tcosolutions/betterscan

Dependency files should always be scanned

Closed this issue · 7 comments

Issue

I ran osv-scan directly against my project, and it detected 4 vulnerable packages, but betterscan didn't find any. I expected the scan reports to match.

npm vulnerability scans.zip

I also included results for OWASP dependency-check in the zip file since it provided similar results to osv-scan, but osv-scan has been more thorough in my testing against Node.js and NuGet projects.

Theory

I'm wondering if the issue I'm seeing is that the package-lock.json was updated in a commit that had been scanned before BetterScan added the osv-scan tool. It takes hours to run BetterScan against all commits in the repo, so I have not attempted to verify this yet.

Version Info

I used the latest version of all of these tools as of today, 1/10/2023.

@carlin-q-scott Away from the keyboard. Theoretically you can modify the file package-lock.json or remove it from the state db.

Osv-scanner should be working, as well as others.

I just created a repo with only the package-lock.json and it did detect the vulnerable packages. I don't love the info in the report though, as it doesn't even mention the vulnerable package or package version. It's just the ID of the vulnerability report. I can Google that to get the vulnerability details though. It would be nice if it linked to the vulnerability report at least.

This has revealed a shortcoming to me of the design philosophy of this tool. As new vulnerabilities are discovered for existing dependencies, those vulnerabilities won't be detected until I update a dependency for the impacted project.

@carlin-q-scott It can be adjusted to always scan dependency DBs, i.e. package-lock.json and others. This could address it. What do you think?

More details can also be added to the description field; everything can be extracted.

I will look into it as time permits, PRs are also welcome.

Will rethink it to make it better in the PRO version.

I like your idea of always scanning dependency files. That alleviates my main concern in this issue.

I can open separate issues calling out various fields I'd like to see in my BetterScan report; issue per scanner? And if I have time I'll look into implementing those improvements myself.

For the sake of efficiency, I'd imagine it would be best to only scan HEAD for dependency issues, rather than each commit snapshot.

This is working for new repositories, but not existing repositories that already have scan data for the dependency files. How easy would it be to write a python script to purge scan results for the dependency files?

Thank you @carlin-q-scott

I think you can either modify each lockfile (new line or something?), maybe 2 commits, one modification, the other a revert? Maybe easier to do. Or go through the state database and remove entries for package files.

If you can contribute a script, that could be great (possibly also for other state db mangling).
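A starting point for the purge script discussed in the last two comments, as an added example that is not part of this thread or of betterscan itself. It assumes a SQLite state database with a hypothetical `scan_results` table and `file_path` column (the real betterscan schema is not shown here) and deletes the rows recorded for known dependency manifests, so the next run has to rescan those files with the current scanner set.

```python
"""Purge state-db rows for dependency manifests so they get rescanned.

Hypothetical schema: table `scan_results` with a `file_path` column.
Adjust TABLE / PATH_COL to match the actual betterscan state database.
"""
import fnmatch
import sqlite3

TABLE = "scan_results"   # assumption, not the real betterscan table name
PATH_COL = "file_path"   # assumption, not the real betterscan column name

# Manifest / lockfile names the dependency scanners read (constructed list).
DEPENDENCY_FILES = (
    "package-lock.json", "package.json", "yarn.lock", "pnpm-lock.yaml",
    "packages.lock.json", "*.csproj", "requirements.txt", "Pipfile.lock",
    "poetry.lock", "go.sum", "Gemfile.lock", "Cargo.lock", "composer.lock",
)


def is_dependency_file(path: str) -> bool:
    """True if the basename of `path` matches a known manifest pattern."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, pat) for pat in DEPENDENCY_FILES)


def purge_dependency_results(conn: sqlite3.Connection) -> int:
    """Delete rows whose path is a dependency file; return the count removed.

    Identifiers are validated (not parameterised, SQLite cannot bind them),
    rows are selected first, then deleted inside one transaction.
    """
    if not (TABLE.isidentifier() and PATH_COL.isidentifier()):
        raise ValueError("TABLE/PATH_COL must be plain SQL identifiers")
    rows = conn.execute(f"SELECT rowid, {PATH_COL} FROM {TABLE}").fetchall()
    doomed = [(rid,) for rid, path in rows if is_dependency_file(path or "")]
    with conn:  # commits on success, rolls back on any error
        conn.executemany(f"DELETE FROM {TABLE} WHERE rowid = ?", doomed)
    return len(doomed)


def demo() -> tuple:
    """Constructed in-memory DB mirroring the thread's scenario."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} ({PATH_COL} TEXT, scanner TEXT)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?)", [
        ("package-lock.json", "osv-scanner"),      # stale, should be purged
        ("src/app.js", "semgrep"),                  # unrelated, keep
        ("web/packages.lock.json", "osv-scanner"),  # NuGet lockfile, purge
        ("README.md", "gitleaks"),                  # keep
    ])
    removed = purge_dependency_results(conn)
    left = conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]
    return removed, left
```

For a real run, replace `sqlite3.connect(":memory:")` with a connection to a backup copy of the state database and check the returned count before touching the live file.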