jeemok/better-npm-audit

Use new GitHub CVE ID

guillermaster opened this issue · 12 comments

Hi @jeemok

Now that the npm vulnerability advisories have been migrated to GitHub, the vulnerability identifier has changed. Vulnerabilities are now identified by a CVE ID, which is an alphanumeric code, as you can see in this example: Prototype Pollution in set-value.

I'm opening this issue so we can use the CVE ID in the list of ignored vulnerabilities instead of the long numeric value that is being used at the moment (e.g., 1002401), which is not identifiable when opening the advisory report on GitHub.

By the way, the recent updates on the package look great! Otsukaresama!

hey @guillermaster! 👋🏻 Otsukaresama desu!
😮 thanks for sharing this! I wasn't aware of it. Let me look into it ...

Any updates on this? :)

Hi @ocean89, sorry that I didn't post an update on this issue. The last time I checked, this would require a major rework in processing the security report and might need to handle existing numeric values for backward compatibility. At the moment I don't have much capacity to work on it and would appreciate it if anyone could help with this.

I did put in a PR for a first crack at implementing this. I'm sure it could use some polishing but may be a good starting point.

#73

This change is essentially required for this package to continue to be useful, and I think it should be prioritized. The IDs provided by npm audit have been changing rapidly over the past few days; in some cases I've seen a vulnerability have three or four different IDs.

I agree to prioritize this. Perhaps there is no feasible solution to support the v7 report right now (due to the lack of info provided in the audit report), but let's focus on v6 support first 👍🏻

hey all, I've published the beta version (or v3.7.0) for supporting CVE, CWE, GHSA, and URL IDs. Please try it out and let me know if there is an issue, otherwise, I will republish it under the latest tag next week.

Thank you all again for this amazing support 👍🏻

Thank you @jeemok for the update and this great project!

Thank you @jeemok for addressing this so promptly. Your comment says that CVEs are supported, but I haven't found this to be the case. Is CVE support only available for npm v6?

I can confirm that v3.7.0 does allow me to add exceptions using GHSAs on npm v8.1.0

you're right, @ZedLove. I will update the README to describe in more detail what is supported; in summary:

  • npm v6: supports ID (numeric), CVEs, CWE, URL (if it contains GHSA ID)
  • npm v7+: supports ID (numeric) & URL (if it contains GHSA ID)

you can refer to these two functions that handle the v6 and v7+ advisories for what they check:
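As an added example (not better-npm-audit's own functions, which the comment above refers to), the following Node.js snippet shows why the supported exception types differ between the two report shapes: an npm v6 `advisories` entry carries `id`, `cves`, `cwe` and a GitHub advisory `url`, whereas an npm v7+ `vulnerabilities[...].via` entry carries only a numeric `source` and the `url`, so a CVE or CWE exception has nothing to match on v7+. The sample reports, the CVE `CVE-0000-00001` and the GHSA `GHSA-aaaa-bbbb-cccc` are constructed placeholders, not real advisories; the numeric ID 1002401 is the one quoted in this thread. The example also reports exceptions that matched nothing, so a stale entry in the ignore list does not silently linger.

```javascript
// Added example, not better-npm-audit's code. Matches an exception list
// against `npm audit --json` output in the npm v6 shape ("advisories", keyed
// by numeric id, each carrying cves/cwe/url) and the npm v7+ shape
// ("vulnerabilities", whose "via" entries carry only a numeric "source" and a
// GitHub advisory "url"). Sample reports and CVE/GHSA values are constructed.

const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i;

// Turn one user-supplied exception into a "kind:value" key. A full advisory
// URL is accepted and reduced to the GHSA id it contains.
function exceptionKey(raw) {
  const s = String(raw).trim();
  if (/^\d+$/.test(s)) return `id:${Number(s)}`;
  if (/^CVE-\d{4}-\d{4,}$/i.test(s)) return `cve:${s.toUpperCase()}`;
  if (/^CWE-\d+$/i.test(s)) return `cwe:${s.toUpperCase()}`;
  const m = s.match(GHSA_RE);
  if (m) return `ghsa:${m[0].toUpperCase()}`;
  throw new Error(`unrecognised exception: ${raw}`);
}

// npm v6 advisory: numeric id plus CVE list, CWE and GitHub advisory URL.
function keysFromV6Advisory(adv) {
  const keys = new Set([`id:${adv.id}`]);
  for (const cve of adv.cves || []) keys.add(`cve:${cve.toUpperCase()}`);
  if (adv.cwe) keys.add(`cwe:${adv.cwe.toUpperCase()}`);
  const m = String(adv.url || '').match(GHSA_RE);
  if (m) keys.add(`ghsa:${m[0].toUpperCase()}`);
  return keys;
}

// npm v7+ "via" entry: only "source" (numeric) and "url" (GHSA) are present,
// so a CVE or CWE exception cannot match anything here.
function keysFromV7Via(via) {
  const keys = new Set();
  if (typeof via.source === 'number') keys.add(`id:${via.source}`);
  const m = String(via.url || '').match(GHSA_RE);
  if (m) keys.add(`ghsa:${m[0].toUpperCase()}`);
  return keys;
}

// Flatten either report shape into [{ label, keys }].
function collectAdvisories(report) {
  const found = [];
  if (report.advisories) {
    for (const adv of Object.values(report.advisories)) {
      found.push({ label: `${adv.module_name}#${adv.id}`, keys: keysFromV6Advisory(adv) });
    }
  } else if (report.vulnerabilities) {
    for (const vuln of Object.values(report.vulnerabilities)) {
      for (const via of vuln.via || []) {
        // A string entry just names the dependency that carries the advisory;
        // the advisory object itself is listed under that dependency.
        if (typeof via !== 'object') continue;
        found.push({ label: `${via.name}#${via.source}`, keys: keysFromV7Via(via) });
      }
    }
  }
  return found;
}

// Apply the exceptions; report which advisories were ignored, which remain,
// and which exceptions matched nothing in this report.
function applyExceptions(report, exceptions) {
  const wanted = exceptions.map(exceptionKey);
  const used = new Set();
  const ignored = [];
  const remaining = [];
  for (const adv of collectAdvisories(report)) {
    const hit = wanted.find((k) => adv.keys.has(k));
    if (hit) {
      used.add(hit);
      ignored.push(adv.label);
    } else {
      remaining.push(adv.label);
    }
  }
  const unused = exceptions.filter((_, i) => !used.has(wanted[i]));
  return { ignored, remaining, unused };
}

// Constructed sample reports (placeholder CVE/GHSA values, not real advisories).
const V6_REPORT = {
  advisories: {
    1002401: {
      id: 1002401,
      module_name: 'set-value',
      cves: ['CVE-0000-00001'],
      cwe: 'CWE-1321',
      url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc',
    },
  },
};

const V7_REPORT = {
  vulnerabilities: {
    'set-value': {
      name: 'set-value',
      via: [{ source: 1002401, name: 'set-value', url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc' }],
    },
    'some-parent': { name: 'some-parent', via: ['set-value'] },
  },
};

// Same exception list against both shapes: the CVE only matches on v6.
console.log(JSON.stringify(applyExceptions(V6_REPORT, ['CVE-0000-00001', 'GHSA-aaaa-bbbb-cccc'])));
console.log(JSON.stringify(applyExceptions(V7_REPORT, ['CVE-0000-00001', 'GHSA-aaaa-bbbb-cccc'])));
```

Running the two calls at the bottom shows the asymmetry the comment describes: against the v6 report the CVE exception silences the advisory, while against the v7+ report it lands in `unused` and only the GHSA entry matches.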

@jeemok I've noticed that, despite ignoring the advisories based on GHSA IDs, I am still seeing the notice about the IDs not matching any found vulns.

e.g.

🤠 All good!
8 of the excluded vulnerabilities did not match any of the found vulnerabilities:

hey @ZedLove, I've updated the unused exception handler and published it under v3.7.1. Please have a try and let me know if there is an issue :)

Version v3.7.1 is now published under the latest tag; I'll mark this issue as closed. Thank you all for your contributions to this!