DataDog / guarddog

:snake: :mag: GuardDog is a CLI tool to Identify malicious PyPI and npm packages
https://securitylabs.datadoghq.com/articles/guarddog-identify-malicious-pypi-packages/
Apache License 2.0
611 stars, 44 forks

Guarddog is scanning all dependency versions #362

Closed nicogomezpomelo closed 4 months ago

nicogomezpomelo commented 5 months ago

We observed that the application takes a package.json and analyzes all the versions from the pinned one. This error occurs with the verify option. Example command: `gg npm verify --exit-non-zero-on-finding package.json`

Here is an extract of the package.json used: [image: package.json extract]

The following image shows how the app starts to scan multiple versions of apollo/subgraph: [image: scan output listing multiple versions]

We also tried to remove all the ^ symbols to fix one particular version and force the app to scan that version, but we couldn't hit the nail. For now, our fix is to iterate over all the dependencies and use the scan flag.

Searching in the code, we detected this behavior is referenced here:

Is this an issue or are we doing something wrong? Thanks
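The workaround the reporter describes (iterate over the dependencies and scan one pinned version each), as an added example that is not part of the issue or of GuardDog's own code. It assumes `guarddog npm scan <package> --version <version>` is the per-package invocation (check `guarddog npm scan --help` on your install), and the package.json and package-lock.json contents are constructed samples.

```python
"""Resolve each package.json dependency to a single pinned version and build
one `guarddog npm scan` invocation per package, instead of letting `verify`
walk every version that satisfies a caret/tilde range."""
import json
import re
from typing import Dict, List, Optional

# Constructed sample inputs (not from the reporter's project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@apollo/subgraph": "^2.4.0",
        "express": "~4.18.2",
        "lodash": "4.17.21",
        "chalk": ">=5.0.0 <6",
    },
    "devDependencies": {"jest": "^29.5.0"},
})
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {"node_modules/express": {"version": "4.18.3"}},
})

# Optional range operator, then the numeric lower bound (1 to 3 components).
_LOWER_BOUND = re.compile(r"^\s*(?:\^|~|>=|=)?\s*(\d+(?:\.\d+){0,2})")


def pin_version(spec: str) -> Optional[str]:
    """Lowest version a ^, ~, >= or exact spec admits, padded to x.y.z.
    Specs with no concrete lower bound ('*', 'latest', git URLs) yield None
    so the caller can flag them instead of guessing a version."""
    m = _LOWER_BOUND.match(spec)
    if not m:
        return None
    parts = m.group(1).split(".")
    return ".".join(parts + ["0"] * (3 - len(parts)))


def pinned_dependencies(package_json_text: str,
                        lockfile_text: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Map each dependency to one version; the exact version recorded in
    package-lock.json (lockfileVersion 2/3 layout) wins over the range."""
    data = json.loads(package_json_text)
    lock = json.loads(lockfile_text).get("packages", {}) if lockfile_text else {}
    deps: Dict[str, Optional[str]] = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            locked = lock.get(f"node_modules/{name}", {}).get("version")
            deps[name] = locked or pin_version(spec)
    return deps


def scan_commands(deps: Dict[str, Optional[str]]) -> List[List[str]]:
    """One argv per pinned dependency; unresolvable specs are skipped (assumed CLI shape)."""
    return [["guarddog", "npm", "scan", name, "--version", ver]
            for name, ver in sorted(deps.items()) if ver is not None]
```

Feed the argv lists to `subprocess.run` to execute them, and report any dependency whose version came back as None so it is reviewed by hand rather than silently skipped.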

sobregosodd commented 5 months ago

Hello @nicogomezpomelo, thanks for the suggestion. We agree that guarddog should be honouring the pinned package dependencies and also that the all-possible-versions scanning might be undesired in some cases. We'll discuss this internally and circle back here.