Description
We're running a vulnerablecode instance here https://vulnerablecode.atomist.com/, and have been doing some spot-checks on the data, and often see confusing results.
Take for example: https://nvd.nist.gov/vuln/detail/CVE-2021-32640
This was reported by Github, and is present on npmjs.org too.
However, a search for this on our vulnerablecode instance (on which we've run all the importers), doesn't show the npmjs package, just the debian ones (no purl with name ws
, just node-ws
)
https://vulnerablecode.atomist.com/vulnerabilities/20110
I'm curious about whether this is expected or are there bugs somewhere in the importers? Perhaps one importer is overwriting data from another? Or perhaps the npm importer isn't storing any data?
FWIW: running npm audit
on a project with an old version of ws
does suggest an upgrade, and this uses the same APIs as the npm importer AFAIK.
Any insights would be much appreciated.
Activity
pombredanne commentedon Jun 17, 2021
@kipz Thanks for the detailed report. It looks like a bug for sure. Let me try to reproduce on a fresh instance
Hritik14 commentedon Jun 25, 2021
I've looked into it and this is because currently our npm importer fetches the data from https://github.com/nodejs/security-wg which doesn't contain the required advisory. The said repository is not handling ecosystem vulnerabilities. There appears to be an ongoing discussion regarding this.
In short, the advisory data from nodejs is different from that of npm.
Ironically, we had #101 for collecting npm advisories which was closed in favor of the nodejs advisories.
We could either:
Further, there might be a problem with debian importer as the reported purl mentions
pkg:deb/debian/node-ws@1.1.0
which should be unrelated to the affected versions mentioned in the github advisory. This could be a result of #140sbs2001 commentedon Jul 6, 2021
@Hritik14 I get the feeling that nodejs-wg is abandoned last updated -> 3 months ago. Let's keep it as it is for awhile, meanwhile your (1) approach makes sense.
The won't be much work since the schemas both sources are indentical. See #228
pombredanne commentedon Jul 8, 2021
I guess that there may be some slow down per nodejs/security-wg#662 and we likely want to use both sources of https://registry.npmjs.org/-/npm/v1/security/advisories and https://github.com/nodejs/security-wg rather than just one in this case.
pombredanne commentedon Jul 8, 2021
Actually the problem may be deeper than this: https://nodejs.medium.com/node-js-ecosystem-vulnerability-reporting-program-winding-down-591d9a8cd2c7 ... this is basically close sourcing this source of npm issues at Snyk from the face of it.
So IMHO: