Feature: Vulnerabilities: Add responsible direct dependencies and link to report #3664
Comments
I was playing around with adding file locations to the vuln check the other day. There's still work to do, but it currently looks something like this:
See #3161
The package file would also be very helpful. We've a lot of test fixtures on the renovatebot repo and it's pretty hard to find the file of the vulnerable package. The current report is useless for it. 😞
Don't have the time to work on this right this second, but I've pushed my WIP to a branch https://github.com/spencerschrock/scorecard/tree/vuln-line-info-rebased. Here's what I'm seeing:

```
$ go run main.go --repo renovatebot/renovate --checks Vulnerabilities --format json --show-details | jq
{
  "date": "2024-01-17T09:55:35-08:00",
  "repo": {
    "name": "github.com/renovatebot/renovate",
    "commit": "9bf06584aa9b2398a8a7914150fdf711e2a6f3b4"
  },
  "scorecard": {
    "version": "",
    "commit": "unknown"
  },
  "score": 9.0,
  "checks": [
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j: /lib/modules/manager/npm/post-update/__fixtures__/update-lockfile-massage-1/package-lock.json: (postcss)"
      ],
      "score": 9,
      "reason": "1 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
```
Thanks, we're now deleting the test fixtures before running the scorecard action. This should solve the false positives for us. But the other information would be useful anyways.
I don't think this will actually fix the false positive, sorry. We grab the tarball from GitHub, not the local checkout. Allowing maintainers to mark test data directories is something we're working on this quarter.
This issue has been marked stale because it has been open for 60 days with no activity.
Not stale 😞
This issue has been marked stale because it has been open for 60 days with no activity. |
Is your feature request related to a problem? Please describe.
The details of the Vulnerabilities check currently simply display the OSV/CVE/GHSA IDs of vulnerabilities found in the project or its (direct and transitive) dependencies. Users must then search online to know what each vulnerability is about and find the package that contains it. If it's a transitive dependency, they must then (somehow) identify which of their direct dependencies are responsible.
Describe the solution you'd like
The output should describe which dependency has the vulnerability. If it's a transitive dependency, it should instead (or also) display the direct dependencies that brought it into this project.
It'd also be great to include direct links to the vulnerability reports themselves.
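The lookup this request asks for, mapping a vulnerable transitive package back to the direct dependencies that pulled it in, as an added example in Go (not Scorecard's code and not from this thread). It walks a constructed package-lock.json (lockfile v2/v3 "packages" map) and, as a stated simplification, assumes every package is hoisted to the top-level node_modules.

```go
package main

import (
	"encoding/json"
	"sort"
)

// Lockfile mirrors the part of package-lock.json (v2/v3) used here: the "packages" map
// keyed by install path, "" being the root; encoding/json matches names case-insensitively.
type Lockfile struct {
	Packages map[string]struct{ Dependencies map[string]string }
}

// sampleLock is constructed: postcss is pulled in directly by a and via b -> c; d is clean.
const sampleLock = `{"lockfileVersion":3,"packages":{
"":{"dependencies":{"a":"^1","b":"^2","d":"^1"}},
"node_modules/a":{"dependencies":{"postcss":"^8"}},
"node_modules/b":{"dependencies":{"c":"^1"}},
"node_modules/c":{"dependencies":{"postcss":"^8"}},
"node_modules/d":{},"node_modules/postcss":{}}}`

// ResponsibleDirectDeps returns, sorted, the direct dependencies whose dependency graph
// contains vuln: the packages a maintainer would actually have to update or replace.
// Simplification (not npm's real lookup): every package is assumed hoisted to the
// top-level node_modules, so nested copies (node_modules/x/node_modules/y) are ignored.
func ResponsibleDirectDeps(lock []byte, vuln string) ([]string, error) {
	var lf Lockfile
	if err := json.Unmarshal(lock, &lf); err != nil {
		return nil, err
	}
	// reaches reports whether the package installed at path depends, transitively, on vuln.
	var reaches func(path string, seen map[string]bool) bool
	reaches = func(path string, seen map[string]bool) bool {
		seen[path] = true // guards against dependency cycles
		for dep := range lf.Packages[path].Dependencies {
			if next := "node_modules/" + dep; dep == vuln || !seen[next] && reaches(next, seen) {
				return true
			}
		}
		return false
	}
	var out []string
	for dep := range lf.Packages[""].Dependencies {
		if dep == vuln || reaches("node_modules/"+dep, map[string]bool{}) {
			out = append(out, dep)
		}
	}
	sort.Strings(out)
	return out, nil
}
```

For the sample lockfile, `ResponsibleDirectDeps([]byte(sampleLock), "postcss")` yields `[a b]`, which is the attribution a check detail could print next to the GHSA ID.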