Use new GitHub CVE ID about better-npm-audit HOT 12 CLOSED

This change is essentially required for this package to continue to be useful and I think it should be prioritized. The IDs provided by npm audit have been changing rapidly over the past few days; in some cases I've seen a vulnerability have three or four different IDs

from better-npm-audit.

Thank you @jeemok for the update and this great project!

from better-npm-audit.

Hi @ocean89, sorry that I didn't post an update on this issue. The last time I checked, this would require a major rework in processing the security report and might need to handle existing numeric values for backward compatibility. At the moment I don't have much capacity to work on it and would appreciate it if anyone can help with this

from better-npm-audit.

hey all, I've published the beta version (or v3.7.0) for supporting CVE, CWE, GHSA, and URL IDs. Please try it out and let me know if there is an issue, otherwise, I will republish it under the latest tag next week.

Thank you all again for this amazing support 👍🏻

from better-npm-audit.

you're right @ZedLove, I will update the README to describe more in detail what is supported; in summary:

• npm v6: supports ID (numeric), CVEs, CWE, URL (if it contains GHSA ID)
• npm v7+: supports ID (numeric) & URL (if it contains GHSA ID)

you can refer to these two functions that handle v6 and v7+ advisory for what it checks:

• v6: https://github.com/jeemok/better-npm-audit/blob/beta/src/utils/vulnerability.ts#L51
• v7: https://github.com/jeemok/better-npm-audit/blob/beta/src/utils/vulnerability.ts#L77

from better-npm-audit.

@jeemok I've noticed that, despite ignoring the advisories based on GHSA IDs, I am still seeing the notice about the IDs not matching any found vulns

e.g.

🤝  All good!
8 of the excluded vulnerabilities did not match any of the found vulnerabilities:

from better-npm-audit.

hey @ZedLove, I've updated the unused exception handler and published it under v3.7.1. Please have a try and let me know if there is an issue :)

the version v3.7.1 is published under the latest tag, I'll mark this issue closed. Thank you all for your contribution to this!

from better-npm-audit.

hey @guillermaster! 👋🏻 Otsukaresamedesu!
😮 thanks for sharing this! I wasn't aware of it. Let me look into it ...

from better-npm-audit.

Any updates on this? :)

from better-npm-audit.

I did put in a PR for a first crack at implementing this. I'm sure it could use some polishing but may be a good starting point.

#73

from better-npm-audit.

I agree to prioritize this, perhaps there is no feasible solution to support the v7 report now (due to lack of info provided in the audit report), but let's focus on v6 support first 👍🏻

from better-npm-audit.

Thank you @jeemok for addressing this so promptly. Your comment says that CVEs are supported, but I haven't found this to be the case. Is CVE support only available for npm v6?

I can confirm that v3.7.0 does allow me to add exceptions using GHSAs on npm v8.1.0

from better-npm-audit.