
Problem with PGV-22381O7 (tree-kill 1.2.2 incorrectly flagged vulnerable)



  • Hi there,

    I'm not sure if this is a ProGet issue, a problem with the ProGet Vulnerabilities Database or something completely different, so I'm just going to post my observation.

    The npm package tree-kill has been flagged as vulnerable in all versions - including the latest version 1.2.2 - due to PGV-22381O7:

    [screenshot]
    [screenshot]

    There are several problems with this.

    First of all, as you can see on the second screenshot, that vulnerability has been withdrawn, which raises the first question: How should ProGet handle withdrawn vulnerabilities?

    However, the main problem here is that PGV-22381O7 claims that "all" versions of tree-kill are affected:

    [screenshot]

    That statement is incorrect. In fact, tree-kill fixed the problem with version 1.2.2.

    PGV-22381O7 seems to be based on https://github.com/advisories/GHSA-mxq6-vrrr-ppmg, which is a duplicate of https://github.com/advisories/GHSA-884p-74jh-xrg2. While the first one only claims that versions <= 1.2.1 are affected (but does not display any information on patched versions), the second one clearly states that version 1.2.2 has been patched:

    [screenshot]

    [screenshot]

    One more thought on this: Is it generally a good idea to flag "all versions" of a package as vulnerable? Wouldn't that affect any future version of that package as well, regardless of whether it has been patched or not? Or is the idea that those entries will be updated as soon as there is a patched version of the package?


  • inedo-engineer

    Hi @sebastian,

    Thanks for sharing this...

    I don't really know the answer, but I searched for "tree-kill" on Inedo Security Labs, and found three results:

    We can see that PGV-22381O7 does say it "affects tree-kill (npm), versions (all)", so that's where the data is coming from in ProGet. My guess is that it's a data update/aggregation problem, maybe related to the Withdrawn status?

    There is apparently some use case for all as a version, and I guess it's exactly what you specified? A lot of Redhat/Linux system packages have all versions and get updated later.

    Anyway, ISL is managed by a different team, so I'll submit an internal request to review. It doesn't seem so urgent, just inconvenient/incorrect and easy to workaround in ProGet. But let me know if I misread that.

    As for "Withdrawn" vulnerabilities... we're open to ideas for what to change in ProGet 2025. There used to just be a handful, but there are a lot more now. Our original plan was to just delete them from ProGet, but instead we just showed the icon. Maybe we should delete them.

    Thanks,
    Alana



  • @atripp said in Problem with PGV-22381O7 (tree-kill 1.2.2 incorrectly flagged vulnerable):

    Anyway, ISL is managed by a different team, so I'll submit an internal request to review. It doesn't seem so urgent, just inconvenient/incorrect and easy to workaround in ProGet. But let me know if I misread that.

    You are correct; it's not an urgent problem, because I can just choose a different assessment for that entry (we have a special assessment "Manually Unblocked" for cases like that). The other two entries are correct (i.e. they display the affected version as < 1.2.2 or <= 1.2.1).

    As for "Withdrawn" vulnerabilities... we're open to ideas for what to change in ProGet 2025. There used to just be a handful, but there are a lot more now. Our original plan was to just delete them from ProGet, but instead we just showed the icon. Maybe we should delete them.

    My guess is that PGV-22381O7 wasn't updated after it was withdrawn, so when version 1.2.2 of the package was released (and GHSA-mxq6-vrrr-ppmg updated "affected versions" to <= 1.2.1; again, I'm just guessing that that's what happened), the PGV entry didn't really reflect that.

    I would expect one of the following two things to happen with withdrawn vulnerabilities:

    1. The team at Inedo Security Labs should update withdrawn packages, especially when they flag "all" versions of a package as vulnerable.

    2. There should be a special treatment for withdrawn vulnerabilities within ProGet. Maybe not deleting them (because I'm pretty sure there will be cases where I will be looking at a package and think "I swear this one had a vulnerability, but now I can't find it?" 😂 ), but maybe auto-assess a special status to it.
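As an added illustration of the two points raised in the thread (an "all" range keeps matching every future release, including patched ones, and a withdrawn advisory could be auto-assessed to a distinct status rather than deleted), the following is a small advisory matcher. It is not part of the thread and not ProGet's or Inedo Security Labs' code; the sample advisory list is constructed from the IDs and ranges mentioned above, and the withdrawn flags on the two GHSA entries, the range grammar and the "review" status are assumptions made for the example.

```javascript
// Added example (not Inedo's or ProGet's own code): a minimal matcher that
// shows how an advisory's "affected versions" range decides whether a given
// package version is flagged, why an "all" range also catches every future
// release, and one way to give withdrawn advisories a distinct status.

// Constructed sample entries modelled on the thread. The "all" range and the
// withdrawn flag of PGV-22381O7 come from the thread; the withdrawn flags on
// the two GHSA entries are assumed here for illustration only.
const SAMPLE_ADVISORIES = [
  { id: 'PGV-22381O7', pkg: 'tree-kill', affected: 'all', withdrawn: true },
  { id: 'GHSA-mxq6-vrrr-ppmg', pkg: 'tree-kill', affected: '<=1.2.1', withdrawn: false },
  { id: 'GHSA-884p-74jh-xrg2', pkg: 'tree-kill', affected: '<1.2.2', withdrawn: false },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; missing trailing parts count as 0.
function parseVersion(v) {
  const parts = v.trim().split('.');
  if (parts.length > 3 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`unsupported version string: ${v}`);
  }
  const nums = parts.map(Number);
  while (nums.length < 3) nums.push(0);
  return nums;
}

// Numeric comparison, component by component: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar assumed here: "all", or comma-separated constraints of the
// form "<x", "<=x", ">x", ">=x", "=x" that must all hold (e.g. ">=1.0.0, <1.2.2").
function rangeMatches(range, version) {
  if (range.trim() === 'all') return true; // matches every version, past and future
  return range.split(',').every((constraint) => {
    const m = constraint.trim().match(/^(<=|>=|<|>|=)\s*(\S+)$/);
    if (!m) throw new Error(`unsupported constraint: ${constraint}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1]) {
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Decide, per advisory, what a feed should do with one package version.
// 'block'  - range matches and the advisory is still active
// 'review' - range matches but the advisory was withdrawn (hypothetical
//            auto-assessed status instead of silently deleting the entry)
// 'clear'  - range does not match this version
function assessPackage(pkg, version, advisories) {
  return advisories
    .filter((a) => a.pkg === pkg)
    .map((a) => {
      const matched = rangeMatches(a.affected, version);
      let decision = 'clear';
      if (matched) decision = a.withdrawn ? 'review' : 'block';
      return { id: a.id, affected: a.affected, matched, decision };
    });
}

// Stand-alone run: the last affected release, the patched release and a
// hypothetical future release. Only the "all" entry still matches 1.2.2 and 9.9.9.
for (const v of ['1.2.1', '1.2.2', '9.9.9']) {
  console.log(`tree-kill@${v}`, assessPackage('tree-kill', v, SAMPLE_ADVISORIES));
}
```

Running it shows the asymmetry the thread describes: for 1.2.2 the two bounded ranges come back as `clear`, while the `all` entry still matches and would block the patched release if its withdrawn status were ignored; mapping matched-but-withdrawn to a separate `review` decision keeps the entry visible without treating it as an active finding.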


  • inedo-engineer

    @sebastian said in Problem with PGV-22381O7 (tree-kill 1.2.2 incorrectly flagged vulnerable):

    There should be a special treatment for withdrawn vulnerabilities within ProGet. Maybe not deleting them (because I'm pretty sure there will be cases where I will be looking at a package and think "I swear this one had a vulnerability, but now I can't find it?" ), but maybe auto-assess a special status to it.

    That's what we were worried about as well, having them disappear. Perhaps we just delete ones without assessments, and if you set a withdrawn vulnerability unassessed, it gets deleted 🤔

