Confusing security reports #15214
Unanswered
mcandre asked this question in Code Security
Replies: 0 comments
Dependabot shows conflicting information on the basic status of vulnerabilities.
I'm getting email alerts AND open security alert tickets, YET when I investigate, dependabot remarks that the vulnerability is already patched. How am I supposed to interpret that? Which part of the system is correct? Screenshot:
If the security issue is fixed, then please go ahead and automatically close (resolve) the ticket. Don't bug me with email reports for things that are already resolved, either.
Just to add further confusion, dependabot doesn't always behave the same way in the security tickets. Sometimes it doesn't even recognize that the version has been updated in the project:
At least two things appear to be broken in dependabot: