Open kipz opened 3 years ago
@kipz Thanks for the detailed report. It looks like a bug for sure. Let me try to reproduce on a fresh instance
I've looked into it and this is because currently our npm importer fetches the data from https://github.com/nodejs/security-wg which doesn't contain the required advisory. The said repository is not handling ecosystem vulnerabilities. There appears to be an ongoing discussion regarding this.
In short, the advisory data from nodejs is different from that of npm. Ironically, we had https://github.com/nexB/vulnerablecode/issues/101 for collecting npm advisories which was closed in favor of the nodejs advisories.
We could either:
Further, there might be a problem with debian importer as the reported purl mentions pkg:deb/debian/node-ws@1.1.0
which should be unrelated to the affected versions mentioned in the github advisory. This could be a result of https://github.com/nexB/vulnerablecode/issues/140
@Hritik14 I get the feeling that nodejs-wg is abandoned last updated -> 3 months ago. Let's keep it as it is for awhile, meanwhile your (1) approach makes sense.
The won't be much work since the schemas both sources are indentical. See https://github.com/nexB/vulnerablecode/pull/228
I guess that there may be some slow down per https://github.com/nodejs/security-wg/issues/662 and we likely want to use both sources of https://registry.npmjs.org/-/npm/v1/security/advisories and https://github.com/nodejs/security-wg rather than just one in this case.
Actually the problem may be deeper than this: https://nodejs.medium.com/node-js-ecosystem-vulnerability-reporting-program-winding-down-591d9a8cd2c7 ... this is basically close sourcing this source of npm issues at Snyk from the face of it. So IMHO:
We're running a vulnerablecode instance here https://vulnerablecode.atomist.com/, and have been doing some spot-checks on the data, and often see confusing results.
Take for example: https://nvd.nist.gov/vuln/detail/CVE-2021-32640
This was reported by Github, and is present on npmjs.org too.
However, a search for this on our vulnerablecode instance (on which we've run all the importers), doesn't show the npmjs package, just the debian ones (no purl with name
ws
, justnode-ws
)https://vulnerablecode.atomist.com/vulnerabilities/20110
I'm curious about whether this is expected or are there bugs somewhere in the importers? Perhaps one importer is overwriting data from another? Or perhaps the npm importer isn't storing any data?
FWIW: running
npm audit
on a project with an old version ofws
does suggest an upgrade, and this uses the same APIs as the npm importer AFAIK.Any insights would be much appreciated.