clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0

[GithubAdvisory] Fix Matching-cve for allowlist config #59

Closed markomafs closed 7 months ago

markomafs commented 8 months ago

Context

Github Advisory was not working because it skipped every CVE that was not present in the allowlist resource. We also found out, during debugging, that the bypass-CVE feature wasn't working.

Why?

We were using the wrong data struct to evaluate whether the CVE should be bypassed or not. Also, we were using DateTime in the logical validation, but Date (time/today) in the entrypoint calls.

Approach
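As an added illustration (not the PR's patch and not clj-watson's own code), a Clojure sketch of an allowlist check that avoids both problems described above: the lookup is keyed by CVE label in a map rather than scanned against the wrong structure, and the expiry is compared as a LocalDate on both sides so the validation and the entrypoint agree on the type. The config shape, namespace and function names are assumptions.

```clojure
;; Added illustration, not clj-watson's code. Assumed config shape:
;; {:allow-list {:cves [{:cve-label "CVE-2024-0001" :expires "2024-12-31"}]}}
(ns example.allowlist
  (:import (java.time LocalDate)))

(defn allowlisted-cves
  "Index allowlist entries by CVE label so the lookup is by id,
   not a positional scan of the raw vector."
  [config]
  (into {} (map (juxt :cve-label :expires))
        (get-in config [:allow-list :cves])))

(defn bypass?
  "True only when the CVE is in the allowlist AND its expiry has not passed.
   Both sides are LocalDate (date-only), so there is no DateTime/Date mismatch."
  [allowlist cve-label ^LocalDate today]
  (when-let [expires (get allowlist cve-label)]
    (not (.isBefore (LocalDate/parse expires) today))))

(defn filter-findings
  "Drop only the allowlisted, unexpired CVEs; every other finding is kept,
   so a CVE missing from the allowlist is never skipped."
  [config findings ^LocalDate today]
  (let [allowlist (allowlisted-cves config)]
    (remove #(bypass? allowlist (:cve-label %) today) findings)))

(comment
  ;; Constructed sample: one unexpired entry, one expired entry.
  (def config {:allow-list {:cves [{:cve-label "CVE-2024-0001" :expires "2099-01-01"}
                                   {:cve-label "CVE-2024-0002" :expires "2020-01-01"}]}})
  ;; Only CVE-2024-0001 is bypassed; the expired and the unlisted ones remain.
  (filter-findings config
                   [{:cve-label "CVE-2024-0001"}
                    {:cve-label "CVE-2024-0002"}
                    {:cve-label "CVE-2024-0003"}]
                   (LocalDate/now)))
```

Passing `(LocalDate/now)` at the entrypoint and comparing against a parsed `LocalDate` inside `bypass?` keeps a single date type end to end, which is the mismatch the PR description points at.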