Unknown Github Vulnerability Id GMS-2022-20 #2034
Comments
I think I would prefer to have the CVE (if one exists) reported, because CVE-2021-41190 affects multiple projects and I have found three Github Security Advisories that reference the CVE so far.
Okay, I've found GMS-2022-20. But this seems to be more like an internal id of the Gitlab Advisory Database and nothing public. Also, this YAML includes the original id of the Github advisory, which should be shown in trivy instead of the Gitlab id:
More deep diving into the details: the Gitlab source seems to be https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-qq97-vm5h-rrhg/GHSA-qq97-vm5h-rrhg.json, which I would say is the source for GHSA-qq97-vm5h-rrhg. But the origin seems to be GHSA-qq97-vm5h-rrhg directly from the repository maintainers, which is the most current version and also has the CVE reference. But so far I cannot find a machine-readable format of this one.
Hello @mayrstefan. We will add logic to select the advisory id. Regards, Dmitriy
We did some changes in it should resolve this issue.
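The "logic to select advisory id" the maintainer mentions above, written out as an added example (my own code, not Trivy's or the GitLab Advisory Database's): given a record that carries several identifiers, report the most widely recognised one (CVE, then GHSA, then the database-internal GMS id). The struct field names are an assumption modelled on the `identifier`/`identifiers` keys of the GitLab YAML; the record itself is constructed from the ids discussed in this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Advisory holds the identifier fields of an advisory record. Field names are
// an assumption, modelled on the GitLab Advisory Database YAML keys
// "identifier" (the database's own id) and "identifiers" (every id it knows).
type Advisory struct {
	Identifier  string   // primary id of this database, e.g. GMS-2022-20
	Identifiers []string // all ids the record carries, e.g. CVE-..., GHSA-...
}

// idPriority orders id prefixes from most to least widely recognised:
// a CVE id is cross-ecosystem, a GHSA id is public at github.com/advisories,
// and a GMS id is only meaningful inside the GitLab database.
var idPriority = []string{"CVE-", "GHSA-", "GMS-"}

// SelectVulnerabilityID returns the id that should be reported for adv:
// the first id matching the highest-priority prefix (match is case-insensitive
// so lower-cased ids in a feed are still recognised), falling back to the
// record's own primary identifier when nothing better is present.
func SelectVulnerabilityID(adv Advisory) string {
	for _, prefix := range idPriority {
		for _, id := range adv.Identifiers {
			if strings.HasPrefix(strings.ToUpper(id), prefix) {
				return id
			}
		}
	}
	return adv.Identifier
}

func main() {
	// Constructed record mirroring the ids discussed in this issue.
	adv := Advisory{
		Identifier:  "GMS-2022-20",
		Identifiers: []string{"GMS-2022-20", "GHSA-qq97-vm5h-rrhg", "CVE-2021-41190"},
	}
	fmt.Println(SelectVulnerabilityID(adv)) // CVE-2021-41190
}
```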
Description
Looking at the findings of #2033 we see GMS-2022-20 reported as a vulnerability id. This seems to be an unknown format.
What did you expect to happen?
I expected an id to be reported that I can find on the internet.
What happened instead?
Instead I found GHSA-qq97-vm5h-rrhg which seems to be the reported vulnerability but has a different id.
Also this vulnerability has already a CVE assigned. I'm not sure which id should be reported in that case.
Output of trivy -v:
Additional details (base image name, container registry info...):
Fun fact: the JSON output contains a URL using the correct id:
looking at: