BUG: Not detecting correctly npm merge vulnerability #410

Closed
gabibguti opened this issue Jun 14, 2023 · 2 comments

@gabibguti

Describe the bug

OSV Scanner is not correctly identifying the vulnerabilities for the https://github.com/airbnb/lottie-web case. OSV Scanner reports different results than npm audit, which is the npm command to identify security vulnerabilities in the project dependencies as per npm documentation. While npm audit reports GHSA-7wpw-2hjm-89gp as a vulnerability, OSV Scanner reports no vulnerabilities, even though this vulnerability is in the database.

Reproduction steps

Having in mind that Scorecard uses OSV Scanner to identify vulnerabilities, getting Scorecard results on vulnerabilities for airbnb/lottie-web, we have:

  1. Run Scorecard v4.10.5 for https://github.com/airbnb/lottie-web using --repo or --npm flag
  2. Check Vulnerabilities scores 10

And getting npm results on vulnerabilities for airbnb/lottie-web, we have:

  1. Checkout to https://github.com/airbnb/lottie-web repository
  2. In your machine, run npm ci to install dependencies
  3. In your machine, run npm audit to identify vulnerabilities
  4. See that npm audit reports 1 vulnerability: GHSA-7wpw-2hjm-89gp

Additional context

In airbnb/lottie-web's case, the vulnerability occurs because package.json lists the watch dependency, which depends on exec-sh, which depends on merge. merge is the npm package containing the vulnerability. The possible edge case here is that there's no package-lock.json and package.json lists the dependency on watch to a range of 1.0.2 or higher, as seen here. The problem here is that the latest available version of watch is 1.0.2 and it's unlikely there will be new releases. Therefore, whoever installs the package.json dependencies right now will install a vulnerable watch version. IMO, that should be identified as a vulnerability.

Complementing the problem, watch is unlikely to receive new releases because there haven't been any releases or commits in the past 5 years. It's pretty much abandoned.

For reference on watch:

@another-rex
Collaborator

We scan package-lock.json instead of package.json files, which is why it can't see the merge dependency, though with guided remediation capabilities coming to osv-scanner (#352) we will be getting the ability to scan package.json, and get the merge dependency from the graphs provided by https://deps.dev.

It also looks like the package has only devDependencies, which could be why there is no package-lock.json, and also makes the vulnerability seem to be unexploitable in this case? (Still good to have the option to scan package.json though).

@another-rex
Collaborator

Created a tracking issue for this feature: #416, closing in favor of that
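
Added example (not part of the issue thread and not osv-scanner's own code): a check for the blind spot discussed above, where a repository has a package.json with declared dependencies but no lockfile for a lockfile-based scanner to read. The function names, the lockfile list, the exact-version pattern and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example: pure functions over a file listing and a parsed package.json (no I/O).
// Lockfiles written by npm, Yarn and pnpm. Which of these a given scanner
// actually reads is an assumption; check it against the scanner's documentation.
const LOCKFILES = ['package-lock.json', 'npm-shrinkwrap.json', 'yarn.lock', 'pnpm-lock.yaml'];
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Simplified test for an exact version such as "1.0.2" or "v1.0.2-beta.1".
// Ranges, dist-tags, URLs and git specs all count as floating.
const EXACT = /^[=v]?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isFloating(spec) {
  return !EXACT.test(String(spec).trim());
}

// fileNames: names in the repository root; manifest: parsed package.json object.
function lockfileCoverage(fileNames, manifest) {
  const lockfiles = fileNames.filter((f) => LOCKFILES.includes(f));
  const declared = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      declared.push({ section, name, spec, floating: isFloating(spec) });
    }
  }
  return {
    lockfiles,
    declared,
    floating: declared.filter((d) => d.floating),
    // With no lockfile nothing records the resolved tree, so transitive
    // packages (watch -> exec-sh -> merge in the issue) stay invisible even
    // when every direct dependency is pinned to an exact version.
    blindSpot: fileNames.includes('package.json') && lockfiles.length === 0 && declared.length > 0,
  };
}

// Constructed sample: '>=1.0.2' stands in for the "range of 1.0.2 or higher"
// described in the issue; 'example-pinned-lib' is a hypothetical package.
const sampleFiles = ['package.json', 'README.md'];
const sampleManifest = {
  devDependencies: { watch: '>=1.0.2', 'example-pinned-lib': '2.0.0' },
};
const report = lockfileCoverage(sampleFiles, sampleManifest);
console.log(JSON.stringify(report, null, 2));
```

A `blindSpot` result of `true` means a clean lockfile-scan result says nothing about the project's dependencies; running `npm audit` after an install, as in the reproduction steps, covers the resolved tree instead.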
