Closed schdief closed 1 year ago
Sounds to me more like NPM is unstable in its advisories (as you mention that even the advisory link doesn't work anymore). If so... there's nothing we can do on it. Essentially DependencyCheck just reports what the npm audit advisory reports.
I'm also seeing some weirdness that would be explained by this issue. Edit: also reported against the npm cli: https://github.com/npm/cli/issues/4550
As for "there's nothing we can do" - npm audit does give the GitHub advisory id and the associated CVEs, so suppressions could potentially be based off that? Given that npm is now owned by GitHub and the advisory databases have been merged, I'd assume that every npm advisory has exactly one GitHub advisory associated with it (though I have to say I'd prefer to suppress based on CVE rather than GitHub advisory id if at all possible).
@aikebah I agree that the problem originates at NPM Audit, but you could provide another way to suppress its vulnerabilities, like @tstibbs suggested - instead of basing it on the advisory id you could use the CVE; if this is not feasible I would be ok with suppressing the whole package.
option 1 - use CVE:

```xml
<suppress>
  <notes><![CDATA[
  file name: handlebars:4.7.6
  ]]></notes>
  <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
  <vulnerabilityName>CVE-2021-23383</vulnerabilityName>
</suppress>
```
option 2 - use package:

```xml
<suppress>
  <notes><![CDATA[
  file name: handlebars:4.7.6
  ]]></notes>
  <packageUrl regex="true">^pkg:npm/handlebars@.*$</packageUrl>
</suppress>
```
Is this resolved by PR #5546?
@A-Fitz-Nelnet yes, that should resolve it indeed. Sounds like I somehow overlooked it in tagging the various related issues.
Describe the bug
We have multiple suppressions for vulnerabilities raised by NPM Audit Analyzer. From time to time the same vulnerabilities show up again as new ones, so we suppress them again. Later they come back again.
So I have checked the suppression rules (generated from the HTML report) and noticed that they all have different vulnerability names although it is the same vulnerability. When I try to access information about the vulnerability with the provided link and the vulnerability name, all the old suppressions land nowhere (404), e.g.: https://www.npmjs.com/advisories/1005325
It seems to me that the vulnerability name changes over time, although the vulnerability is the same.
This is a screenshot of the HTML report:
This is the list of suppressions for one of the vulnerabilities:
Version of dependency-check used
Docker Image with CLI dependency-check version: 7.0.0 sha256:d465e5210743ceb82da30465db7af926912798c4a45a972c0f884eff5d783007
Expected behavior
Vulnerability names shouldn't change over time, so a suppression will work forever.