Security update doesn't catch vulnerable packs
I’m trying to run Dependabot only for security updates, but it looks like it doesn’t catch vulnerable packs.
As an example I used simple-git v3.5.0 (Snyk: simple-gi ) - which has been reported in my WhiteSource scan.
To force security updates I used:
open-pull-requests-limit: 0
so I can see in the console:
Pull requests limit is set to zero. Security only updates are implied.
...
Checking if simple-git 3.5.0 is vulnerable
simple-git 3.5.0 **is not vulnerable**
Any explanation why it doesn’t see this pack as vulnerable? Is there any other parameter that should be provided to support this type of update?
Used the latest version of the extension (0.14.1.420).
Issue Analytics
- Created 8 months ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
@BeataKr Checking for vulnerabilities in the GitHub GraphQL API requires authentication, hence a GitHub access token must be supplied. This can only be done in the task using either the gitHubConnection or gitHubAccessToken input. For example:
Create MyVeryPrivateGitHubPAT as a variable in the pipeline. This should be a classic PAT with public_repo permission.

I’m glad your issue is resolved. You could contribute documentation similar to #483?
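An added illustration, not the extension's own code, of why the security check reports every package as not vulnerable when no token is configured: the advisory lookup is a GitHub GraphQL securityVulnerabilities query, which the endpoint only answers to authenticated requests, so the PAT the maintainer describes (supplied through the gitHubAccessToken or gitHubConnection input) is what makes "Checking if simple-git 3.5.0 is vulnerable" meaningful. The query text follows the real GraphQL schema; the advisory entries, the GHSA ids and the offline_fetch stand-in are constructed, and a missing token is made to fail loudly rather than read as a clean result.

```python
import operator

# GitHub GraphQL query shape used for advisory lookups (real schema fields).
GRAPHQL_QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $package: String!) {
  securityVulnerabilities(ecosystem: $ecosystem, package: $package, first: 100) {
    nodes { vulnerableVersionRange advisory { ghsaId severity } }
  }
}
"""
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}

def parse_version(text):
    """Plain numeric semver only ('3.5.0' -> (3, 5, 0)); pre-release tags are not handled."""
    return tuple(int(part) for part in text.strip().split("."))

def in_range(version, range_expr):
    """Evaluate a GitHub vulnerableVersionRange such as '>= 3.0.0, < 3.5.1'.
    Every comma-separated clause must hold for the version to be in range."""
    ver = parse_version(version)
    for clause in range_expr.split(","):
        op, bound = clause.split()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True

def vulnerable_advisories(package, version, token, fetch):
    """Return the GHSA ids whose range covers `version`. `fetch(query, variables, token)`
    performs the GraphQL call. The real endpoint rejects unauthenticated queries, so an
    absent token fails loudly instead of an empty result reading as 'not vulnerable'."""
    if not token:
        raise PermissionError("securityVulnerabilities lookup requires a GitHub token")
    nodes = fetch(GRAPHQL_QUERY, {"ecosystem": "NPM", "package": package}, token)
    return [n["advisory"]["ghsaId"] for n in nodes
            if in_range(version, n["vulnerableVersionRange"])]

# Constructed stand-in for the API response; the ids and ranges are made up.
SAMPLE_NODES = [
    {"vulnerableVersionRange": "< 3.3.0", "advisory": {"ghsaId": "GHSA-xxxx-0001", "severity": "HIGH"}},
    {"vulnerableVersionRange": ">= 3.0.0, < 3.5.1", "advisory": {"ghsaId": "GHSA-xxxx-0002", "severity": "MODERATE"}},
    {"vulnerableVersionRange": "< 3.16.0", "advisory": {"ghsaId": "GHSA-xxxx-0003", "severity": "HIGH"}},
]

def offline_fetch(query, variables, token):
    """Offline substitute for the GraphQL call; returns the constructed nodes."""
    return SAMPLE_NODES

if __name__ == "__main__":
    print(vulnerable_advisories("simple-git", "3.5.0", "dummy-token", offline_fetch))
```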