
Add Improver to find out Ghost packages

Open TG1999 opened this issue 3 years ago • 2 comments

We have some packages coming from security advisories that don't exist anywhere; we should have an improver to verify whether a package actually exists.

TG1999 avatar Sep 13 '22 17:09 TG1999

Would this be an improver per data source or a generic improver covering all data sources? Take for example #915, it could be an improver looking at (historical) package information from Alpine and specifically for Alpine.

armijnhemel avatar Sep 15 '22 13:09 armijnhemel

Just adding an example of a typosquatting attack advisory from Rust: https://github.com/rustsec/advisory-db/blob/main/crates/rustdecimal/RUSTSEC-2022-0042.md What should be done for this kind of advisory that doesn't have a related package/version? Just ignore them?

sify21 avatar Oct 10 '22 06:10 sify21
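One shape such an improver could take, as an added example that is not VulnerableCode's own code: a constructed registry snapshot stands in for the live crates.io/PyPI lookup (an assumption, as is the ecosystem naming), and each advisory package is classified as existing, a ghost, or a lookalike of a real package, which covers both the ghost case above and the RUSTSEC rustdecimal case.

```python
import difflib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a live registry lookup (crates.io, PyPI, ...):
# ecosystem -> names known to exist. A real improver would query the
# registry API or a cached index instead of this hard-coded dict.
KNOWN_PACKAGES = {
    "cargo": {"rust_decimal", "serde", "tokio"},
    "pypi": {"requests", "urllib3"},
}


def normalize(name: str) -> str:
    """Fold case and the separators registries treat as equivalent."""
    return name.lower().replace("-", "").replace("_", "")


@dataclass
class Finding:
    ecosystem: str
    name: str
    status: str              # "exists", "ghost" or "lookalike"
    nearest: Optional[str]   # closest real package when status != "exists"


def check_package(ecosystem, name, known=KNOWN_PACKAGES, cutoff=0.85):
    """Classify one advisory package as real, a ghost, or a lookalike."""
    existing = known.get(ecosystem, set())
    if name in existing:
        return Finding(ecosystem, name, "exists", None)
    # Separator-only differences (rustdecimal vs rust_decimal) are the
    # classic typosquat shape, so check them before fuzzy matching.
    by_norm = {normalize(n): n for n in existing}
    if normalize(name) in by_norm:
        return Finding(ecosystem, name, "lookalike", by_norm[normalize(name)])
    close = difflib.get_close_matches(name, existing, n=1, cutoff=cutoff)
    if close:
        return Finding(ecosystem, name, "lookalike", close[0])
    return Finding(ecosystem, name, "ghost", None)


def find_ghosts(advisory_packages, known=KNOWN_PACKAGES):
    """Run the check over every (ecosystem, name) pair an advisory names."""
    return [check_package(eco, name, known) for eco, name in advisory_packages]
```

A "lookalike" result is worth keeping rather than dropping: the advisory is about a package that never legitimately existed, but the real package it imitates is the one users should be warned about.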