x (including 20.18.1 in distro builds). [2][4]

  • CVE-2024-22019, CVE-2024-21892, CVE-2023-46809 — other high/medium security fixes called out in the Feb 14, 2024 Node.js security releases that apply to active 20.x line (DoS, capability/privilege issues, crypto timing side-channels). See Node.js security release notes for details. [2]

Recommended action: upgrade any Node.js 20.18.1 installations to the latest 20.x security-patched release (or a newer LTS) and follow Node.js security release notes for mitigation steps. Official Node.js advisory and release notes list the fixes and affected CVEs. [2][1][3]

Sources:

  1. CVE-2025-23090 advisory summary. [1]
  2. Node.js security releases (Feb 14, 2024) — list of CVEs/fixes affecting 20.x. [2]
  3. NVD entry for CVE-2024-22018. [3]
  4. Distribution/security trackers discussing permission-model path-traversal CVEs (CVE-2024-21891 / CVE-2024-21896). [4]

If you want, I can: (a) fetch the latest patched Node.js 20.x release number available now, or (b) produce exact upgrade commands for your OS/container — which would you prefer?


🌐 Web query:

Alpine Linux 3.20 security advisories vulnerabilities

💡 Result:

Here are notable security advisories / CVEs that affected Alpine Linux 3.20 (selected, not exhaustive):

  • CVE-2024-12797 — OpenSSL RPK/TLS server-authentication issue (patched in 3.20.x). [1][4]
  • CVE-2024-13176 — OpenSSL issue included in later 3.20 updates. [4]
  • CVE-2024-4741 — OpenSSL (listed in 3.20.1 release notes). [0]
  • CVE-2024-5535 — OpenSSL (low severity; fixed in 3.20.2). [1]
  • CVE-2024-39689 — certifi (Python cert bundle) affecting some 3.20 images/packages. [5]
  • CVE-2024-45492 — libexpat integer-overflow (reported against 3.20.2; fixed in later libexpat). [9]
  • CVE-2024-6119 — OpenSSL-related fix included in 3.20.3 updates. [7]
  • CVE-2024-9143 — OpenSSL fix (included in 3.20.4). [8]
  • CVE-2025-26519 — musl libc issue listed in a 3.20 maintenance release (Feb 13, 2025). [4]

Sources: Alpine release/security posts and issue trackers — Alpine Linux release announcements and security pages. [0][1][4][5][7][8][9]

If you want a complete, up-to-date list filtered by severity or package (or links to each Alpine security page/CVE entry), I can fetch and produce that.


🌐 Web query:

SNYK-UPSTREAM-NODE-6255385 SNYK-UPSTREAM-NODE-8379641 vulnerability fix

💡 Result:

Short answer — upgrade Node.js to a patched release.

  • SNYK-UPSTREAM-NODE-6255385 (Path traversal, CVE-2024-21891): fix by upgrading node to 20.11.1, 21.6.2 or higher. [1]
  • SNYK-UPSTREAM-NODE-8379641 (SSRF, CVE-2024-24806): fix by upgrading node to 18.19.1, 20.11.1, 21.6.2 or higher. [2]

References:
[1] Snyk — SNYK-UPSTREAM-NODE-6255385 (Path Traversal / CVE-2024-21891).
[2] Snyk — SNYK-UPSTREAM-NODE-8379641 (SSRF / CVE-2024-24806).


🌐 Web query:

SNYK-UPSTREAM-NODE-6252334 SNYK-UPSTREAM-NODE-6252328 SNYK-UPSTREAM-NODE-6615824 vulnerability

💡 Result:

Brief summary — these are three Node.js upstream vulnerabilities reported by Snyk:

  1. SNYK-UPSTREAM-NODE-6252334 — Path Traversal (CVE-2024-21896). Affects Node 20.0.0–20.11.1 and 21.0.0–21.6.2 via monkeypatching Buffer.prototype.utf8Write → path.resolve; can lead to arbitrary file access. Remediation: upgrade Node to 20.11.1, 21.6.2 or later. [1]

  2. SNYK-UPSTREAM-NODE-6252328 — Allocation of Resources Without Limits or Throttling (CVE-2024-22019). Affects certain 18.x/19.x/20.x/21.x ranges; allows DoS by reading an unbounded number of bytes from a connection. Remediation: upgrade Node to 18.19.1, 20.11.1, 21.6.2 or later. [2]

  3. SNYK-UPSTREAM-NODE-6615824 — Code injection (CVE-2024-27980). Windows-only issue in child_process.spawn/spawnSync batch-file handling allowing command injection even when shell=false. Remediation: upgrade Node to 18.20.2, 20.12.2, 21.7.3 or later. [3]

If you want, I can:

  • Check if your project uses vulnerable Node versions (tell me your package/docker base image), or
  • Show the exact Snyk / Node.js GitHub references and CVE pages.

🌐 Web query:

Node.js 20.18.1 latest available patch release January 2025

💡 Result:

The Node.js security release on January 21, 2025 updated the 20.x line to v20.18.2 (published to address vulnerabilities). v20.18.1 was the prior patch. [1][2]

Sources:
[1] Node.js: "Tuesday, January 21, 2025 Security Releases" (lists v20.18.2).
[2] npm package listing for node v20.18.1 (shows v20.18.1 as the earlier patch).


Update Node.js to 20.19.6 or at minimum 20.18.2 to address unfixed security vulnerabilities.

The listed Snyk vulnerabilities (SNYK-UPSTREAM-NODE-6255385, SNYK-UPSTREAM-NODE-8379641, SNYK-UPSTREAM-NODE-6252334, SNYK-UPSTREAM-NODE-6252328, SNYK-UPSTREAM-NODE-6615824) are resolved by Node 20.18.1. However, Node 20.18.1 is not the current patch for the 20.x line:

  • Latest stable Node 20.x is 20.19.6
  • A newer patch (20.18.2) was released on January 21, 2025
  • Node 20.18.1 itself has unfixed CVE-2025-23090 (diagnostics_channel vulnerability)

Upgrade to Node 20.19.6 for the latest security patches, or at minimum to 20.18.2.

🤖 Prompt for AI Agents
In Dockerfile at lines 1 to 1, the base image is pinned to node:20.18.1 which
contains unfixed security vulnerabilities; update the FROM line to use a patched
Node 20.x release such as node:20.19.6 (preferred) or at minimum node:20.18.2 to
resolve the listed CVEs and Snyk findings, then rebuild and test the image to
ensure compatibility with the updated Node patch level.
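A small policy check that turns the review points above (a floating `lts` tag, a Node patch release below the current 20.x floor, an npm pin older than the bundled one, no image digest) into something that can run in CI before a Dockerfile is merged. This is an added example and is not code from the PR, from CodeRabbit, or from the mosip project. It assumes a minimum Node release of 20.18.2 and a minimum npm of 10.8.2, taken from the comments above as an example policy floor; the `RUN npm install -g npm@...` line and the all-zero `sha256` digest in the sample Dockerfiles are constructed, since the page does not show those lines of the real Dockerfile.

```python
import re
from dataclasses import dataclass

# Policy floors. These are assumptions for the example, not project settings:
# the Node floor follows the 20.18.2 release named in the review comment above,
# the npm floor follows the npm remark earlier in the review.
MIN_NODE_BY_MAJOR = {20: (20, 18, 2)}
MIN_NPM = (10, 8, 2)

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+\S+)?\s*$", re.I)
SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
NPM_PIN_RE = re.compile(r"\bnpm\s+(?:install|i)\s+(?:-g|--global)\s+npm@(\d+\.\d+\.\d+)")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    code: str
    detail: str


def logical_lines(text):
    """Yield (line_no, line) with backslash continuations joined onto their first line."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def split_image_ref(image):
    """'node:20.18.1-alpine3.20@sha256:..' -> ('node', '20.18.1-alpine3.20', 'sha256:..')."""
    ref, _, digest = image.partition("@")
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag at all, or the ':' belonged to a registry port
        return ref, "", digest
    return name, tag, digest


def check_node_base_image(line_no, image):
    findings = []
    name, tag, digest = split_image_ref(image)
    if name.split("/")[-1] != "node":  # only the official node image is policed here
        return findings
    node_ver = tag.split("-", 1)[0]  # '20.18.1-alpine3.20' -> '20.18.1'
    m = SEMVER_RE.match(node_ver)
    if not m:
        findings.append(Finding(line_no, "FLOATING_TAG",
            f"tag '{tag or '<none>'}' does not pin a Node patch release, so the image "
            "changes silently between builds and its patch level cannot be reviewed"))
    else:
        ver = tuple(int(p) for p in m.groups())
        floor = MIN_NODE_BY_MAJOR.get(ver[0])
        if floor and ver < floor:
            findings.append(Finding(line_no, "NODE_BELOW_MIN",
                f"node {node_ver} is below the patched floor {'.'.join(map(str, floor))}"))
    if not DIGEST_RE.match(digest):
        findings.append(Finding(line_no, "NO_DIGEST",
            "no @sha256 digest: a tag can be re-pushed upstream, so the pin alone "
            "does not make the build reproducible"))
    return findings


def check_dockerfile(text):
    findings = []
    for line_no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            findings.extend(check_node_base_image(line_no, m.group("image")))
        elif line.upper().startswith("RUN"):
            for pin in NPM_PIN_RE.findall(line):
                if tuple(int(p) for p in pin.split(".")) < MIN_NPM:
                    findings.append(Finding(line_no, "NPM_BELOW_MIN",
                        f"npm {pin} is below the patched floor {'.'.join(map(str, MIN_NPM))}"))
    return findings


# Constructed sample Dockerfiles. BEFORE/AFTER reproduce this PR's FROM change; the npm
# RUN line is the shape the review remark implies, not the project's actual line; the
# digest in HARDENED is a placeholder of zeros, not a real image digest.
BEFORE = "FROM node:lts-alpine3.17\nWORKDIR /app\nRUN npm install -g npm@10.2.3\n"
AFTER = BEFORE.replace("node:lts-alpine3.17", "node:20.18.1-alpine3.20")
FAKE_DIGEST = "sha256:" + "0" * 64
HARDENED = f"FROM node:20.18.2-alpine3.20@{FAKE_DIGEST}\nWORKDIR /app\nRUN npm install -g npm@10.8.2\n"


def finding_codes(text):
    return sorted({f.code for f in check_dockerfile(text)})


if __name__ == "__main__":
    for label, df in (("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)):
        print(label, [(f.line_no, f.code, f.detail) for f in check_dockerfile(df)])
```

Run against the three samples, BEFORE reports the floating tag, the missing digest and the old npm; AFTER (this PR) clears the floating tag but still reports the 20.18.1 pin as below the floor, the missing digest and the old npm; HARDENED reports nothing. The floors are data, so bumping them when a new 20.x security release lands is a one-line change rather than a rewrite of the check.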

Comment on lines +193 to +194
Additional license information and project homepages are listed in the
THIRD-PARTY-NOTICES.txt file.


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if THIRD-PARTY-NOTICES.txt exists in the repository
fd -t f "THIRD-PARTY-NOTICES.txt"

Repository: mosip/mosip-onboarding

Length of output: 48


🏁 Script executed:

#!/bin/bash
# Search for files with similar names or variations
fd -t f -i "third.*party\|notice" licenses/

Repository: mosip/mosip-onboarding

Length of output: 48


🏁 Script executed:

#!/bin/bash
# List all files in licenses directory
ls -la licenses/

Repository: mosip/mosip-onboarding

Length of output: 368


🏁 Script executed:

#!/bin/bash
# Show lines 193-194 from licenses/NOTICE
sed -n '193,194p' licenses/NOTICE

Repository: mosip/mosip-onboarding

Length of output: 167


Create THIRD-PARTY-NOTICES.txt or update the reference in NOTICE.

The NOTICE file (lines 193-194) references a THIRD-PARTY-NOTICES.txt file that does not exist in the repository. Either create this file with the appropriate third-party license information, or remove/update the reference in NOTICE.

🤖 Prompt for AI Agents
licenses/NOTICE around lines 193-194: the NOTICE references a
THIRD-PARTY-NOTICES.txt that is missing; either create a new
THIRD-PARTY-NOTICES.txt at the repository root containing the third-party
dependency names, their licenses, and any required attribution statements
(matching SPDX identifiers and project homepages), then commit and ensure the
NOTICE reference path is correct, or update the NOTICE lines to remove or
correct the reference to the actual file name/location; ensure the NOTICE text
and the new/updated file are consistent and include required license
attributions.

Signed-off-by: rajapandi1234 <138785181+rajapandi1234@users.noreply.github.com>
2 participants