
feat: parse all lockfiles and load all databases before checking for vulnerabilities#101

Merged
G-Rath merged 1 commit into main from change-order
Jun 10, 2022

Conversation

@G-Rath (Owner) commented Jun 10, 2022

I sort of did this when toying with a possible improvement with #94, and it is technically an improvement because it means we're only loading each database once instead of per lockfile.

The real improvement (and reason for landing this) imo is that now the database loading details are outputted first:

❯ osv-detector-t .
Loading OSV databases for the following ecosystems:
  npm (2427 vulnerabilities, including withdrawn - last updated Fri, 10 Jun 2022 00:28:07 GMT)
  PyPI (3172 vulnerabilities, including withdrawn - last updated Fri, 10 Jun 2022 00:46:34 GMT)

package-lock.json: found 1183 packages
  ansi-regex@3.0.0 is affected by the following vulnerabilities:
    GHSA-93q8-gq69-wqmw:  Inefficient Regular Expression Complexity in chalk/ansi-regex (https://github.com/advisories/GHSA-93q8-gq69-wqmw)
  nanoid@3.1.23 is affected by the following vulnerabilities:
    GHSA-qrpm-p2h7-hrv2: Exposure of Sensitive Information to an Unauthorized Actor in nanoid (https://github.com/advisories/GHSA-qrpm-p2h7-hrv2)
  xmldom@0.1.31 is affected by the following vulnerabilities:
    GHSA-5fg8-2547-mr8q: Misinterpretation of malicious XML input (https://github.com/advisories/GHSA-5fg8-2547-mr8q)
    GHSA-h6q6-9hqw-rwfv: Misinterpretation of malicious XML input (https://github.com/advisories/GHSA-h6q6-9hqw-rwfv)

  4 known vulnerabilities found in package-lock.json

requirements.txt: found 142 packages
  django@2.2.27 is affected by the following vulnerabilities:
    GHSA-2gwj-7jmv-h26r: SQL Injection in Django (https://github.com/advisories/GHSA-2gwj-7jmv-h26r)
    GHSA-w24h-v9qh-8gxj: SQL Injection in Django (https://github.com/advisories/GHSA-w24h-v9qh-8gxj)

  2 known vulnerabilities found in requirements.txt

I personally think that's a bit nicer because it's less noise when copying the output for a specific manifest.

Technically we could now optimise the loading of the databases to be done in parallel, but they load pretty quickly already so I've not done that yet (though I'll probably do it at some point).
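The reordering described in this PR (parse every lockfile, load each ecosystem's database once, then check), as an added illustration rather than osv-detector's own code; the `Lockfile` and `Loader` types are hypothetical stand-ins, and the `Loads` counter exists so the once-per-ecosystem property can be asserted rather than assumed.

```go
package main

// Lockfile is a constructed stand-in for a parsed manifest: its path and the
// ecosystems of the packages it lists (hypothetical shape, not osv-detector's types).
type Lockfile struct {
	Path       string
	Ecosystems []string
}

// Loader counts database fetches per ecosystem so "loaded once" can be checked.
type Loader struct{ Loads map[string]int }

func (l *Loader) Load(eco string) { l.Loads[eco]++ }

// Run applies the order this PR lands: parse everything, load every needed
// database exactly once, then check each lockfile. It returns the steps in order.
func Run(lockfiles []Lockfile, loader *Loader) []string {
	var steps []string
	// Phase 1: collect distinct ecosystems in first-seen order across all lockfiles.
	seen := map[string]bool{}
	var ecos []string
	for _, lf := range lockfiles {
		for _, eco := range lf.Ecosystems {
			if !seen[eco] {
				seen[eco] = true
				ecos = append(ecos, eco)
			}
		}
	}
	// Phase 2: load each database once, before any lockfile is checked.
	for _, eco := range ecos {
		loader.Load(eco)
		steps = append(steps, "load "+eco)
	}
	// Phase 3: check lockfiles against the already-loaded databases.
	for _, lf := range lockfiles {
		steps = append(steps, "check "+lf.Path)
	}
	return steps
}
```

With two lockfiles that both need the npm database, the old per-lockfile order would fetch it twice; here `Loads["npm"]` stays at 1 and every "load" step precedes every "check" step.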

@G-Rath G-Rath merged commit d592a4b into main Jun 10, 2022
@G-Rath G-Rath deleted the change-order branch June 10, 2022 02:35
