Hi, i've been recieving mails and alerts about "security vulnerabilities" for a while now for one of my projects (pokegraf). I already opened a ticket to GitHub but it's been 15 days without answer.
The thing is that these are security vulnerabilities for a "package.json" that does not exist, it used to, but it's gone for a while now. Right now the project is written in C#, and there is no current branch or tag that uses that js file. I already closed the alert, but I don't want to continue getting emails about future vulnerabilities of something I don't use.
These incorrect dependencies are even listed in the "Dependency Graph" tab which makes no sense at all.
Any input on this? maybe how to fix the Dependency Graph?
Thank you very much.
Thanks for being here! I see that the appropriate team looked into it and got you fixed.
Let us know if you have any other questions.
Be sure to click Accept as Solution to mark helpful posts to help other users locate important info. Also, don't forget to give Kudos for great content!
the same issue seems to occur also in other repos, e.g. (at the time of writing) https://github.com/swagger-api/swagger-codegen/network/alert/samples/client/petstore/typescript-angu... seems to refer to an older copy of the file; please notice that right after a fix was committed updating the file, a similar security alert disappeared; it seems now to have appeared again.
Generally it seems possible that false positives come up, not sure if only related to old versions of files. Could you clarify how alerts are generated and dismissed, and how to avoid such behaviour?
Slightly related, I am not sure how and if the security vulnerabilities of a given version of one project (take e.g. https://github.com/dependency-insights/maven/org.eclipse.jetty%253Ajetty-server/9.2.9.v20150224/secu...) are triggering alerts on dependent projects; at the moment it seems that at least some alerts are not triggered.
It would be nice to have some clarification about the applied alert process, to be able to include security alerts (very valuable!) into a consistent security procedure.
While I can't tell you the exact process as there is some behind-the-scenes magic, the general process is that every time a push happens on a repository, a scan is run on certain files in that repository to identify any known vulnerabilities. This may take a bit of time, depending on a number of factors including the size of the repository.
After the scan is run, if new vulnerabilities are detected, an alert is created for each one. Additionally, if the scan detects an update to one of the files in which it detected a vulnerability, it will close the security alert if the requirements have been met.
As repositories can have multiple files listing dependencies, it is possible that multiple alerts will be generated for a particular vulnerability. You may also encounter false positives as we strive to err on the side of safety and would rather risk alerting you about something that is not a problem than not alert you about something that could put you in a compromised position.
Hope that answered your questions. If you have additional questions about specific alerts or specific repositories, please reach out to GitHub Support directly who are better equipped to investigate specific issues.