code version instead of code-server version stored in package.json file causing false positive Critical CVE detection #7071

Open
2 tasks done
mirekphd opened this issue Nov 8, 2024 · 3 comments
Labels: bug (Something isn't working), triage (This issue needs to be triaged by a maintainer)

Comments

mirekphd commented Nov 8, 2024

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

Local, remote OS: Ubuntu 22.04
Remote Architecture: amd64

$ code-server --version
4.95.1 344df3875fee5979b5fda0c6bf00778d0ef1be48 with Code 1.95.1

Steps to Reproduce

  1. Having installed the latest code-server, check its version using two methods:

a) the --version switch:

$ code-server --version
4.95.1 344df3875fee5979b5fda0c6bf00778d0ef1be48 with Code 1.95.1

versus:

b) the version stored in package.json:

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "1.95.1",
  "private": true,
  "dependencies": {
    "@microsoft/1ds-core-js": "^3.2.13",
    "@microsoft/1ds-post-js": "^3.2.13",
    "@parcel/watcher": "2.1.0",
    "@vscode/deviceid": "^0.1.1",
    "@vscode/iconv-lite-umd": "0.7.0",
    "@vscode/proxy-agent": "^0.22.0",
    "@vscode/ripgrep": "^1.15.9",
    "@vscode/spdlog": "^0.15.0",
    "@vscode/tree-sitter-wasm": "^0.0.4",
    "@vscode/vscode-languagedetection": "1.0.21",
    "@vscode/windows-process-tree": "^0.6.0",
    "@vscode/windows-registry": "^1.1.0",
    "@xterm/addon-clipboard": "^0.2.0-beta.48",
    "@xterm/addon-image": "^0.9.0-beta.65",
    "@xterm/addon-search": "^0.16.0-beta.65",
    "@xterm/addon-serialize": "^0.14.0-beta.65",
    "@xterm/addon-unicode11": "^0.9.0-beta.65",
    "@xterm/addon-webgl": "^0.19.0-beta.65",
    "@xterm/headless": "^5.6.0-beta.65",
    "@xterm/xterm": "^5.6.0-beta.65",
    "cookie": "^0.7.0",
    "http-proxy-agent": "^7.0.0",
    "https-proxy-agent": "^7.0.2",
    "jschardet": "3.1.4",
    "kerberos": "2.1.1",
    "minimist": "^1.2.6",
    "native-watchdog": "^1.4.1",
    "node-pty": "^1.1.0-beta22",
    "tas-client-umd": "0.2.0",
    "vscode-oniguruma": "1.7.0",
    "vscode-regexpp": "^3.1.0",
    "vscode-textmate": "9.1.0",
    "yauzl": "^3.0.0",
    "yazl": "^2.4.3"
  },
  "overrides": {
    "node-gyp-build": "4.8.1",
    "kerberos@2.1.1": {
      "node-addon-api": "7.1.0"
    },
    "@parcel/watcher@2.1.0": {
      "node-addon-api": "7.1.0"
    }
  },
  "type": "module"
}
  2. Run a vulnerability scanner such as Anchore Grype and see this false positive:
Package                              Version_Installed         Vulnerability_ID     .Severity  Locations_RealPath
 code-server                          1.95.1                    GHSA-frjg-g767-7363  Critical   /usr/lib/code-server/lib/vscode/package.json

Expected

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "4.95.1",
[..]

Actual

$ cat /usr/lib/code-server/lib/vscode/package.json
{
  "name": "code-server",
  "version": "1.95.1",
[..]

Logs

No response

Screenshot/Video

No response

Does this bug reproduce in native VS Code?

This cannot be tested in native VS Code

Does this bug reproduce in GitHub Codespaces?

Yes, this is also broken in GitHub Codespaces

Are you accessing code-server over a secure context?

  • I am using a secure context.

Notes

No response

mirekphd added the bug and triage labels on Nov 8, 2024
@code-asher
Member

Hmm this is maybe tricky. The version number is accurate because it is meant to be the version of VS Code, which is 1.95.1.

But maybe we should change the name to code-oss or something like that.

@mirekphd
Author

mirekphd commented Nov 9, 2024

> But maybe we should change the name to code-oss or something like that.

There are two app names and two versions here, so the full info would be two key:value pairs... or at least a matching pair :) Now we have a key from one pair and a value from another...

@code-asher
Member

code-asher commented Nov 12, 2024

We have two package.json files, one in the root and one in lib/vscode. The root one is code-server and the lib/vscode one is code-oss, which I think makes sense because architecturally they are implemented as separate applications and are separate codebases.
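
A triage check for the mismatch discussed in this thread, as an added example that is not part of the issue or of code-server's own code: it parses the `code-server --version` line and labels each package.json by the component its version actually belongs to. The inputs are constructed from the values in the issue; the root manifest's contents and all function names are assumptions.

```python
import json
import re

# Constructed inputs. The --version line and the lib/vscode manifest use the
# values shown in the issue; the root manifest's version is an assumption.
VERSION_LINE = "4.95.1 344df3875fee5979b5fda0c6bf00778d0ef1be48 with Code 1.95.1"
MANIFESTS = {
    "/usr/lib/code-server/package.json":
        '{"name": "code-server", "version": "4.95.1"}',
    "/usr/lib/code-server/lib/vscode/package.json":
        '{"name": "code-server", "version": "1.95.1"}',
}
FINDING = {"package": "code-server", "version": "1.95.1",
           "id": "GHSA-frjg-g767-7363",
           "path": "/usr/lib/code-server/lib/vscode/package.json"}


def parse_version_line(line):
    """Split '<code-server> <commit> with Code <vscode>' into its parts."""
    m = re.fullmatch(
        r"(\d+\.\d+\.\d+) ([0-9a-f]{7,40}) with Code (\d+\.\d+\.\d+)",
        line.strip())
    if not m:
        raise ValueError(f"unrecognised --version output: {line!r}")
    return {"code_server": m.group(1), "commit": m.group(2), "code": m.group(3)}


def classify_manifest(text, versions, product="code-server"):
    """Say which component a manifest's (name, version) pair describes."""
    meta = json.loads(text)
    name, version = meta.get("name"), meta.get("version")
    if name != product:
        return "other-package"
    if version == versions["code_server"]:
        return "matches-release"
    if version == versions["code"]:
        # Name comes from one component, version from the other.
        return "bundled-code-version"
    return "unknown-version"


def triage(finding, manifests, versions):
    """Annotate a scanner finding with the classification of its manifest."""
    text = manifests.get(finding["path"])
    if text is None:
        return "manifest-missing"
    verdict = classify_manifest(text, versions, finding["package"])
    if verdict == "bundled-code-version" and finding["version"] == versions["code"]:
        return "review: version is the bundled Code release, not code-server"
    return verdict
```

The result marks a finding for analyst review rather than suppressing it, since the advisory still has to be checked against the real code-server release number.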
