Grype

AnchoreInc.grype-vscode · published by AnchoreInc (verified publisher)

Verdict: MEDIUM. 2 findings detected for AnchoreInc.grype-vscode — 2 medium.

- 2 MEDIUM findings
- 8 versions scanned
- 1 source tracked
- 4.3K installs
- 0.1.1 latest version
- 2026-05-26 17:28 UTC last scanned

Findings

MEDIUM · child-process-exec: Extension spawns subprocesses via child_process
out/executable/Grype.js:85

`out/executable/Grype.js` imports child_process and calls exec / spawn / execFile / fork. Subprocess execution lets the extension pivot from the VSCode host into the user's shell.

```javascript
const execOption = {
    env: {
        /* eslint-disable @typescript-eslint/naming-convention */
        GRYPE_DB_CACHE_DIR: this.dbPath,
        GRYPE_DB_AUTO_UPDATE: "0",
        GRYPE_CHECK_FOR_APP_UPDATE: "0",
        GRYPE_LOG_STRUCTURED: "TRUE",
        PATH: process.env["PATH"],
    },
};
const child = child_process_1.spawn(cmd, args, execOption); // flagged line (Grype.js:85)
return new Promise((resolve, reject) => {
    var _a, _b;
    let stdout = "";
    let stderr = "";
    (_a = child.stdout) === null || _a === void 0 ? void 0 : _a.on("data", (data) => (stdout += data.toString()));
    (_b = child.stderr) === null || _b === void 0 ? void 0 : _b.on("data", (data) => (stderr += data.toString()));
    child.on("exit", (code) => {
        if (code && code !== 0) {
            const lastLine = (message) => {
                const lines = message.split("\n");
```
Affected versions (marketplace): 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.1.0, 0.1.1

MEDIUM · wildcard-activation: Extension activates on every VSCode launch
package.json

`package.json` declares `activationEvents: ['*']`, so the extension runs on every VSCode launch. Combined with any CRITICAL finding this widens the attack window from on-demand to always-on.

`activationEvents: ['*']`

Affected versions (marketplace): 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.1.0, 0.1.1
