-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
False positive detection of a vulnerability that has been fixed #676
Comments
@AgustinBettati Thank you for reporting this issue. After spending a bit of time trying to find out how vulnerabilities work in pinned SHAs, I don't think Dependency Review Action has a great answer to offer here. Suppose we have an Action with two commits:
How do we know that version I looked into the vulnerability ranges GitHub reports for this Action, and it reports that this vulnerability affects all versions @jonjanego Pinning SHAs is one of the recommended security practices. Do you know if/how Dependency Graph or other supply chain products in GitHub do version comparisons against SHAs to find vulnerabilities? |
A bit more triage info:
The DR API endpoint is wrongly reporting that |
@febuiles thank you for the updates here. |
@AgustinBettati Sorry for the confusion. There's nothing wrong with the |
I've merged a fix today for the API issue. We should no longer consider pinned shas to be comparable versions. |
Problem statement
We have a PR check that is currently failing as it detects there is a vulnerability in the version that is being updated.
This however does not seem accurate, as the version of tj-actions/verify-changed-files is being bumped from 58f5ac78e19e6cc3fb9d4048ae1a13bf364fa983 to 5ef175f2fd84957530d0fdd1384a541069e403f2 (latest commit at the time), while the fix for the mentioned vulnerability (GHSA-ghm2-rq8q-wrhc) was fixed in a commit previous to both of these 2acec78834cc690f70b3445712363fc314224127.
Given that the pinned sha already has the fix I would expect to not have this vulnerability failure.
The text was updated successfully, but these errors were encountered: