
Question: problem with npm importer or something else? #488

Open

Description

kipz (Contributor) opened this issue:

We're running a vulnerablecode instance here https://vulnerablecode.atomist.com/, and have been doing some spot-checks on the data, and often see confusing results.

Take for example: https://nvd.nist.gov/vuln/detail/CVE-2021-32640

This was reported by Github, and is present on npmjs.org too.

However, a search for this on our vulnerablecode instance (on which we've run all the importers) doesn't show the npmjs package, just the debian ones (no purl with name ws, just node-ws):

https://vulnerablecode.atomist.com/vulnerabilities/20110

I'm curious about whether this is expected or are there bugs somewhere in the importers? Perhaps one importer is overwriting data from another? Or perhaps the npm importer isn't storing any data?

FWIW: running npm audit on a project with an old version of ws does suggest an upgrade, and this uses the same APIs as the npm importer AFAIK.

Any insights would be much appreciated.

Activity

pombredanne (Member) commented on Jun 17, 2021

@kipz Thanks for the detailed report. It looks like a bug for sure. Let me try to reproduce on a fresh instance

Hritik14 (Collaborator) commented on Jun 25, 2021

I've looked into it and this is because currently our npm importer fetches the data from https://github.com/nodejs/security-wg which doesn't contain the required advisory. The said repository is not handling ecosystem vulnerabilities. There appears to be an ongoing discussion regarding this.

In short, the advisory data from nodejs is different from that of npm.
Ironically, we had #101 for collecting npm advisories which was closed in favor of the nodejs advisories.

We could either:

  • Mark current importer as nodejs only and create a separate importer for npm or
  • Merge both nodejs and npm in the current importer

Further, there might be a problem with debian importer as the reported purl mentions pkg:deb/debian/node-ws@1.1.0 which should be unrelated to the affected versions mentioned in the github advisory. This could be a result of #140

sbs2001 (Collaborator) commented on Jul 6, 2021

@Hritik14 I get the feeling that nodejs-wg is abandoned (last updated 3 months ago). Let's keep it as it is for a while; meanwhile your (1) approach makes sense.

There won't be much work since the schemas of both sources are identical. See #228

pombredanne (Member) commented on Jul 8, 2021

I guess that there may be some slow down per nodejs/security-wg#662 and we likely want to use both sources of https://registry.npmjs.org/-/npm/v1/security/advisories and https://github.com/nodejs/security-wg rather than just one in this case.

pombredanne (Member) commented on Jul 8, 2021

Actually the problem may be deeper than this: https://nodejs.medium.com/node-js-ecosystem-vulnerability-reporting-program-winding-down-591d9a8cd2c7 ... this is basically close-sourcing this source of npm issues at Snyk, from the face of it.
So IMHO:

  1. keep what we have and ensure we collect all
  2. possibly archive some of the raw upstream data
  3. we need more and more to ensure that we can cross ref these vulnerabilities to multi-source them IMHO
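The cross-referencing pombredanne asks for in point 3, as an added example that is not from this thread or from the vulnerablecode code base: advisories from several importers are unioned by CVE id, so a single lookup shows both the npm and the Debian package, and a coverage check flags the CVEs a given source never reported (the symptom kipz observed for ws). The feed records and the `CVE-XXXX-EXAMPLE` id are constructed placeholders, not real importer output.

```python
from collections import defaultdict

# Constructed sample advisories, reduced to the keys needed for cross-referencing:
# (source, CVE id, package URL). Real importer output carries many more fields.
NODEJS_WG = [
    # as the thread notes, the nodejs/security-wg feed lacks the ws advisory
    ("nodejs/security-wg", "CVE-XXXX-EXAMPLE", "pkg:npm/example-pkg"),
]
NPM_REGISTRY = [
    ("registry.npmjs.org", "CVE-2021-32640", "pkg:npm/ws"),
    ("registry.npmjs.org", "CVE-XXXX-EXAMPLE", "pkg:npm/example-pkg"),
]
DEBIAN = [
    ("debian", "CVE-2021-32640", "pkg:deb/debian/node-ws@1.1.0"),
]


def merge_by_cve(*feeds):
    """Union advisories from every feed, keyed by CVE id.

    Each value records which sources reported the CVE and the package URLs
    they attached to it, so npm and Debian purls for one CVE sit together
    instead of one importer's view hiding the other's.
    """
    merged = defaultdict(lambda: {"sources": set(), "purls": set()})
    for feed in feeds:
        for source, cve, purl in feed:
            merged[cve]["sources"].add(source)
            merged[cve]["purls"].add(purl)
    return dict(merged)


def coverage_gaps(merged, source):
    """CVEs known from other sources that `source` did not report at all."""
    return sorted(cve for cve, rec in merged.items() if source not in rec["sources"])


def purls_for(merged, cve, purl_type):
    """Package URLs recorded for `cve` within one purl type, e.g. 'npm' or 'deb'."""
    rec = merged.get(cve, {"purls": set()})
    return sorted(p for p in rec["purls"] if p.startswith(f"pkg:{purl_type}/"))


if __name__ == "__main__":
    merged = merge_by_cve(NODEJS_WG, NPM_REGISTRY, DEBIAN)
    print(coverage_gaps(merged, "nodejs/security-wg"))  # ['CVE-2021-32640']
    print(purls_for(merged, "CVE-2021-32640", "npm"))    # ['pkg:npm/ws']
```

With only the nodejs/security-wg and Debian feeds merged, `purls_for` returns no npm purl for the ws CVE, which reproduces the confusing result from the report.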