Update 'isExcepted' to check for CVE id #73
I stumbled across this looking for alternatives due to IBM/audit-ci#211. I think you're going to need to look at the advisory URL, not just the CVEs. There are at least some vulnerabilities that don't get assigned CVEs. See this comment on the audit-ci issue:
@leedm777, good point. Maybe even the
I don't see
That's entirely unclear, and probably an unintended consequence. The changing ids feel like a bug, but I'm not even sure where to report it. What I observe changing is the
@kyleclark1824 the solution looks good; it will be very useful to have it merged soon. For some odd reason, the IDs currently being used are changing frequently.
This patch only fixes npm v6 handling. npm v7 and newer don't even list the CVE in the JSON output; at least not with npm v8.3.1 😕
Yeah @leedm777, I was worried about that as well. This "fix" shouldn't hurt in those cases, but a full fix would definitely be required. I'll see if I can find the JSON output for the other versions and add a more robust fix. Probably poke at it tonight. I'm not seeing
@leedm777, I added some more conditions. The issue with I updated to check 4 places:
There are still cases where a v8 vuln (maybe 7?) will not "find" a matching ID with this logic, but this gives us many more options for ways to add exceptions. Below is an example of one of those cases using npm@latest
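As an added example (not code from the PR or the project), here is one way to implement an exception check that covers the four locations the comment describes: the npm v6 `id` and `cves` fields, and the auditReportVersion 2 `via[].source` and `via[].url` fields. The advisory objects, the numeric ids and the GHSA/CVE identifiers in them are constructed placeholders, and the check also handles the `via` entries that are plain dependency-name strings rather than advisory objects.

```javascript
// Added example, not code from the PR or the project. Sample advisories below
// are constructed to mimic the two npm audit JSON shapes discussed in the thread.

// Normalise whatever the user put in the exception list (numeric advisory ids,
// CVE ids or GitHub advisory ids) so they compare as case-insensitive strings.
function normaliseId(id) {
  return String(id).trim().toUpperCase();
}

// Collect every identifier an advisory object exposes, in both report formats.
function advisoryIds(cur) {
  const ids = [];
  if (cur.id !== undefined) ids.push(cur.id);          // npm v6: numeric advisory id
  if (Array.isArray(cur.cves)) ids.push(...cur.cves);  // npm v6: array of CVE ids
  if (Array.isArray(cur.via)) {
    for (const v of cur.via) {
      // auditReportVersion 2: `via` mixes advisory objects with plain strings
      // (the name of the dependency the vulnerability comes through); skip strings.
      if (typeof v !== 'object' || v === null) continue;
      if (v.source !== undefined) ids.push(v.source);  // numeric advisory id
      if (typeof v.url === 'string') {
        // Pull the GHSA or CVE identifier out of the advisory URL, if present.
        const ghsa = v.url.match(/GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i);
        if (ghsa) ids.push(ghsa[0]);
        const cve = v.url.match(/CVE-\d{4}-\d+/i);
        if (cve) ids.push(cve[0]);
      }
    }
  }
  return ids.map(normaliseId);
}

// True when any identifier of the advisory is in the configured exception list.
function isExcepted(cur, exceptionIds) {
  const allowed = new Set(exceptionIds.map(normaliseId));
  return advisoryIds(cur).some(id => allowed.has(id));
}

// Constructed samples (placeholder ids, not real advisories).
const v6Advisory = { id: 1234, cves: ['CVE-2021-0001'], module_name: 'demo-pkg' };
const v7Advisory = {
  name: 'demo-pkg',
  via: ['parent-pkg', { source: 5678, url: 'https://github.com/advisories/GHSA-xxxx-yyyy-zzzz' }],
};
const v7EmptyVia = { name: 'other-pkg', via: [] };

console.log(isExcepted(v6Advisory, ['CVE-2021-0001']), isExcepted(v7Advisory, ['ghsa-xxxx-yyyy-zzzz']));
```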
Hey @kyle-clark1824, thanks for initiating this change! Let's work on this in a separate branch.
```javascript
// Exception check as posted in the PR. The first two clauses cover npm v6 report
// fields; the last two cover auditReportVersion 2 (npm v7/v8). Guards on
// cur.via[0] were added so an empty `via` array does not throw, and the original
// `.contains` (not a String method) is replaced with `.includes`.
if (cur.id && exceptionIds.includes(Number(cur.id)) || // NPM v6 contains 'id's to use
    (cur.cves && exceptionIds.filter(id => cur.cves.includes(id)).length > 0) || // NPM v6 can also have an array of cve id's
    (cur.via && cur.via[0] && cur.via[0].source && exceptionIds.includes(Number(cur.via[0].source))) || // auditReportVersion: 2. Check via.source for id
    (cur.via && cur.via[0] && cur.via[0].url && exceptionIds.filter(id => cur.via[0].url.includes(String(id))).length > 0)) // auditReportVersion: 2. Check via.url for github id
```
this seems to be v7/v8 report structure, might need to move this checking to below v7 handling
Hey @jeemok. Yup, I would say the v7/8 work should be down with the v7 handling, sorry about that! Glad you're able to take a look; I was really just hoping to get some ideas out there on how we could improve the ID stability a bit.
Let me merge this in first and help with the eslint issue and adding unit tests, etc.
Sounds good @jeemok, thanks!
Making this PR because every time a vulnerability gets updated the ID seems to change. So I constantly have to update my .nsprc file with the new ID.
It looks like the JSON output from the audit contains a `cves` property with the GitHub CVE IDs. So would something like this work? If we don't have a match on `cur.id`, check the CVE IDs. Not ideal having numeric and non-numeric IDs, but that should allow the CVE ID to be used in the .nsprc as well as the other standard IDs.
Related issue: #60