kunalnagarco / action-cve

A GitHub action that sends Dependabot Vulnerability Alerts to multiple sources.
https://github.com/marketplace/actions/check-cve
MIT License

Incorrect number of vulnerabilities sent #137

Closed thenaturalist closed 7 months ago

thenaturalist commented 12 months ago

Hi there, for a vanilla config of the action posting to slack, the action correctly sends the alert.

However, it's an incorrect (as in, too low) number.

It's noteworthy that

a) the number sent matches the relatively younger issues.
b) much older issues are missing, and changing the count has no effect on the number reported.

Is there a hardcoded lookback window in the action?

kunalnagar commented 8 months ago

@thenaturalist - for Slack, there's a max count of 30 vulns that are sent. This is because Slack truncates messages after 40,000 characters.

So, even though you may have more than 30 vulns in your repo, only 30 will be included in the message. However, the action does include a blurb about this as a warning.

Hope this helps!
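The cap described above, worked through as an added example; this is not action-cve's own code, and the alert shape, the Slack text layout and the field names (`packageName`, `severity`, `summary`, `advisoryUrl`, `createdAt`) are assumptions, not the action's API. It keeps the 30-alert limit the maintainer describes, appends the warning blurb whenever alerts are dropped, and additionally checks the assembled text against the 40,000-character Slack limit, since a fixed count does not by itself guarantee the message fits when advisory summaries are long.

```typescript
// Added example, not action-cve's own code. The Alert shape is a simplified
// stand-in for what a Dependabot alert query returns (assumed field names).
interface Alert {
  packageName: string;
  severity: string;
  summary: string;
  advisoryUrl: string;
  createdAt: string; // ISO 8601 timestamp
}

interface SlackMessage {
  text: string;      // message body to post
  included: number;  // alerts actually listed
  omitted: number;   // alerts dropped by the caps
}

const SLACK_MAX_ALERTS = 30;   // per-message alert cap described by the maintainer
const SLACK_MAX_CHARS = 40000; // Slack truncates message text beyond this
const FOOTER_RESERVE = 160;    // room kept back for the warning line

function formatAlert(a: Alert): string {
  return `- [${a.severity}] ${a.packageName}: ${a.summary} (${a.advisoryUrl})`;
}

// Newest alerts first, so when the cap bites it is the oldest alerts that are
// dropped, which is the pattern the issue reporter observed.
function buildSlackMessage(
  alerts: Alert[],
  maxAlerts: number = SLACK_MAX_ALERTS,
  maxChars: number = SLACK_MAX_CHARS
): SlackMessage {
  const sorted = [...alerts].sort((x, y) => y.createdAt.localeCompare(x.createdAt));
  const lines: string[] = [`${alerts.length} Dependabot vulnerability alert(s) found`];
  let included = 0;

  for (const a of sorted.slice(0, maxAlerts)) {
    const line = formatAlert(a);
    // Character budget check: stop early if adding this line (plus the footer)
    // would push the message past Slack's limit, even though count < maxAlerts.
    const projected = lines.join("\n").length + 1 + line.length + FOOTER_RESERVE;
    if (projected > maxChars) break;
    lines.push(line);
    included++;
  }

  const omitted = alerts.length - included;
  if (omitted > 0) {
    lines.push(
      `WARNING: showing ${included} of ${alerts.length} alerts; ${omitted} omitted ` +
        `because of the Slack message size limit. See the repository Security tab for the full list.`
    );
  }
  return { text: lines.join("\n"), included, omitted };
}

// Constructed sample input: n alerts created one day apart, oldest first.
function sampleAlerts(n: number, summaryLen: number = 40): Alert[] {
  const out: Alert[] = [];
  for (let i = 0; i < n; i++) {
    out.push({
      packageName: `pkg-${i}`,
      severity: i % 3 === 0 ? "HIGH" : "MODERATE",
      summary: "x".repeat(summaryLen),
      advisoryUrl: `https://example.invalid/advisory/${i}`, // placeholder URL
      createdAt: new Date(Date.UTC(2023, 0, 1) + i * 86400000).toISOString(),
    });
  }
  return out;
}

// Stand-alone run: 35 alerts, so 5 of the oldest are dropped and the warning is appended.
const demo = buildSlackMessage(sampleAlerts(35));
console.log(demo.text);
```

With 35 short alerts the count cap is what limits the message (30 listed, 5 omitted); with long summaries the character budget stops the loop earlier, which is the case a fixed count alone does not cover.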