google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.28k stars, 363 forks

fix(guided remediation): handle extraneous/missing packages in package-lock.json more leniently #1394

Closed michaelkedar closed 1 week ago

michaelkedar commented 2 weeks ago

Changes two things for package-lock.json parsing:

  1. Made it so packages installed in unknown locations (e.g. under a non-existent package) are ignored (following npm's behaviour), instead of triggering a panic.
  2. Made missing dependencies in the lockfile not cause an error. npm would typically raise an error here, unless the missing dependency is under a workspace's dependency graph. I think it's ok if we're more lenient than npm here.
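
The two behaviours the description above asks for, as an added illustration that is not osv-scanner's own code: a small Go resolver over a constructed lockfileVersion 2/3 `packages` map that skips entries whose parent package has no lockfile entry (as npm does) and records dependencies it cannot resolve instead of failing. The sample lockfile and the names `Resolve`, `lookup`, `parent` and `reachable` are assumptions, not identifiers from the repository.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed lockfile ("packages" map, lockfileVersion 2/3; not from osv-scanner): the entry
// under "ghost" has no parent entry (unknown location) and "a" depends on an absent "missing".
const sampleLock = `{"lockfileVersion": 3, "packages": {
  "": {"dependencies": {"a": "^1.0.0"}},
  "node_modules/a": {"version": "1.0.0", "dependencies": {"b": "^2.0.0", "missing": "^1.0.0"}},
  "node_modules/b": {"version": "2.0.0"}, "node_modules/ghost/node_modules/b": {"version": "2.1.0"}}}`
type lockPkg struct{ Dependencies map[string]string } // encoding/json matches "dependencies"
func parent(key string) string { // key of the package owning key's node_modules dir ("" = root)
	return strings.TrimSuffix(key[:strings.LastIndex(key, "/node_modules/")+1], "/")
}
func reachable(pkgs map[string]*lockPkg, key string) bool { // key and all ancestors have entries
	return key == "" || pkgs[key] != nil && reachable(pkgs, parent(key))
}
// lookup mimics Node's resolution: try <dir>/node_modules/<dep>, then the parent dir, up to root.
func lookup(pkgs map[string]*lockPkg, dir, dep string) (string, bool) {
	cand := strings.TrimPrefix(dir+"/node_modules/"+dep, "/")
	if pkgs[cand] != nil || dir == "" {
		return cand, pkgs[cand] != nil
	}
	return lookup(pkgs, parent(dir), dep)
}
// Resolve maps usable package keys to resolved dependency keys; entries in unknown locations are
// ignored (as npm does) and unresolvable dependencies are collected in missing, not treated as fatal.
func Resolve(data []byte) (edges map[string]map[string]string, missing map[string][]string, err error) {
	var lock struct{ Packages map[string]*lockPkg }
	if err = json.Unmarshal(data, &lock); err != nil {
		return nil, nil, err
	}
	edges, missing = map[string]map[string]string{}, map[string][]string{}
	for key, pkg := range lock.Packages {
		if pkg == nil || !reachable(lock.Packages, key) {
			continue
		}
		edges[key] = map[string]string{}
		for dep := range pkg.Dependencies {
			if target, ok := lookup(lock.Packages, key, dep); ok {
				edges[key][dep] = target
			} else {
				missing[key] = append(missing[key], dep)
			}
		}
	}
	return edges, missing, nil
}
```

Running `Resolve([]byte(sampleLock))` yields three usable packages (the root, `a` and `b`), resolves `a`'s `b` to `node_modules/b`, drops the entry under `ghost`, and reports `missing` for `a` rather than returning an error.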
codecov-commenter commented 2 weeks ago

Codecov Report

Attention: Patch coverage is 70.42254% with 21 lines in your changes missing coverage. Please review.

Project coverage is 68.88%. Comparing base (9a303ec) to head (3344c6f). Report is 5 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/resolution/lockfile/npm_v2.go | 66.66% | 7 Missing and 3 partials :warning: |
| internal/resolution/lockfile/npm_v1.go | 70.00% | 7 Missing and 2 partials :warning: |
| internal/resolution/lockfile/npm.go | 81.81% | 1 Missing and 1 partial :warning: |

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main    #1394      +/-   ##
==========================================
- Coverage   69.02%   68.88%   -0.14%     
==========================================
  Files         185      185              
  Lines       17869    17950      +81     
==========================================
+ Hits        12334    12365      +31     
- Misses       4876     4916      +40     
- Partials      659      669      +10     
```
