ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

BUG: Parsing error for yarn.lock (angular/angular) #3714

Closed DarkaMaul closed 10 months ago

DarkaMaul commented 10 months ago

Describe the bug

Parsing error in yarn.lock.

Reproduction steps

Steps to reproduce the behavior:

  1. scorecard --repo=github.com/angular/angular --checks=Vulnerabilities

$ scorecard --repo=github.com/angular/angular --checks=Vulnerabilities
Starting [Vulnerabilities]
Failed to determine version of domino while parsing a yarn.lock - please report this!

Expected behavior

The check was successful.

Additional context

scorecard version
GitVersion:    4.13.1
GitCommit:     49c0eed3a423f00c872b5c3c9f1bbca9e8aae799
GitTreeState:  clean
BuildDate:     2023-10-20T21:13:08Z
GoVersion:     go1.21.3
Compiler:      gc
Platform:      darwin/arm64

spencerschrock commented 10 months ago

This is actually a problem in osv-scanner. The error message is coming from that application/library.

It was reported and fixed upstream in v1.4.2 of the library, which Scorecard upgraded to in #3608. Unfortunately this was right after our v4.13.1 release, but it's been fixed at HEAD.

spencerschrock commented 10 months ago

Note: for the most part this is minor impact. domino gets skipped over when querying for vulns, but at least all the other packages get properly analyzed.
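A package that a lockfile parser skips is a coverage gap in the vulnerability check, so it is worth surfacing rather than losing silently. The following is an added example in Go, not osv-scanner or Scorecard code: a tolerant yarn.lock v1 parser that keeps going past a block with no version line and returns those blocks separately. The lockfile text is constructed for the example; the issue does not show what the real domino entry looked like.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample yarn.lock (v1 format): the "domino" block deliberately
// lacks a version line. The issue does not show what the real entry looked like.
const sampleLock = `# yarn lockfile v1
"@angular/core@^17.0.0":
  version "17.0.2"
domino@^2.1.6:
  resolved "https://registry.yarnpkg.com/domino/-/domino-2.1.6.tgz"
tslib@^2.3.0, tslib@^2.6.2:
  version "2.6.2"
`

// ParseYarnLockV1 maps each block's first descriptor ("name@range") to its
// resolved version and separately lists blocks with no version line, so a
// scan can report which packages it did not cover instead of aborting.
func ParseYarnLockV1(text string) (versions map[string]string, unresolved []string) {
	versions = map[string]string{}
	key := ""
	for _, line := range strings.Split(text, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || strings.HasPrefix(trimmed, "#"):
		case !strings.HasPrefix(line, " "): // block header: `name@range, name@range2:`
			key = strings.Trim(strings.SplitN(strings.TrimSuffix(trimmed, ":"), ",", 2)[0], `"`)
			versions[key] = "" // provisional until a version line is seen
		case key != "" && strings.HasPrefix(trimmed, "version "):
			versions[key] = strings.Trim(strings.TrimPrefix(trimmed, "version "), `"`)
		}
	}
	for k, v := range versions {
		if v == "" {
			unresolved = append(unresolved, k)
		}
	}
	sort.Strings(unresolved)
	return versions, unresolved
}

func main() {
	versions, unresolved := ParseYarnLockV1(sampleLock)
	fmt.Println(len(versions), "blocks parsed; no version for:", unresolved)
}
```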