Open jorgsowa opened 3 months ago
Yeah, I agree we aren't finding vulns in the current project. (See related comment https://github.com/google/osv-scanner/issues/416#issuecomment-1955438494)
I was curious if we did anything differently before the use of osv-scanner (#2509), and it seems like the answer is no.
Currently the vulnerability check only checks if the HEAD commit hash has any vulnerability specified in OSV.dev.
The commit hash check is still being done.
Describe the bug
Package https://github.com/elijaa/phpmemcachedadmin has disclosed a vulnerability https://osv.dev/vulnerability/CVE-2023-6026
However, the OSV scanner doesn't detect it, because it scans dependencies, not the package itself (!). As a result, the scorecard gives it 10/10 points.
Reproduction steps
Steps to reproduce the behavior:
scorecard --repo=github.com/elijaa/phpmemcachedadmin
10 / 10 | Vulnerabilities | no vulnerabilities detected
Expected behavior
As the vulnerability is known, the score shouldn't be 10/10.
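The comment above says the check only asks OSV.dev about the HEAD commit hash. The following is an added, offline model of that gap, not Scorecard, osv-scanner or OSV.dev code. It builds the two request shapes the OSV query API accepts (a commit query and a package/version query) and evaluates both against two constructed OSV-shaped advisories: one keyed only by package name and versions, one with a GIT range. The advisories, package name, repo URL, history SHAs and advisory ids are all made up for the example, and the linear-history range evaluation is a simplification of what OSV does server-side; the real CVE-2023-6026 record is not reproduced here.

```python
"""Offline model of a HEAD-commit OSV lookup versus a package/version lookup.

Added example, not Scorecard/OSV code. Assumes OSV schema fields
affected[].package, affected[].versions and affected[].ranges[] (type GIT,
events introduced/fixed). All ids, names, SHAs and URLs are constructed.
"""
from typing import Any

# Constructed linear git history, oldest first (fake SHAs).
HISTORY = ["a1a1", "b2b2", "c3c3", "d4d4"]

# Constructed advisory keyed only by package name/version: it has no GIT
# range, so a commit-hash query has nothing to match against.
ADVISORY_PACKAGE_ONLY: dict[str, Any] = {
    "id": "EXAMPLE-0001",
    "affected": [
        {
            "package": {"ecosystem": "Packagist", "name": "example/webapp"},
            "versions": ["1.2.0", "1.3.0"],
        }
    ],
}

# Constructed advisory with a GIT range (introduced at b2b2, fixed at d4d4);
# this is the kind of data a commit query can resolve against.
ADVISORY_GIT_RANGE: dict[str, Any] = {
    "id": "EXAMPLE-0002",
    "affected": [
        {
            "ranges": [
                {
                    "type": "GIT",
                    "repo": "https://example.invalid/example/webapp",
                    "events": [{"introduced": "b2b2"}, {"fixed": "d4d4"}],
                }
            ]
        }
    ],
}


def commit_query(sha: str) -> dict[str, Any]:
    """Request body shape for POST https://api.osv.dev/v1/query by commit."""
    return {"commit": sha}


def package_query(ecosystem: str, name: str, version: str) -> dict[str, Any]:
    """Request body shape for the same endpoint, keyed by package + version."""
    return {"package": {"ecosystem": ecosystem, "name": name}, "version": version}


def _in_git_range(events: list[dict[str, str]], sha: str, history: list[str]) -> bool:
    """Simplified stand-in for OSV's git range evaluation on a linear history:
    affected from the 'introduced' commit up to, but excluding, 'fixed'.
    An introduced value of "0" means 'since the first commit'."""
    pos = {h: i for i, h in enumerate(history)}
    if sha not in pos:
        return False
    introduced = fixed = None
    for ev in events:
        introduced = ev.get("introduced", introduced)
        fixed = ev.get("fixed", fixed)
    if introduced is None:
        return False
    start = -1 if introduced == "0" else pos.get(introduced)
    if start is None or pos[sha] < start:
        return False
    if fixed is not None and fixed in pos and pos[sha] >= pos[fixed]:
        return False
    return True


def matches_commit(advisory: dict[str, Any], sha: str, history: list[str]) -> bool:
    """Would a commit query for `sha` surface this advisory?"""
    for aff in advisory.get("affected", []):
        for rng in aff.get("ranges", []):
            if rng.get("type") == "GIT" and _in_git_range(rng.get("events", []), sha, history):
                return True
    return False


def matches_package(advisory: dict[str, Any], ecosystem: str, name: str, version: str) -> bool:
    """Would a package/version query surface this advisory?"""
    for aff in advisory.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") == ecosystem and pkg.get("name") == name:
            if version in aff.get("versions", []):
                return True
    return False


def head_only_check(advisories: list[dict[str, Any]], head_sha: str, history: list[str]) -> list[str]:
    """Models the behaviour the issue describes: only HEAD is queried."""
    return [a["id"] for a in advisories if matches_commit(a, head_sha, history)]


def head_plus_package_check(advisories, head_sha, history, ecosystem, name, version) -> list[str]:
    """HEAD query plus a lookup of the project's own package/version."""
    ids = set(head_only_check(advisories, head_sha, history))
    ids.update(a["id"] for a in advisories if matches_package(a, ecosystem, name, version))
    return sorted(ids)


if __name__ == "__main__":
    advs = [ADVISORY_PACKAGE_ONLY, ADVISORY_GIT_RANGE]
    print(commit_query("c3c3"), package_query("Packagist", "example/webapp", "1.3.0"))
    print("HEAD only:", head_only_check(advs, "c3c3", HISTORY))
    print("HEAD + package:", head_plus_package_check(advs, "c3c3", HISTORY, "Packagist", "example/webapp", "1.3.0"))
```

Run as a script, the HEAD-only check reports just EXAMPLE-0002, while adding a package/version lookup for the project itself also reports EXAMPLE-0001. That is the shape of the miss in the report: an advisory that OSV.dev carries under a package name and version list, but not under a GIT range that covers the repository's HEAD commit, is invisible to a commit-hash-only query.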