
Packagist vulnerabilities are not being reported for some packages


I’ve recently done an initial implementation for having osv-detector use the osv.dev api, but it looks like it’s not 1:1 with the offline databases, at least for Packagist.

Using this lockfile:
{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
    "content-hash": "b63765525e5fabcf664728d548ecf8a2",
    "packages": [
        {
            "name": "enshrined/svg-sanitize",
            "version": "0.13.3",
            "source": {
                "type": "git",
                "url": "https://github.com/darylldoyle/svg-sanitizer.git",
                "reference": "bc66593f255b7d2613d8f22041180036979b6403"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/darylldoyle/svg-sanitizer/zipball/bc66593f255b7d2613d8f22041180036979b6403",
                "reference": "bc66593f255b7d2613d8f22041180036979b6403",
                "shasum": ""
            },
            "require": {
                "ext-dom": "*",
                "ext-libxml": "*"
            },
            "require-dev": {
                "codeclimate/php-test-reporter": "^0.1.2",
                "phpunit/phpunit": "^6"
            },
            "type": "library",
            "autoload": {
                "psr-4": {
                    "enshrined\\svgSanitize\\": "src"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "GPL-2.0-or-later"
            ],
            "authors": [
                {
                    "name": "Daryll Doyle",
                    "email": "daryll@enshrined.co.uk"
                }
            ],
            "description": "An SVG sanitizer for PHP",
            "time": "2020-01-20T01:34:17+00:00"
        }
    ],
    "packages-dev": [],
    "aliases": [],
    "minimum-stability": "stable",
    "stability-flags": [],
    "prefer-stable": false,
    "prefer-lowest": false,
    "platform": [],
    "platform-dev": []
}
❯ osv-detector-t --use-api --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
/mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
  no known vulnerabilities found

❯ osv-detector-t --use-dbs --parse-as composer.lock /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt
/mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt: found 1 package
  Loading OSV databases for the following ecosystems:
    Packagist (862 vulnerabilities, including withdrawn - last updated Fri, 13 May 2022 23:58:47 GMT)

  enshrined/svg-sanitize@0.13.3 is affected by the following vulnerabilities:
    GHSA-fqx8-v33p-4qcc: Cross-site Scripting in enshrined/svg-sanitize (https://github.com/advisories/GHSA-fqx8-v33p-4qcc)

  1 known vulnerability found in /mnt/c/Users/Gareth/Downloads/safe-svg-composer.lock.txt

The vulnerability here correctly says it affects versions below 0.15.0, but it’s not reported even if I use the version:

❯ curl -X POST -d '{"commit": "bc66593f255b7d2613d8f22041180036979b6403"}' 'https://api.osv.dev/v1/query'
{}
❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
{}
❯ curl -X POST -d '{"package": {"name": "enshrined/svg-sanitize", "ecosystem": "Packagist"}, "version": "0.13.3"}' 'https://api.osv.dev/v1/query'
{}

Going with the lowest version for this package doesn’t return anything either, when it should return three vulnerabilities.

(My current theory is that this is because the advisory doesn’t have any versions, and the API isn’t checking against ranges?)
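The range check that the theory above describes, as an added example (not osv-detector's or osv.dev's code): a constructed advisory modelled on GHSA-fqx8-v33p-4qcc (fixed in 0.15.0, no explicit versions list) is matched against the lockfile's version by OSV range events, and the same lookup restricted to the versions list shows the miss. Assumed: a simplified Composer version comparison that ignores pre-release suffixes.

```python
"""Match a Composer package version against an OSV advisory's affected ranges."""
import re

# Constructed advisory (example data, modelled on GHSA-fqx8-v33p-4qcc):
# affects everything before 0.15.0 and carries ranges but no "versions" list.
ADVISORY = {
    "id": "GHSA-fqx8-v33p-4qcc",
    "affected": [{
        "package": {"ecosystem": "Packagist", "name": "enshrined/svg-sanitize"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "0.15.0"}]}],
    }],
}


def parse_version(v):
    """Normalise a Composer version ('v1.2.3', '1.2', '0') to a 4-tuple of ints.
    Assumption: pre-release suffixes such as '-beta1' are ignored."""
    nums = re.findall(r"\d+", v.lstrip("v").split("-")[0]) or ["0"]
    parts = [int(n) for n in nums][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def in_range(version, events):
    """OSV semantics: affected from 'introduced' (inclusive) until 'fixed' (exclusive).
    Events are sorted by version first, so their order in the advisory does not matter."""
    v = parse_version(version)
    affected = False
    for ev in sorted(events, key=lambda e: parse_version(next(iter(e.values())))):
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected


def is_affected(advisory, ecosystem, name, version, use_ranges=True):
    """Return True if the advisory covers (ecosystem, name, version).
    With use_ranges=False only the explicit versions list is consulted, which is
    the behaviour the issue suspects the API has."""
    for a in advisory["affected"]:
        pkg = a["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        if version in a.get("versions", []):
            return True
        if use_ranges and any(in_range(version, r["events"]) for r in a.get("ranges", [])):
            return True
    return False
```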

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 15 (6 by maintainers)

Top GitHub Comments

oliverchang commented, Jul 6, 2022

Closing this one as the required work is being tracked in https://github.com/google/osv.dev/issues/230.

oliverchang commented, May 16, 2022

Is that public somewhere? If so, could you link me to it?

It’s at https://github.com/google/osv/blob/master/lib/osv/ecosystems.py
