
The allowlist ids are not stable

See original GitHub issue

Our daily security scan for our Node.js projects failed today because the ids in our .audit-ci.json files no longer match the ids of the NPM advisory/GitHub vulnerability database.

A good example is CVE-2020-15168. When we added the allowlist entry for this vulnerability on Nov 4, the id was 1003055. Today it’s failing because the id is now 1005560.

I’m guessing this is a side effect of the recent move to use the GitHub Advisory Database as the backend for npm audit.

Maybe it would be better to identify the vulnerabilities by CVE, which is a more stable identifier?

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 12
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

5 reactions
GUI commented, Dec 4, 2021

We’ve also been bit by the IDs changing a few times since GitHub’s ownership change now.

Does every vulnerability in the database have a CVE? It looks like here’s maybe a few examples of ones that don’t have CVEs: https://github.com/advisories/GHSA-r8hm-w5f7-wj39, https://github.com/advisories/GHSA-pjwm-rvh2-c87w, https://github.com/advisories/GHSA-xx4c-jj58-r7x6 So with GitHub’s ownership, would using the github_advisory_id (eg, GHSA-xx4c-jj58-r7x6) as a stable identifier be better?

I’m not sure if these NPM IDs changing is expected behavior now, but if extra context helps, here is a specific example of how these IDs have changed for CVE-2021-33623:

Note that only the original and latest IDs seem to work at the https://npmjs.com/advisories/* URLs (and the ones in between now result in 404s).

1 reaction
mobilutz commented, Mar 12, 2022

FYI change to use GitHub-advisory-ids was merged and will be in 6.0.0 #217
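The issue and the comments above describe the same failure mode: an allowlist keyed by npm's numeric advisory id silently stops matching when the id is renumbered, while a GHSA id stays stable. The following is an added example (not audit-ci's own code, and not the 6.0.0 implementation referenced above) that shows how to match findings by GHSA id extracted from the advisory URL, with the numeric id kept only as a legacy fallback. The report layout follows the npm 7+ `npm audit --json` shape as I understand it (an assumption); `SAMPLE_REPORT`, the package names and the GHSA id in it are constructed placeholders, and the numeric ids 1003055 and 1005560 are the two from the issue.

```javascript
// Added example, not code from audit-ci: match npm audit findings against an
// allowlist by stable GHSA id instead of the drifting numeric npm advisory id.
// Report shape assumed to follow npm 7+ `npm audit --json` (auditReportVersion 2).

const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i;

// Constructed sample report. `source` is the numeric id that changed in the
// issue (1003055 -> 1005560); the GHSA id in `url` is a placeholder, not a
// real advisory, and the package names are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-lib": {
      name: "example-lib",
      severity: "high",
      via: [
        {
          source: 1005560,
          name: "example-lib",
          dependency: "example-lib",
          title: "Constructed advisory",
          url: "https://github.com/advisories/GHSA-xxxx-yyyy-zzzz",
          severity: "high",
          range: "<2.0.0",
        },
      ],
    },
    "depends-on-example-lib": {
      name: "depends-on-example-lib",
      severity: "high",
      via: ["example-lib"], // transitive: a string pointing at another finding
    },
  },
};

// Case-insensitive key for both GHSA ids and numeric ids.
function normalizeId(id) {
  return String(id).trim().toLowerCase();
}

// Pull the GHSA id out of an advisory URL; null when the URL has none
// (e.g. a legacy https://npmjs.com/advisories/<number> link).
function ghsaIdFromUrl(url) {
  const m = GHSA_RE.exec(url || "");
  return m ? "GHSA-" + m[0].slice(5).toLowerCase() : null;
}

// One record per concrete advisory object. String entries in `via` are
// transitive pointers to another package's finding and carry no advisory.
function extractAdvisories(report) {
  const out = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via !== "object" || via === null) continue;
      out.push({
        package: pkg,
        numericId: via.source,
        ghsaId: ghsaIdFromUrl(via.url),
        severity: via.severity,
      });
    }
  }
  return out;
}

// Match each advisory by GHSA id first, then by the legacy numeric id.
// Returns the findings that would fail the scan and the allowlist entries
// that matched nothing (the symptom in the issue: a numeric id that no
// longer corresponds to any current advisory).
function checkAllowlist(report, allowlist) {
  const allowed = new Set(allowlist.map(normalizeId));
  const used = new Set();
  const blocking = [];
  for (const adv of extractAdvisories(report)) {
    const candidates = [adv.ghsaId, adv.numericId]
      .filter((v) => v !== null && v !== undefined)
      .map(normalizeId);
    const hit = candidates.find((c) => allowed.has(c));
    if (hit) used.add(hit);
    else blocking.push(adv);
  }
  const stale = allowlist.filter((id) => !used.has(normalizeId(id)));
  return { blocking, stale };
}

// Stand-alone run: a stale numeric allowlist versus a GHSA-keyed one.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(checkAllowlist(SAMPLE_REPORT, [1003055]), null, 2));
  console.log(JSON.stringify(checkAllowlist(SAMPLE_REPORT, ["GHSA-xxxx-yyyy-zzzz"]), null, 2));
}
```

Reporting `stale` entries separately is the practical part: a scan that fails only on `blocking` tells you a new finding appeared, while a non-empty `stale` list after an id renumbering tells you the allowlist itself needs migrating rather than the dependency tree having changed.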

Read more comments on GitHub >
