
Comments (7)

carlin-q-scott commented on September 15, 2024

I just created a repo with only the package-lock.json and it did detect the vulnerable packages. I don't love the info in the report though, as it doesn't even mention the vulnerable package or package version. It's just the ID of the vulnerability report. I can Google that to get the vulnerability details though. It would be nice if it linked to the vulnerability report at least.

This has revealed a shortcoming to me of the design philosophy of this tool. As new vulnerabilities are discovered for existing dependencies, those vulnerabilities won't be detected until I update a dependency for the impacted project.

from betterscan.

carlin-q-scott commented on September 15, 2024

For the sake of efficiency, I'd imagine it would be best to only scan HEAD for dependency issues, rather than each commit snapshot.


carlin-q-scott commented on September 15, 2024

This is working for new repositories, but not existing repositories that already have scan data for the dependency files. How easy would it be to write a python script to purge scan results for the dependency files?


marcinguy commented on September 15, 2024

@carlin-q-scott Away from the keyboard. Theoretically, you can modify the package-lock.json file or remove it from the state db.

osv-scanner should be working, as well as the others.


marcinguy commented on September 15, 2024

@carlin-q-scott It can be adjusted to always scan dependency DBs, i.e. package-lock.json and others. This could address it. What do you think?

More details can also be added to the description field; everything can be extracted.

I will look into it as time permits, PRs are also welcome.

Will rethink it to make it better in the PRO version.


carlin-q-scott commented on September 15, 2024

I like your idea of always scanning dependency files. That alleviates my main concern in this issue.

I can open separate issues calling out various fields I'd like to see in my BetterScan report; issue per scanner? And if I have time I'll look into implementing those improvements myself.


marcinguy commented on September 15, 2024

Thank you @carlin-q-scott

I think you can either modify each lockfile (a new line or something?), maybe 2 commits, one modification, the other a revert? Maybe easier to do. Or go through the state database and remove the entries for package files.

If you can contribute a script, that could be great (possibly also for other state db mangling).

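Worked example added by the editor, not code from betterscan or from either participant, illustrating the failure mode carlin-q-scott describes and the two remedies marcinguy proposes (always rescanning dependency files; purging their entries from the state db). It also emits the package, version, ID and report link that the first comment asks for. Everything in it is assumed: the state db is an in-memory SQLite table keyed by (path, content hash), the advisory feed is a constructed stand-in for OSV, the lockfile list is a guess, and "example-lib" with advisory "CONSTRUCTED-2024-0001" are made up. The osv.dev link format is the real one.

```python
"""Added example, not betterscan's own code.  A scanner whose state db caches
results by lockfile content hash keeps returning the cached (now stale) result
after a new advisory is published, until the lockfile itself changes.  Forcing
a rescan of dependency manifests, or purging their rows from the state db,
fixes that.  The advisory db, schema and lockfile names are constructed
stand-ins for this example, not betterscan's real internals."""
import hashlib
import json
import sqlite3

# Assumed list of dependency manifests / lockfiles that deserve a fresh scan every run.
LOCKFILES = {"package-lock.json", "yarn.lock", "pnpm-lock.yaml",
             "requirements.txt", "Pipfile.lock", "poetry.lock",
             "go.sum", "Gemfile.lock", "Cargo.lock"}


def is_lockfile(path: str) -> bool:
    return path.rsplit("/", 1)[-1] in LOCKFILES


def parse_package_lock(content: bytes) -> list[tuple[str, str, str]]:
    """Return (ecosystem, name, version) for every dependency listed in the
    'packages' map of a lockfileVersion 2/3 package-lock.json."""
    deps = []
    for path, meta in json.loads(content).get("packages", {}).items():
        if not path:                                    # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]     # handles nested node_modules
        deps.append(("npm", name, meta["version"]))
    return deps


class AdvisoryDb:
    """Constructed stand-in for OSV: (ecosystem, name) -> [(affected_version, id)].
    `version` increases whenever an advisory is added, like a feed snapshot."""

    def __init__(self) -> None:
        self.version = 0
        self._adv: dict[tuple[str, str], list[tuple[str, str]]] = {}

    def add(self, ecosystem: str, name: str, affected_version: str, vuln_id: str) -> None:
        self._adv.setdefault((ecosystem, name), []).append((affected_version, vuln_id))
        self.version += 1

    def findings(self, deps: list[tuple[str, str, str]]) -> list[dict]:
        # Report package + version + id + link: the fields a useful report needs.
        return [{"package": name, "version": ver, "id": vid,
                 "url": f"https://osv.dev/vulnerability/{vid}"}
                for eco, name, ver in deps
                for affected, vid in self._adv.get((eco, name), [])
                if affected == ver]


class Scanner:
    """State db keyed by (path, content digest).  With always_rescan_lockfiles=False
    a cache hit is returned without consulting the advisory db at all."""

    def __init__(self, advisory_db: AdvisoryDb, always_rescan_lockfiles: bool) -> None:
        self.db = advisory_db
        self.always_rescan = always_rescan_lockfiles
        self.state = sqlite3.connect(":memory:")
        self.state.create_function("is_lockfile", 1, is_lockfile)
        self.state.execute("CREATE TABLE scans (path TEXT, digest TEXT, "
                           "db_version INTEGER, findings TEXT, PRIMARY KEY (path, digest))")

    def scan(self, path: str, content: bytes) -> list[dict]:
        digest = hashlib.sha256(content).hexdigest()
        row = self.state.execute("SELECT findings FROM scans WHERE path = ? AND digest = ?",
                                 (path, digest)).fetchone()
        if row is not None and not (self.always_rescan and is_lockfile(path)):
            return json.loads(row[0])               # stale if the advisory db moved on
        # Only package-lock.json is parsed here; other formats would need their own parsers.
        deps = parse_package_lock(content) if path.endswith("package-lock.json") else []
        findings = self.db.findings(deps)
        self.state.execute("INSERT OR REPLACE INTO scans VALUES (?, ?, ?, ?)",
                           (path, digest, self.db.version, json.dumps(findings)))
        return findings

    def purge_lockfile_state(self) -> int:
        """Drop cached results for dependency files so the next run rescans them."""
        cur = self.state.execute("DELETE FROM scans WHERE is_lockfile(path)")
        return cur.rowcount


def demo():
    # Constructed lockfile; "example-lib" and the advisory id are made up for this example.
    lock = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/example-lib": {"version": "1.2.3"}}}).encode()
    db = AdvisoryDb()
    cached = Scanner(db, always_rescan_lockfiles=False)
    fresh = Scanner(db, always_rescan_lockfiles=True)
    before = (cached.scan("package-lock.json", lock), fresh.scan("package-lock.json", lock))
    db.add("npm", "example-lib", "1.2.3", "CONSTRUCTED-2024-0001")  # new advisory, lockfile unchanged
    after = (cached.scan("package-lock.json", lock), fresh.scan("package-lock.json", lock))
    purged = cached.purge_lockfile_state()    # the purge script from the thread, in miniature
    after_purge = cached.scan("package-lock.json", lock)
    return before, after, purged, after_purge


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the content-hash-only scanner still reports nothing after the advisory lands, while the always-rescan scanner and the purged-then-rescanned scanner both report the package, version, ID and link. Storing `db_version` alongside each cached row is the cheaper middle ground: a row is valid only while the advisory feed has not advanced, so unchanged lockfiles get rescanned exactly when there is something new to find.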
