BUG dagster false positive of MAL-2024-7846

[rs-aewag]

Describe the bug
OSSF scorecard result lists false positive vulnerability MAL-2024-7846 for the dagster repository - for example deps.dev does not list it for the PyPI packages.

[spencerschrock]

This is triggering from /docs/yarn.lock, which has a dependency on dagster-docs, and is sourced from the malicious packages repository: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dagster-docs/MAL-2024-7846.json

You can report false positives via the malicious packages repository.
https://github.com/ossf/malicious-packages?tab=readme-ov-file#false-positives

cc @calebbrown

[calebbrown]

I think this is a scorecard bug.

A malicious dagster-docs was uploaded to NPM and taken down.

From the /docs/yarn.lock file it indicates that the dagster-docs it is using is not an NPM package, but a local package:

"dagster-docs@workspace:.":
  version: 0.0.0-use.local
  resolution: "dagster-docs@workspace:."

I think the yarn.lock parsing should be able to distinguish between @npm and @workspace.

[spencerschrock]

I think this is a scorecard bug.

Which is actually an osv-scanner (or rather osv-scalibr) bug. I can file something upstream