Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scan manifest files as well (not just lockfiles) #416

Open
another-rex opened this issue Jun 19, 2023 · 6 comments
Open

Scan manifest files as well (not just lockfiles) #416

another-rex opened this issue Jun 19, 2023 · 6 comments
Labels
backlog Important but currently unprioritized enhancement New feature or request

Comments

@another-rex
Copy link
Collaborator

Add the ability to scan manifest files e.g. package.json in addition to package-lock.json. Possibly using deps.dev dependency graph data to scan transitive dependencies.

Motivation: Some projects don't check in their package-lock.json files, breaking automated repo scanning that's done by projects like scorecard. E/.g see #410

Related #352
@another-rex another-rex added the enhancement New feature or request label Jun 19, 2023
@another-rex another-rex mentioned this issue Jun 19, 2023
Closed
@seelder seelder mentioned this issue Dec 14, 2023
Closed
@spencerschrock
Copy link
Contributor

Would this also help with cases where the project being analyzed is the one with vulnerabilities (as opposed to dependencies)?

For example, consider the archived npm package parsejson, which has an advisory against it.

$ osv-scanner -r .
Scanning dir .
Scanning /tmp/parsejson/ at commit d2986dc30989377409102516ecdebbfd06cbf28f
No issues found

Or is osv-scanner intended to be used only to find vulns in your dependencies, not in the project being analyzed?

@another-rex
Copy link
Collaborator Author

It'll be good to add support to find vulns in the project being analyzed. The only way we are doing it currently is by git commit, which we only really enumerate for C/C++ advisories, which is why osv-scanner did not return a result.

Couple issues I can think of:

  • If we scan the package.json/package-lock.json, and it returns a vulnerable version, since it's a project you are editing, it could have been already patched, just the version has not been bumped up yet, but maybe that's an expected behavior.
  • A local package name (that has not been published) might be the same as a published package, but that doesn't mean they are the same package, and this false positive matching could be pretty common.

@spencerschrock spencerschrock mentioned this issue Mar 18, 2024
Open
@cuixq cuixq mentioned this issue Jun 3, 2024
Open
@github-actions GitHub Actions
Copy link

This issue has not had any activity for 60 days and will be automatically closed in two weeks

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Jul 22, 2024
@cuixq cuixq mentioned this issue Jul 30, 2024
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 5, 2024

Automatically closing stale issue

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 5, 2024
@cuixq cuixq added backlog Important but currently unprioritized and removed stale The issue or PR is stale and pending automated closure labels Aug 6, 2024
@cuixq cuixq reopened this Aug 6, 2024
@andrewpollock
Copy link
Contributor

Motivation: Some projects don't check in their package-lock.json files, breaking automated repo scanning

Silly question: why not just generate the package-lock.json at scan time? Is the desire to not have to clone the repo and do this?

@cuixq
Copy link
Contributor

cuixq commented Sep 16, 2024

I think to generate the lockfile at scan time is more like "relock" - the generated lockfile may be different.

@another-rex another-rex mentioned this issue Sep 18, 2024
Open
@G-Rath G-Rath mentioned this issue Oct 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backlog Important but currently unprioritized enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@spencerschrock @andrewpollock @cuixq @another-rex