Snyk vulnerability range for unfixed vulnerabilities
See original GitHub issueSummary
Hi š
My name is Amotz, working for Snyk.
I wanted to update you that we are revisiting our current method for providing ranges for unfixed vulnerabilities, as part of a standardization effort we are doing in this area.
See https://github.com/GoogleChrome/lighthouse/issues/8748 for context.
In cases of unfixed vulnerabilities, weād like to provide *
as the range, and, if necessary, have it resolved on LH side to a specific version range (e.g. <=x.y.z
), instead of resolving it on our side.
We still donāt have clear timeline for this, but wanted to give you heads up and start a discussion.
Issue Analytics
- State:
- Created a year ago
- Comments:5
Top Results From Across the Web
Breaking down the 'critical' OpenSSL vulnerability - Snyk
The most deployed version of OpenSSL within the vulnerable range is 3.0.1, with around 50% of all hosts. Additionally OpenSSL is not theĀ ......
Read more >What is a Security Vulnerability? | Types & Remediation - Snyk
We discuss types of security vulnerabilities, vulnerability versus exploit, website security vulnerabilities, and security and vulnerability management.
Read more >Severity levels - Snyk User Docs
Severity levels are one factor feeding into Snyk's Priority Score for each vulnerability, along with factors such as Snyk's Exploit Maturity andĀ ...
Read more >Misconfigurations, known unpatched vulnerabilities, and ...
To break that down further, the top two incident types ā by a distance ā were misconfigurations (45%) and known unpatched vulnerabilitiesĀ ...
Read more >The-Snyk-Vulnerability-Database-1.pdf
ranges, vulnerable method, etc). CVSS score and vector assigned to 100% of vulnerabilities. Remediation with Precision Patches. In 20% of vulnerability ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
#9308 (more direct link to context)
We wouldnāt be able to confidently determine the correct ālatest versionā that snyk is considering ourselves in any post process stepā¦ (assumption: there is significant delay between the calculation of these constraints, the opening of PRs, and any post processing we might do as a result). Maybe if we are provided a timestamp for when a synk database was made we could use
npm view <package> time
to match to the correct verison?Any way ālatest package version as of this snyk db snapshotā could be kept as extra data in a new field?
This is something we could do. We can add another metadata file to the PR, and have something like this: