ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0
4.52k stars, 494 forks

Feature: Vulnerabilities: Add responsible direct dependencies and link to report #3664

Open pnacht opened 11 months ago

pnacht commented 11 months ago

Is your feature request related to a problem? Please describe.

The details of the Vulnerabilities check currently simply display the OSV/CVE/GHSA IDs of vulnerabilities found in the project or its (direct and transitive) dependencies. Users must then search online to know what each vulnerability is about and find the package that contains it. If it's a transitive dependency, they must then (somehow) identify which of their direct dependencies are responsible.

"details": [
  "Warn: Project is vulnerable to: GHSA-h4m5-qpfp-3mpv / PYSEC-2021-421"
]

Describe the solution you'd like

The output should describe which dependency has the vulnerability. If it's a transitive dependency, it should instead (or also) display the direct dependencies that brought it into this project.

It'd also be great to include direct links to the vulnerability reports themselves.

"details": [
  "Warn: Project is vulnerable to: https://github.com/advisories/GHSA-h4m5-qpfp-3mpv in package 'babel' (imported by 'ahead')"
]

spencerschrock commented 11 months ago

I was playing around with adding file locations to the vuln check the other day. There's still work to do, but it currently looks something like this:

      "details": [
        "Warn: Project is vulnerable to: GO-2022-0646: /go.mod: (github.com/aws/aws-sdk-go)",
        "Warn: Project is vulnerable to: GO-2022-0646: /tools/go.mod: (github.com/aws/aws-sdk-go)",
        "Warn: Project is vulnerable to: GHSA-vfp6-jrw2-99g9: /tools/go.mod: (github.com/sigstore/cosign/v2)",
        "Warn: Project is vulnerable to: GO-2023-2181: /tools/go.mod: (github.com/sigstore/cosign/v2)"
      ],

> It'd also be great to include direct links to the vulnerability reports themselves

See #3161
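As an added example (not Scorecard's own code), here is how the detail line requested above could be assembled from an OSV finding plus a dependency graph: the direct dependencies that transitively pull in the vulnerable package are found by a cycle-safe walk, the manifest path is kept, and the advisory ID is turned into a report link. The graph shape, the `""` key for the project's direct dependencies, and the sample packages are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// DepGraph maps a package to its dependencies; key "" holds the project's direct deps (example convention).
type DepGraph map[string][]string

// ExampleGraph is constructed sample data after the issue's babel/ahead case (with a cycle).
var ExampleGraph = DepGraph{"": {"ahead", "github.com/aws/aws-sdk-go"}, "ahead": {"babel"}, "babel": {"ahead"}}

// reaches reports whether pkg depends on target, directly or transitively.
func reaches(g DepGraph, pkg, target string, seen map[string]bool) bool {
	if pkg == target || seen[pkg] {
		return pkg == target
	}
	seen[pkg] = true // guards against cycles such as ahead -> babel -> ahead
	for _, d := range g[pkg] {
		if reaches(g, d, target, seen) {
			return true
		}
	}
	return false
}

// ResponsibleDirectDeps lists the direct dependencies that pull pkg in transitively.
func ResponsibleDirectDeps(g DepGraph, pkg string) []string {
	out := []string{}
	for _, direct := range g[""] {
		if direct != pkg && reaches(g, direct, pkg, map[string]bool{}) {
			out = append(out, direct)
		}
	}
	return out
}

// Detail renders one "details" line: report link, manifest file, package and responsible direct deps.
func Detail(g DepGraph, id, pkg, file string) string {
	link := "https://osv.dev/vulnerability/" + id // PYSEC, GO and other OSV IDs
	if strings.HasPrefix(id, "GHSA-") {
		link = "https://github.com/advisories/" + id
	}
	s := fmt.Sprintf("Warn: Project is vulnerable to: %s: %s: (%s)", link, file, pkg)
	if deps := ResponsibleDirectDeps(g, pkg); len(deps) > 0 {
		s += " (imported by " + strings.Join(deps, ", ") + ")"
	}
	return s
}
```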

Hamammal commented 11 months ago

I was playing around with adding file locations to the vuln check the other day. There's still work to do, but it currently looks something like this:

      "details": [
        "Warn: Project is vulnerable to: GO-2022-0646: /go.mod: (github.com/aws/aws-sdk-go)",
        "Warn: Project is vulnerable to: GO-2022-0646: /tools/go.mod: (github.com/aws/aws-sdk-go)",
        "Warn: Project is vulnerable to: GHSA-vfp6-jrw2-99g9: /tools/go.mod: (github.com/sigstore/cosign/v2)",
        "Warn: Project is vulnerable to: GO-2023-2181: /tools/go.mod: (github.com/sigstore/cosign/v2)"
      ],

It'd also be great to include direct links to the vulnerability reports themselves

See #3161

Hamammal commented 11 months ago

  "details": [
    "Warn: Project is vulnerable to: GO-2022-0646: /go.mod: (github.com/aws/aws-sdk-go)",
    "Warn: Project is vulnerable to: GO-2022-0646: /tools/go.mod: (github.com/aws/aws-sdk-go)",
    "Warn: Project is vulnerable to: GHSA-vfp6-jrw2-99g9: /tools/go.mod: (github.com/sigstore/cosign/v2)",
    "Warn: Project is vulnerable to: GO-2023-2181: /tools/go.mod: (github.com/sigstore/cosign/v2)"
  ],

Hamammal commented 11 months ago

  "details": [
    "Warn: Project is vulnerable to: GO-2022-0646: /go.mod: (github.com/aws/aws-sdk-go)",
    "Warn: Project is vulnerable to: GO-2022-0646: /tools/go.mod: (github.com/aws/aws-sdk-go)",
    "Warn: Project is vulnerable to: GHSA-vfp6-jrw2-99g9: /tools/go.mod: (github.com/sigstore/cosign/v2)",
    "Warn: Project is vulnerable to: GO-2023-2181: /tools/go.mod: (github.com/sigstore/cosign/v2)"
  ],

viceice commented 9 months ago

The package file would also be very helpful. We've a lot of test fixtures in the renovatebot repo and it's pretty hard to find the file for the vulnerable package. The current report is useless for it. 😞

spencerschrock commented 9 months ago

> The package file would also be very helpful. We've a lot of test fixtures in the renovatebot repo and it's pretty hard to find the file for the vulnerable package. The current report is useless for it. 😞

Don't have the time to work on this right this second, but I've pushed my WIP to a branch https://github.com/spencerschrock/scorecard/tree/vuln-line-info-rebased:

Here's what I'm seeing:

$ go run main.go --repo renovatebot/renovate --checks Vulnerabilities --format json --show-details | jq
{
  "date": "2024-01-17T09:55:35-08:00",
  "repo": {
    "name": "github.com/renovatebot/renovate",
    "commit": "9bf06584aa9b2398a8a7914150fdf711e2a6f3b4"
  },
  "scorecard": {
    "version": "",
    "commit": "unknown"
  },
  "score": 9.0,
  "checks": [
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j: /lib/modules/manager/npm/post-update/__fixtures__/update-lockfile-massage-1/package-lock.json: (postcss)"
      ],
      "score": 9,
      "reason": "1 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}

viceice commented 9 months ago

Thanks, we're now deleting the test fixtures before running the Scorecard action. This should solve the false positives for us.

But the other information would be useful anyway.

spencerschrock commented 9 months ago

> Thanks, we're now deleting the test fixtures before running the Scorecard action. This should solve the false positives for us.

I don't think this will actually fix the false positive, sorry. We grab the tarball from GitHub, not the local checkout.

Allowing maintainers to mark test data directories is something we're working on this quarter.

github-actions[bot] commented 7 months ago

This issue has been marked stale because it has been open for 60 days with no activity.

viceice commented 6 months ago

Not stale 😞

github-actions[bot] commented 3 months ago

This issue has been marked stale because it has been open for 60 days with no activity.