Comments (10)
bh86
commented on June 12, 2024
1
So the issue seems to only happen when the project type is not specified. I am working on a fix for this regardless given some projects have multiple dependency types.
Thanks Caroline! Indeed, I don't specify any project type because usually my sbom file contains multiple package types.
By looking at the source code, it seems the project type argument is somehow mandatory to get correct results. My assumption was that you extract the project type from the purl.
from dep-scan.
cerrussell
commented on June 12, 2024
1
@ashemedai @bh86 @yossipik I've put out a fix on the linked branch. Please test it out and let me know how it goes!
from dep-scan.
yossipik
commented on June 12, 2024
1
works! thanks for fixing it
from dep-scan.
prabhu
commented on June 12, 2024
@ashemedai Thank you for a reproducible test case. We will investigate and update here.
from dep-scan.
bh86
commented on June 12, 2024
I have the same issue. For examples:
pkg:npm/[email protected]->CVE-2020-15133(Ruby version).pkg:pypi/[email protected]->CVE-2022-35977(Redis itself, not the py client).pkg:npm/[email protected]->CVE-2022-32511(Ruby version).
from dep-scan.
yossipik
commented on June 12, 2024
We have a similar issue with many vulns - here are some examples
pkg:pypi/[email protected] -> all CVEs related to K8S
pkg:pypi/[email protected] -> all CVEs related to ES
pkg:npm/[email protected] ->
* CVE-2022-28948
* CVE-2021-4235 (Go)
* CVE-2022-3064 (Go)
* pkg:npm/[email protected] ->
* CVE-2018-1002207 (Go version)
* CVE-2019-10743
* pkg:pypi/[email protected] -> CVE-2023-34617 (java)
* pkg:npm/firebase/[email protected] -> CVE-2021-20291 (Go version)
* pkg:npm/[email protected] -> CVE-2017-18589 (Rust)
Do you have an ETA for fixing this?
Thanks!
from dep-scan.
prabhu
commented on June 12, 2024
@bh86 @yossipik we might need a way to reproduce this. Could you join our discord and share a sample project or sbom?
from dep-scan.
cerrussell
commented on June 12, 2024
So the issue seems to only happen when the project type is not specified. I am working on a fix for this regardless given some projects have multiple dependency types.
from dep-scan.
prabhu
commented on June 12, 2024
Please retest with the 4.2.1 release.
from dep-scan.
prabhu
commented on June 12, 2024
Thank you for the confirmation! Please share your love on social media.
from dep-scan.
Related Issues (20)
- Feature: 1. more complete report in json and cyclonedx-json. 2. error when get sbom from trivy or syft. HOT 6
- Bug: cvss score is appearing as 0 from certain CVEs HOT 3
- Bug: cvss score for pypi vulnerabilities are incorrect HOT 1
- Bug: Pypi misses
- Feature: nu plugin
- Feature: pyproject.nix poc
- Feature: Support for nix packages
- [v6] Support for cpe based searches
- [v6] Prefer xz vdb over rafs
- Feature: VDB update frequency information HOT 2
- False-Positive: CVE-2020-14343 HOT 9
- False-Positive: CVE-2021-39913 HOT 7
- [FN] CVE-2023-5590 is not reported for [email protected] HOT 1
- False-Positive: I raised the topic on discord. I compared the DT, Depscan, and Grype analyzers. The results are presented in the table. I think it will be useful for correcting the quality of the analysis. HOT 1
- [dotnet] Runtime components naming
- [cdxgen 10.3.x] Breaking changes in cdxgen for go and npm HOT 1
- cargo:http is yielding a lot of false positives
- Bug: Reachability scan fails HOT 3
- [risk-audit] Detect use of Trusted publisher
- [container] almalinux 9.3 builds are broken
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dep-scan.