Getting duplicate responses from Security Advisories GraphQL API

I am trying to use the GraphQL API to see if there are security advisories for a specific package, but some of the responses include duplicates of the advisories. For example, when I try to find advisories for express, I have this query:

    {
        securityVulnerabilities(ecosystem: NPM, first: 50, package: "express", orderBy: {field: UPDATED_AT, direction: DESC}) {
            nodes {
                advisory {
                    id, permalink, publishedAt, severity, summary, updatedAt, withdrawnAt
                }
                package {
                    name
                }
            }
            totalCount
        }
    }

and get this response, which has 2 of the same advisory:

    {'data': {'securityVulnerabilities': {'nodes': [{'advisory': {'id': 'MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdwdnItZzZnaC05bWMy',
                                                                  'permalink': 'https://github.com/advisories/GHSA-gpvr-g6gh-9mc2',
                                                                  'publishedAt': '2018-10-23T17:22:54Z',
                                                                  'severity': 'MODERATE',
                                                                  'summary': 'Moderate '
                                                                             'severity '
                                                                             'vulnerability '
                                                                             'that '
                                                                             'affects '
                                                                             'express',
                                                                  'updatedAt': '2019-07-03T21:02:05Z',
                                                                  'withdrawnAt': None},
                                                     'package': {'name': 'express'}},
                                                    {'advisory': {'id': 'MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdwdnItZzZnaC05bWMy',
                                                                  'permalink': 'https://github.com/advisories/GHSA-gpvr-g6gh-9mc2',
                                                                  'publishedAt': '2018-10-23T17:22:54Z',
                                                                  'severity': 'MODERATE',
                                                                  'summary': 'Moderate '
                                                                             'severity '
                                                                             'vulnerability '
                                                                             'that '
                                                                             'affects '
                                                                             'express',
                                                                  'updatedAt': '2019-07-03T21:02:05Z',
                                                                  'withdrawnAt': None},
                                                     'package': {'name': 'express'}}],
                                          'totalCount': 2}}}

Are there any differences that I am missing, or is this a bug?


:wave: hello there @alex-bellon. Welcome to the GitHub Support Community! :tada:

I ran that query and confirmed the same advisory appears twice. I’ve escalated this to our engineering team and will follow up here when we have an update from them. We don’t have a timeline for when this will be resolved, but we’re happy to help with any other questions you may have about GitHub in the meantime. :v:


@alex-bellon - hello again! One of our engineers reviewed this case and shared some context that might help.

Researching this further, what we’re seeing here involves how our GraphQL API is designed. To be clear, this is not a case of incorrect or duplicated advisory data from what we initially gathered.

Explanation

Given this advisory, there’s two affected version ranges:

  • < 3.11.0
  • >= 4.0.0, < 4.5.0

An advisory can have one range or multiple ranges. This particular advisory has multiple (two) ranges.

When querying for securityVulnerabilities, it’s possible to specify an ecosystem or a package name. However, it’s not possible to query for advisories in the same way. The query shared earlier shows two results because, while they belong to the same underlying advisory, there are two ranges. Including the vulnerableVersionRange field will reveal those ranges appropriately:

    query {
      securityVulnerabilities(ecosystem: NPM, first: 50, package: "express", orderBy: {field: UPDATED_AT, direction: DESC}) {
        nodes {
          advisory {
            permalink
          }
          vulnerableVersionRange
          package {
            name
          }
        }
        totalCount
      }
    }

Result set:

    {
      "data": {
        "securityVulnerabilities": {
          "nodes": [
            {
              "advisory": {
                "permalink": "https://github.com/advisories/GHSA-gpvr-g6gh-9mc2"
              },
              "vulnerableVersionRange": ">= 4.0.0, < 4.5.0",
              "package": {
                "name": "express"
              }
            },
            {
              "advisory": {
                "permalink": "https://github.com/advisories/GHSA-gpvr-g6gh-9mc2"
              },
              "vulnerableVersionRange": "< 3.11.0",
              "package": {
                "name": "express"
              }
            }
          ],
          "totalCount": 2
        }
      }
    }

I hope this helps explain things. I get that the current design without this explanation may have prompted more confusion than clarity. You’re always welcome to share any additional feedback through our official product feedback form so that our product team can track your request. That’s the best place to share requests like these in consideration for future iterations of GitHub features. :bowing_man:
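Since the API returns one node per vulnerable version range rather than one per advisory, a client has to collapse the nodes itself before it can answer "is my installed version affected?". The following is an added example, not code from the thread or from GitHub; it embeds a constructed copy of the result set shown above and assumes plain numeric versions (no pre-release tags) with the comparison operators GitHub uses in vulnerableVersionRange strings.

```python
import operator
import re
from collections import defaultdict

# Constructed sample mirroring the result set in the thread: two nodes, one
# per vulnerable range, both pointing at the same advisory permalink.
ADVISORY = "https://github.com/advisories/GHSA-gpvr-g6gh-9mc2"
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {"nodes": [
    {"advisory": {"permalink": ADVISORY},
     "vulnerableVersionRange": ">= 4.0.0, < 4.5.0",
     "package": {"name": "express"}},
    {"advisory": {"permalink": ADVISORY},
     "vulnerableVersionRange": "< 3.11.0",
     "package": {"name": "express"}},
], "totalCount": 2}}}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}
CLAUSE = re.compile(r"\s*(<=|>=|<|>|=)\s*([\d.]+)\s*")


def parse_version(text):
    """'4.5.0' -> (4, 5, 0); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, range_text):
    """True if version satisfies every comma-separated clause, e.g. '>= 4.0.0, < 4.5.0'."""
    v = parse_version(version)
    for clause in range_text.split(","):
        match = CLAUSE.fullmatch(clause)
        if match is None:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = match.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def group_by_advisory(response):
    """Collapse one-node-per-range into {advisory permalink: [ranges]}."""
    grouped = defaultdict(list)
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        grouped[node["advisory"]["permalink"]].append(node["vulnerableVersionRange"])
    return dict(grouped)


def affected_advisories(response, installed_version):
    """Advisories where installed_version falls inside any of the advisory's ranges."""
    return sorted(link for link, ranges in group_by_advisory(response).items()
                  if any(in_range(installed_version, r) for r in ranges))
```

Deduplicating on the advisory permalink (or id) while keeping every range is what makes totalCount stop looking like a duplicate count; a version that sits between the two ranges, such as 3.11.0, is correctly reported as unaffected.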