Closed guillermaster closed 2 years ago
hey @guillermaster! 👋🏻 Otsukaresamedesu! 😮 thanks for sharing this! I wasn't aware of it. Let me look into it ...
Any updates on this? :)
Hi @ocean89, sorry that I didn't post an update on this issue. The last time I checked, this would require a major rework in processing the security report and might need to handle existing numeric values for backward compatibility. At the moment I don't have much capacity to work on it and would appreciate it if anyone can help with this
I did put in a PR for a first crack at implementing this. I'm sure it could use some polishing but may be a good starting point.
This change is essentially required for this package to continue to be useful and I think it should be prioritized. The IDs provided by npm audit
have been changing rapidly over the past few days; in some cases I've seen a vulnerability have three or four different IDs
I agree to prioritize this, perhaps there is no feasible solution to support the v7 report now (due to lack of info provided in the audit report), but let's focus on v6 support first 👍🏻
hey all, I've published the beta
version (or v3.7.0) for supporting CVE, CWE, GHSA, and URL IDs. Please try it out and let me know if there is an issue, otherwise, I will republish it under the latest tag next week.
Thank you all again for this amazing support 👍🏻
Thank you @jeemok for the update and this great project!
Thank you @jeemok for addressing this so promptly. Your comment says that CVEs are supported, but I haven't found this to be the case. Is CVE support only available for npm v6?
I can confirm that v3.7.0 does allow me to add exceptions using GHSAs on npm v8.1.0
you're right @ZedLove, I will update the README to describe more in detail what is supported; in summary:
you can refer to these two functions that handle v6 and v7+ advisory for what it checks:
@jeemok I've noticed that, despite ignoring the advisories based on GHSA IDs, I am still seeing the notice about the IDs not matching any found vulns
e.g.
🤝 All good!
8 of the excluded vulnerabilities did not match any of the found vulnerabilities:
hey @ZedLove, I've updated the unused exception handler and published it under v3.7.1
. Please have a try and let me know if there is an issue :)
the version v3.7.1
is published under the latest
tag, I'll mark this issue closed. Thank you all for your contribution to this!
Hi @jeemok
Now that the NPM vulnerabilities advisory have been migrated to GitHub, the vulnerabilities identifier has changed. Vulnerabilities are now identified by a CVE ID that is an alphanumeric code, as you can see in this example Prototype Pollution in set-value.
I'm opening this issue so we can use the CVE ID in the list of ignored vulnerabilities instead of the long numeric value that is being used at the moment (i.e., 1002401) and that it's not identifiable when opening the advisory report on GitHub.
By the way, the recent updates on the package look great! Otsukaresama!