Guided Remediation Vuln Filtering not working (--vulns=OSV-ID)
#913
Comments
I think this might be caused by an oversight on my end. Could you please verify by manually relocking the project yourself, by either:
Then could you run the osv-scanner scan to check if the vulnerability is removed. Thanks for trying guided remediation and uncovering these issues, it's really appreciated!
Yes, that's a good idea. I do want to eventually support aliases better.
Thanks @michaelkedar for taking a look! To add more context, the project has FWIW, I had better luck with a direct dependency of the project (
Just to clarify: were you able to fix the same issue interactively? "UNFIXABLE-VULNS: 1" in the CLI mode implies that it's a vulnerability which can't be fixed, because it's in a transitive dependency that can't be bumped through either relocking or bumping of direct dependencies.
Also regarding re-locking, did you delete package-lock.json and node_modules/ first? I believe re-locking typically does change your package-lock.json, even if package.json isn't changed. This is because npm's dependency resolution typically takes the latest versions available for all dependencies, leading to frequent changes in the resolved dependency graph. If you're able to share your package.json / package-lock.json, we'd be very happy to take a look! If you would prefer to send it in a private email, please send it to ochang@google.com :)
Hello, I've attached the package lockfiles below:
OSV output
The vulnerability was GHSA-jf85-cpcp-j695, which affects both
IMO only updating the lock file results in a mismatch between the package files, and if the developer installs or updates a new dependency, it could wipe out the patch in the lock file (if they decide to remove the lock file before relocking). An update to a dependency is typically made to both files for that reason.
Thanks for providing your manifest & lockfile, it's very helpful! First, I will note that GHSA-jf85-cpcp-j695 appears 3 times in the scan output:
(
Yes, I'll create a new issue to surface reasons for failure better.
Thanks for filing issue #925 and the explanation.
osv-scanner was able to find the vulnerabilities and fixed them in both the package and package-lock file, which is great!
Hi folks, I ran into an issue when trying to patch a specific vulnerability via the --vulns filter: the filter yielded nothing. Reference: https://google.github.io/osv-scanner/experimental/guided-remediation/#vulnerability-selection

Steps to reproduce

1. Run osv-scanner -r . and verify that the vulnerability exists (e.g. https://osv.dev/vulnerability/GHSA-xf7w-r453-m56c) in the console output.
2. Run osv-scanner fix --non-interactive --strategy=relock -M package.json -L package-lock.json --data-source native --vulns=GHSA-xf7w-r453-m56c (trying with an alias such as CVE-2019-13173 also failed).

Is the OSV ID different from one of the values above? Unrelated to the issue, but it would be nice to be able to filter on the alias (CVE ID) as well, as they're more popular.
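The two questions in this report (does the requested ID actually appear in the scan, and is a CVE alias accepted where an OSV ID is expected) can be checked against the scanner's own JSON output before and after a fix. The following is an added example written for this thread, not code from the osv-scanner project: it assumes the top-level shape of `osv-scanner --format json` output (`results` -> `packages` -> `vulnerabilities` with `id` and `aliases`), trimmed to the fields used here, and the package names and versions in the embedded sample reports are constructed. The IDs are the ones mentioned in this issue.

```python
from __future__ import annotations

import json

# Constructed "before fix" report. Shape follows `osv-scanner --format json`
# (assumed; only the fields used below are included). Package names and
# versions are made up for illustration.
REPORT_BEFORE = json.dumps({
    "results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-transitive-dep", "version": "1.0.0",
                            "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "GHSA-xf7w-r453-m56c", "aliases": ["CVE-2019-13173"]},
                ],
            },
            {
                "package": {"name": "example-other-dep", "version": "2.3.4",
                            "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "GHSA-jf85-cpcp-j695", "aliases": []},
                ],
            },
        ],
    }]
})

# Constructed "after fix" report: the first package was bumped and no longer
# carries GHSA-xf7w-r453-m56c, while GHSA-jf85-cpcp-j695 remains.
REPORT_AFTER = json.dumps({
    "results": [{
        "source": {"path": "package-lock.json", "type": "lockfile"},
        "packages": [
            {
                "package": {"name": "example-other-dep", "version": "2.3.4",
                            "ecosystem": "npm"},
                "vulnerabilities": [
                    {"id": "GHSA-jf85-cpcp-j695", "aliases": []},
                ],
            },
        ],
    }]
})


def _iter_packages(report_json: str):
    """Yield (package_dict, vulnerabilities_list) pairs from a report."""
    report = json.loads(report_json)
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            yield pkg["package"], pkg.get("vulnerabilities", [])


def resolve_ids(report_json: str, requested: str) -> set[str]:
    """Translate a requested identifier (OSV primary ID or an alias such as
    a CVE) into the OSV primary IDs present in the report. Matching is
    case-insensitive. An empty set means the report does not list it under
    any name, which is the first thing to rule out when a --vulns filter
    selects nothing."""
    wanted = requested.strip().upper()
    found: set[str] = set()
    for _pkg, vulns in _iter_packages(report_json):
        for vuln in vulns:
            names = {vuln["id"].upper(), *(a.upper() for a in vuln.get("aliases", []))}
            if wanted in names:
                found.add(vuln["id"])
    return found


def affected_packages(report_json: str, requested: str) -> set[str]:
    """Return 'name@version' for every package the requested ID (or alias)
    applies to in the report."""
    ids = resolve_ids(report_json, requested)
    out: set[str] = set()
    for pkg, vulns in _iter_packages(report_json):
        if any(v["id"] in ids for v in vulns):
            out.add(f'{pkg["name"]}@{pkg["version"]}')
    return out


def fix_verified(before_json: str, after_json: str, requested: str) -> bool:
    """True only if the vulnerability was present before the fix and no
    package in the after-fix report still carries it."""
    return bool(affected_packages(before_json, requested)) and \
        not affected_packages(after_json, requested)


if __name__ == "__main__":
    for ident in ("GHSA-xf7w-r453-m56c", "CVE-2019-13173", "GHSA-jf85-cpcp-j695"):
        print(ident, "->", sorted(resolve_ids(REPORT_BEFORE, ident)),
              "fixed:", fix_verified(REPORT_BEFORE, REPORT_AFTER, ident))
```

To use it on a real project, capture `osv-scanner --format json -r .` to a file before and after running `osv-scanner fix`, and pass the two files' contents to `fix_verified`. Because `resolve_ids` accepts aliases, it also shows what an alias-aware `--vulns` filter would have to do: map the CVE to the OSV primary ID first, then apply the fix to that ID.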