
ProGet 2023.35: Wrong vulnerability-mapping?



  • Hi,

    we came across an issue in some of our projects which does not really make sense to us:
    [screenshot]
    If I have a look at "@types/http-proxy 1.17.14" it does not show any vulnerability:
    [screenshot]
    If I have a look at the vulnerability itself, it says that this vulnerability affects package "http-proxy <1.18.1":
    [screenshot]

    Could it be possible that the scope of the package is not considered in vulnerability scanning, and that "@types/http-proxy 1.17.14" leads to "http-proxy 1.17.14"?

    Or is there any other reason for this vulnerability to show up in our projects?

    I hope you can clarify this issue for me.

    Best,
    Caterina


  • inedo-engineer

    Hi @caterina ,

    This issue looks very familiar, and I'm almost certain it's a bug we fixed/discovered while testing ProGet 2024 prior to release. Basically, the npm scope was not considered for vulnerability searches during build analysis.

    This should not happen in ProGet 2024.

    Thanks,
    Alana
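    The scope-dropping mismatch described above, as an added example (not ProGet's code): a toy npm name parser and version-range check where a matcher that drops the scope flags "@types/http-proxy 1.17.14" against an advisory for "http-proxy <1.18.1", while the scope-aware matcher does not. The advisory record and the single-operator range syntax are constructed for this example.

```javascript
// Added example (not ProGet's code): why ignoring the npm scope when matching
// a vulnerability to a package produces the false positive described above.

// Split an npm package name into scope and bare name, e.g. "@types/http-proxy"
// -> { scope: "@types", name: "http-proxy" }; unscoped names get scope null.
function parseNpmName(full) {
  const m = /^(?:(@[^/]+)\/)?([^/@]+)$/.exec(full);
  if (!m) throw new Error(`invalid npm package name: ${full}`);
  return { scope: m[1] ?? null, name: m[2] };
}

// Compare two dotted numeric versions (toy semver, no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a single-operator range such as "<1.18.1"?
function inRange(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] ?? "=") {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

// Constructed advisory record modelled on the one shown in the thread.
const ADVISORY = { package: "http-proxy", range: "<1.18.1" };

// Buggy matcher: drops the scope, so "@types/http-proxy" collides with "http-proxy".
function matchesIgnoringScope(pkg, version, adv) {
  return parseNpmName(pkg).name === adv.package && inRange(version, adv.range);
}

// Scope-aware matcher: scope and bare name must both be equal.
function matchesWithScope(pkg, version, adv) {
  const p = parseNpmName(pkg), a = parseNpmName(adv.package);
  return p.scope === a.scope && p.name === a.name && inRange(version, adv.range);
}
```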



  • Hi @atripp,

    thank you very much for clarifying this.
    We are not able to update to ProGet 2024 yet, so I will just resolve this issue manually for our projects.

    Thanks,
    Caterina

