Open pnacht opened 11 months ago
I was playing around with adding file locations to the vuln check the other day. There's still work to do, but it currently looks something like this:
"details": [
"Warn: Project is vulnerable to: GO-2022-0646: /go.mod: (github.com/aws/aws-sdk-go)",
"Warn: Project is vulnerable to: GO-2022-0646: /tools/go.mod: (github.com/aws/aws-sdk-go)",
"Warn: Project is vulnerable to: GHSA-vfp6-jrw2-99g9: /tools/go.mod: (github.com/sigstore/cosign/v2)",
"Warn: Project is vulnerable to: GO-2023-2181: /tools/go.mod: (github.com/sigstore/cosign/v2)"
],
It'd also be great to include direct links to the vulnerability reports themselves
See #3161
The package file would also be very helpful. We've a lot of test fixtures on the renovatebot repo and it's pretty hard to find the file to the vulnerable package. The current report is useless for it. 😞
Don't have the time to work on this right this second, but I've pushed my WIP to a branch https://github.com/spencerschrock/scorecard/tree/vuln-line-info-rebased:
Here's what I'm seeing
$ go run main.go --repo renovatebot/renovate --checks Vulnerabilities --format json --show-details | jq
{
"date": "2024-01-17T09:55:35-08:00",
"repo": {
"name": "github.com/renovatebot/renovate",
"commit": "9bf06584aa9b2398a8a7914150fdf711e2a6f3b4"
},
"scorecard": {
"version": "",
"commit": "unknown"
},
"score": 9.0,
"checks": [
{
"details": [
"Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j: /lib/modules/manager/npm/post-update/__fixtures__/update-lockfile-massage-1/package-lock.json: (postcss)"
],
"score": 9,
"reason": "1 existing vulnerabilities detected",
"name": "Vulnerabilities",
"documentation": {
"url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
"short": "Determines if the project has open, known unfixed vulnerabilities."
}
}
],
"metadata": null
}
thanks, we're now deleting the test fixtures before running the scorecard action. this should solve the false positives for us.
but the other information would be useful anyways.
I don't think this will actually fix the false positive sorry. We grab the tarball from GitHub, not the local checkout.
Allowing maintainers to mark test data directories is something we're working on this quarter.
This issue has been marked stale because it has been open for 60 days with no activity.
not stale 😞
This issue has been marked stale because it has been open for 60 days with no activity.
Is your feature request related to a problem? Please describe.
The details of the Vulnerabilities check currently simply display the OSV/CVE/GHSA IDs of vulnerabilities found in the project or its (direct and transitive) dependencies. Users must then search online to know what each vulnerability is about and find the package that contains it. If it's a transitive dependency, they must then (somehow) identify which of their direct dependencies are responsible.
Describe the solution you'd like
The output should describe which dependency has the vulnerability. If it's a transitive dependency, it should instead (or also) display the direct dependencies that brought it into this project.
It'd also be great to include direct links to the vulnerability reports themselves.
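The following Go program is an added example, not code from the Scorecard project or from this thread's WIP branch. It shows what a consumer of the new detail-line format (`Warn: Project is vulnerable to: <ID>: <path>: (<package>)`, as printed by the WIP output above) could do with it to meet the three requests in this issue: pull out the file and package, build a link to the advisory, and, for a transitive dependency, name the direct dependencies that brought it in. The advisory link assumes osv.dev serves the GO-, GHSA- and CVE- families at `https://osv.dev/vulnerability/<ID>`; the module graph in `exampleGraph` is constructed for illustration and stands in for a real go.mod/lockfile walk.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Finding is one parsed "Warn:" detail line from the Vulnerabilities check.
type Finding struct {
	ID      string // advisory identifier (GO-..., GHSA-..., CVE-...)
	Path    string // file in the repo that declares the vulnerable package
	Package string // vulnerable package or module name
}

// detailRe matches the detail-line format produced by the WIP branch:
//   Warn: Project is vulnerable to: <ID>: <path>: (<package>)
// The path is matched greedily so a path containing ": " still parses.
var detailRe = regexp.MustCompile(`^Warn: Project is vulnerable to: ([^:\s]+): (.+): \(([^)]+)\)$`)

// ParseDetail parses one detail line. ok is false for lines that do not
// follow the format (e.g. the older ID-only lines), so callers can skip them.
func ParseDetail(line string) (Finding, bool) {
	m := detailRe.FindStringSubmatch(line)
	if m == nil {
		return Finding{}, false
	}
	return Finding{ID: m[1], Path: m[2], Package: m[3]}, true
}

// AdvisoryURL builds a link to the public advisory page.
// Assumption: osv.dev resolves every ID family Scorecard reports at this path.
func AdvisoryURL(id string) string {
	return "https://osv.dev/vulnerability/" + id
}

// Requires maps a module to the modules it requires. It is a hypothetical
// stand-in for the dependency graph a real lockfile or go.mod walk would yield.
type Requires map[string][]string

// exampleGraph is a constructed graph: the app directly requires a/lib and
// b/tool; a/lib transitively pulls in vuln/pkg.
var exampleGraph = Requires{
	"example.com/app":     {"github.com/a/lib", "github.com/b/tool"},
	"github.com/a/lib":    {"github.com/vuln/pkg"},
	"github.com/b/tool":   {"github.com/c/util"},
	"github.com/c/util":   {},
	"github.com/vuln/pkg": {},
}

// DirectCulprits returns, sorted, the direct dependencies of root whose
// transitive closure contains target. This answers "which of my direct
// dependencies brought the vulnerable package in?".
func DirectCulprits(g Requires, root, target string) []string {
	var out []string
	for _, direct := range g[root] {
		if reaches(g, direct, target, map[string]bool{}) {
			out = append(out, direct)
		}
	}
	sort.Strings(out)
	return out
}

// reaches is a depth-first search with a visited set so cyclic graphs terminate.
func reaches(g Requires, from, target string, seen map[string]bool) bool {
	if from == target {
		return true
	}
	if seen[from] {
		return false
	}
	seen[from] = true
	for _, next := range g[from] {
		if reaches(g, next, target, seen) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input in the WIP branch's format.
	lines := []string{
		"Warn: Project is vulnerable to: GO-2022-0646: /go.mod: (github.com/aws/aws-sdk-go)",
		"Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j: /lib/modules/manager/npm/post-update/__fixtures__/update-lockfile-massage-1/package-lock.json: (postcss)",
		"Warn: Project is vulnerable to: GO-2023-2181",
	}
	for _, l := range lines {
		f, ok := ParseDetail(l)
		if !ok {
			fmt.Printf("skipping unparsed line: %q\n", l)
			continue
		}
		fmt.Printf("%s in %s (%s): %s\n", f.Package, f.Path, f.ID, AdvisoryURL(f.ID))
	}
	fmt.Println("direct deps pulling in github.com/vuln/pkg:",
		DirectCulprits(exampleGraph, "example.com/app", "github.com/vuln/pkg"))
}
```

Grouping findings by `Path` is what makes the renovatebot case above actionable: everything under a `__fixtures__` directory can be triaged together, while hits in the top-level `/go.mod` stay visible as real exposure.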