8000 VCIO-next: Do not report ghost package as a fix for vulnerability by keshav-space · Pull Request #1679 · aboutcode-org/vulnerablecode · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

VCIO-next: Do not report ghost package as a fix for vulnerability #1679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Dec 3, 2024

Conversation

keshav-space
Copy link
Member
@keshav-space keshav-space commented Nov 20, 2024

UI: Package Details

Before After
Screenshot from 2024-11-20 16-02-29 Screenshot from 2024-11-20 16-02-57

UI: Vulnerability Details

Before After
Screenshot from 2024-11-20 18-18-02 Screenshot from 2024-11-20 18-18-29

UI: Package Details with Latest/Next non-vulnerable

Before After
Screenshot from 2024-11-22 13-29-56 Screenshot from 2024-11-22 13-30-10

APIv1: /api/vulnerabilities

Before After
Screenshot from 2024-11-20 18-23-45 Screenshot from 2024-11-20 18-24-25

APIv1: /api/packages

Before After
Screenshot from 2024-11-20 18-25-04 Screenshot from 2024-11-20 18-25-21

APIv2: /api/v2/packages with latest/next non-vulnerable

Before After
Screenshot from 2024-11-22 13-25-50 Screenshot from 2024-11-22 13-28-33

APIv2: /api/v2/packages with ghost fixing_vulnerabilities

Before After
Screenshot from 2024-11-22 13-31-25 Screenshot from 2024-11-22 13-34-41

Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Copy link
Contributor
@TG1999 TG1999 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@TG1999 TG1999 merged commit c21bf1f into main Dec 3, 2024
10 checks passed
@keshav-space keshav-space deleted the 1650-ghost-cant-fix branch December 3, 2024 16:20
@pombredanne pombredanne changed the title Do not report ghost package as a fix for vulnerability VCIO-next: Do not report ghost package as a fix for vulnerability Dec 23, 2024
@keshav-space
Copy link
Member Author

To test this, search for pkg:maven/log4j/log4j@2.17.0 https://public.vulnerablecode.io/packages/pkg:maven/log4j/log4j@2.17.0, it is no longer reported as fixed for the vulnerability since it's a ghost package.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Development

Successfully merging this pull request may close these issues.

Ghost package should not be reported as a fix for vulnerability
2 participants
0