I created this issue a while back, but since the issue still remains I would like to shed some light on it.
Package manager/ecosystem
JavaScript
Manifest contents prior to update
yarn.lock
package.json
Description
One of our packages, hellojs, is flagged with a vulnerability in the WhiteSource Vulnerability Database: all versions below 1.18.6 are affected. However, Dependabot won't recognise this vulnerability. You can go to the WhiteSource Vulnerability Database and search for CVE-2020-7741.
I have created a repo where I can reproduce the issue. I have added hellojs and jquery at versions that have a vulnerability. We can see that Dependabot finds the jquery vulnerability and creates a PR, but not for hellojs.
Is this a bug or have I missed something?
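As an added example that is not part of the original issue or of Dependabot's code: a small offline check that matches a v1 yarn.lock against a local advisory list, so a team can catch a package while an advisory is still missing from the database its tooling consumes. The hellojs advisory data (GHSA-7jh9-6cpf-h4m7 / CVE-2020-7741, all versions below 1.18.6 affected) is taken from this thread; the lockfile contents, the hellojs version 1.18.5 and the other packages are constructed for illustration, and the range syntax is a deliberately minimal subset of semver.

```javascript
// Added example (not from the issue or Dependabot): match a yarn.lock against advisories.
// The hellojs range is from the thread; everything in SAMPLE_YARN_LOCK is constructed.

const ADVISORIES = [
  {
    package: "hellojs",
    id: "GHSA-7jh9-6cpf-h4m7",
    cve: "CVE-2020-7741",
    // Range syntax supported here: space-separated comparators (<, <=, >, >=, =), all must hold.
    affected: "<1.18.6",
  },
];

// Constructed v1 yarn.lock fragment; versions and packages are hypothetical.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


hellojs@^1.18.0:
  version "1.18.5"
  resolved "https://registry.yarnpkg.com/hellojs/-/hellojs-1.18.5.tgz"

"@types/node@^14.0.0", "@types/node@^14.14.0":
  version "14.14.6"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-14.14.6.tgz"

left-pad@^1.3.0:
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.3.0.tgz"
`;

// Parse a v1 yarn.lock into [{ name, version }], one per resolved entry.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Header: one or more comma-separated "name@range" specs, possibly quoted.
      const firstSpec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      // The package name is everything before the last "@" (handles scoped packages).
      current = { name: firstSpec.slice(0, firstSpec.lastIndexOf("@")), version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries.filter((e) => e.version !== null);
}

// Compare dotted versions numerically; prerelease/build suffixes are ignored for simplicity.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy every comparator in `range`, e.g. "<1.18.6" or ">=1.0.0 <1.18.6"?
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const m = comp.match(/^(<=|>=|<|>|=)?(.+)$/);
    const c = compareVersions(version, m[2]);
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "=": c === 0 }[m[1] || "="];
  });
}

// Return every lockfile entry that falls inside an advisory's affected range.
function findVulnerable(lockText, advisories = ADVISORIES) {
  const hits = [];
  for (const entry of parseYarnLock(lockText)) {
    for (const adv of advisories) {
      if (adv.package === entry.name && satisfies(entry.version, adv.affected)) {
        hits.push({ ...entry, advisory: adv.id, cve: adv.cve });
      }
    }
  }
  return hits;
}

for (const hit of findVulnerable(SAMPLE_YARN_LOCK)) {
  console.log(`${hit.name}@${hit.version} is affected by ${hit.advisory} (${hit.cve})`);
}
```

The lockfile parser keys on the v1 layout only (unindented header ending in a colon, indented `version "…"` line); a production check would use a real semver library and pull advisory data from a feed rather than an inline list, but the matching logic is the same.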
The WhiteSource DB is not a source for Dependabot security updates; the advisory will have to be ingested into the GitHub Advisory DB. Our advisories team curates the data that is ingested into that DB, and they might be a little behind in this case.
I'll check with the team that curates these and will get back to you.
I see that this has now been highlighted here: https://github.com/advisories/GHSA-7jh9-6cpf-h4m7
@christoferolaison thanks for the clean repository that reproduces this issue!
Since https://github.com/christoferolaison/depandabot-test/pull/2 is open, this was just lag curating this specific CVE. Thanks for flagging it.