Comments (7)
I just created a repo with only the package-lock.json and it did detect the vulnerable packages. I don't love the info in the report though, as it doesn't even mention the vulnerable package or package version. It's just the ID of the vulnerability report. I can Google that to get the vulnerability details though. It would be nice if it linked to the vulnerability report at least.
This has revealed a shortcoming to me of the design philosophy of this tool. As new vulnerabilities are discovered for existing dependencies, those vulnerabilities won't be detected until I update a dependency for the impacted project.
from betterscan.
For the sake of efficiency, I'd imagine it would be best to only scan head for dependency issues, rather than each commit snapshot.
This is working for new repositories, but not existing repositories that already have scan data for the dependency files. How easy would it be to write a Python script to purge scan results for the dependency files?
@carlin-q-scott Away from the keyboard. Theoretically you can modify the file package-lock.json or remove it from the state db.
Osv-scanner should be working, as well as others.
@carlin-q-scott It can be adjusted to always scan dependency dbs, i.e. package-lock.json and others. This could address it. What do you think?
More details can also be added to the description field; everything can be extracted.
I will look into it as time permits; PRs are also welcome.
Will rethink it to make it better in the PRO version.
I like your idea of always scanning dependency files. That alleviates my main concern in this issue.
I can open separate issues calling out various fields I'd like to see in my BetterScan report; issue per scanner? And if I have time I'll look into implementing those improvements myself.
Thank you @carlin-q-scott
I think you can either modify each lockfile (a new line or something?), maybe in 2 commits, one modification and the other a revert? That may be easier to do, or go through the state database and remove entries for package files.
If you can contribute a script, that could be great (possibly also for other state db mangling).