ossf / scorecard

OpenSSF Scorecard - Security health metrics for Open Source
https://scorecard.dev
Apache License 2.0

Vulnerable package has score 10/10 in Vulnerabilities #3946

Open jorgsowa opened 3 months ago

jorgsowa commented 3 months ago

Describe the bug

Package https://github.com/elijaa/phpmemcachedadmin has disclosed a vulnerability https://osv.dev/vulnerability/CVE-2023-6026

However, the OSV scanner doesn't detect it, because it scans dependencies, not the package itself (!). As a result, the scorecard gives it 10/10 points.

Reproduction steps

Steps to reproduce the behavior:

  1. Run scorecard --repo=github.com/elijaa/phpmemcachedadmin
  2. See 10 / 10 | Vulnerabilities | no vulnerabilities detected

Expected behavior

As the vulnerability is known, the score shouldn't be 10/10.


spencerschrock commented 3 months ago

Yeah, I agree we aren't finding vulns in the current project. (See related comment https://github.com/google/osv-scanner/issues/416#issuecomment-1955438494)

I was curious if we did anything differently before the use of osv-scanner (#2509), and it seems like the answer is no.

Currently the vulnerability check only checks if the HEAD commit hash has any vulnerability specified in OSV.dev.

The commit hash check is still being done.
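The two comments above describe the gap: the check asks OSV.dev about the HEAD commit hash, and osv-scanner asks about dependencies, so a vulnerability recorded only against the project's own package coordinates is never looked up. The example below is added here and is not scorecard's or OSV's code; it uses constructed OSV-style records and commit hashes, and simplifies OSV's range matching, to show why a commit-keyed lookup comes back empty while a package-keyed lookup for the same project would hit.

```python
"""Added example (not scorecard's code): a commit-keyed OSV lookup can miss a
vulnerability that a package-keyed lookup would find. Records, repository URL
and commit hashes below are constructed; range matching is simplified."""
from typing import List

# Two constructed OSV-style records. The first carries only an ECOSYSTEM range
# (package name + version bounds); the second carries a GIT range of commits.
RECORDS: List[dict] = [
    {"id": "EXAMPLE-0001",
     "affected": [{"package": {"ecosystem": "Packagist", "name": "example/admin-ui"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}]}]},
    {"id": "EXAMPLE-0002",
     "affected": [{"ranges": [{"type": "GIT", "repo": "https://github.com/example/admin-ui",
                               "events": [{"introduced": "aaa111"}, {"fixed": "ccc333"}]}]}]},
]
# Constructed linear commit history of the repository, oldest first.
HISTORY = ["aaa111", "bbb222", "ccc333", "ddd444"]


def _ver(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def _in_git_range(rng: dict, sha: str) -> bool:
    """Affected if the commit is at/after 'introduced' and before 'fixed'."""
    ev = {k: v for e in rng["events"] for k, v in e.items()}
    if sha not in HISTORY:
        return False
    start = HISTORY.index(ev["introduced"])
    end = HISTORY.index(ev["fixed"]) if "fixed" in ev else len(HISTORY)
    return start <= HISTORY.index(sha) < end


def _in_eco_range(rng: dict, version: str) -> bool:
    """Affected if introduced <= version < fixed (dotted-numeric versions only)."""
    ev = {k: v for e in rng["events"] for k, v in e.items()}
    hi = _ver(ev["fixed"]) if "fixed" in ev else None
    return _ver(ev["introduced"]) <= _ver(version) and (hi is None or _ver(version) < hi)


def by_commit(sha: str) -> List[str]:
    """Mimics POST /v1/query with {"commit": sha}: only GIT ranges can match."""
    return [r["id"] for r in RECORDS for a in r["affected"] for g in a["ranges"]
            if g["type"] == "GIT" and _in_git_range(g, sha)]


def by_package(ecosystem: str, name: str, version: str) -> List[str]:
    """Mimics {"package": {...}, "version": v}: only ECOSYSTEM ranges can match."""
    return [r["id"] for r in RECORDS for a in r["affected"]
            if a.get("package") == {"ecosystem": ecosystem, "name": name}
            for g in a["ranges"] if g["type"] == "ECOSYSTEM" and _in_eco_range(g, version)]


if __name__ == "__main__":
    print("HEAD ddd444 by commit:", by_commit("ddd444"))  # []
    print("1.2.0 by package:", by_package("Packagist", "example/admin-ui", "1.2.0"))
```

A check that wants to catch the case in this issue has to know the repository's own package coordinates (for a Composer project, the name in composer.json and the released version) and issue the package-keyed query in addition to the commit-keyed one.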