Skip to content

feat(nodejs): detect Node.js runtime version from header#10951

Open
jetersen wants to merge 1 commit into
aquasecurity:mainfrom
jetersen:feat/nodejs-runtime-version
Open

feat(nodejs): detect Node.js runtime version from header#10951
jetersen wants to merge 1 commit into
aquasecurity:mainfrom
jetersen:feat/nodejs-runtime-version

Conversation

@jetersen

@jetersen jetersen commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Feature discussion

Description

Detect the installed Node.js runtime version from the standard include/node/node_version.h header. The analyzer reads NODE_MAJOR_VERSION, NODE_MINOR_VERSION, and NODE_PATCH_VERSION, then emits node@<version> alongside other Node.js packages.

This covers manually installed runtimes such as the official Node.js container image, where no apk, dpkg, or rpm package metadata identifies the runtime.

Runtime CVE advisories are added by the companion trivy-db PR:

Both changes are required for runtime CVE reporting: this PR supplies the installed version; trivy-db supplies vulnerable and patched version ranges.

Verification

Official node:latest:

NODE_VERSION=26.5.0
/usr/local/include/node/node_version.h
node component: 26.5.0 pkg:npm/node@26.5.0

Testing

  • GOEXPERIMENT=jsonv2 go test ./pkg/fanal/analyzer/language/nodejs/pkg
  • End-to-end CycloneDX scan of node:latest
  • git diff --check

Notes

Image NODE_VERSION environment-variable fallback is intentionally not included; the standard installed header is used as the authoritative source.

Maintainer decision requested

The companion trivy-db importer has intentionally skipped Node.js core advisories since 2019. trivy-db PR #683 is therefore a deliberate behavior change, not merely wiring previously unused data. Pending confirmation that runtime CVE reporting—and use of package node in the npm ecosystem—is the desired model.

@jetersen
jetersen marked this pull request as ready for review July 11, 2026 14:18
@jetersen

Copy link
Copy Markdown
Contributor Author

This has useful to have access after a trivy scan besides for vulns but the ability to tell which image is using what nodejs version is a good diagnostic tool.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant