
bump integration tests: use non-vulnerable components

Open jkowalleck opened this issue 2 years ago • 1 comments

there are integration tests in tests/integration/*/package.json that may have npm components that are vulnerable. The code in these packages is never actually run.

SecurityScanners often find new or the same issues in there, and mark cyclonedx-node-module to have vulnerabilities, unless someone marks them as "invalid, code is not executed". This is a manual job, each time.

feature:

  • exclude /tests/integration/*/package.json from scanning for updates
  • exclude /tests/integration/*/package.json from scanning for security-issues
  • use dependencies that are more controlled, than the current arbitrary set of things.

jkowalleck avatar Mar 09 '22 07:03 jkowalleck

might help:

  • https://github.com/dependabot/dependabot-core/issues/4364
  • https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning

jkowalleck avatar Mar 09 '22 07:03 jkowalleck