snyk-tech-services / snyk-delta


Output says nothing was added/removed but command fails #170

Open radekjezdik opened 1 year ago

radekjezdik commented 1 year ago

Hi, I just ran snyk-delta on some old branch of a Go project. To my surprise, the snyk-delta output showed that nothing new was added or removed (directly or indirectly), but new issues were nonetheless introduced. See the output:

Direct deps:
Added 0 

===============
Removed 0

##################
Indirect deps:
Added 0 

===============
Paths
===============
Removed 0
 []
_____________________________

New issues introduced !
Security Vulnerabilities:
  1/3: Denial of Service (DoS) [High Severity]
    Via: <REDACTED>
    Fixed in: <REDACTED> 0.7.0

  2/3: Denial of Service (DoS) [High Severity]
    Via: <REDACTED>
    Fixed in: <REDACTED> 0.7.0

  3/3: Denial of Service (DoS) [High Severity]
    Via: <REDACTED>
    Fixed in: <REDACTED> 0.7.0

Can you please explain in which cases this is possible? Is it because of some dynamic dependency resolution?

aarlaud commented 1 year ago

hum, I'm not sure. It does look like a case of a new vuln being disclosed impacting you existing deps, comparing it to a baseline that hasn't received that update. usually, the baseline is on the backend, retested daily, and therefore updated with the new vulns, but maybe that's not working for some reason (disabled, unable to retest for whatever reason, etc).