dependency-review-action
Bug: High Severity alert being thrown for package version not impacted by the CVE
We ran into an issue where actions/dependency-review-action@v2 was blocking based on a report that colors@1.0.3 had a high severity finding and linked here https://github.com/advisories/GHSA-gh88-3pxp-6fm8, but CVE-2021-23567 only impacts versions of colors >= 1.4.1.
Based on my understanding, with our version currently being 1.0.3, this CVE should not be attached to the PR and the action should not be blocking our pipeline.
(And note nowhere else in the project was there any reference to colors >= 1.4.1.)
Hi @aaronosb, thanks for the report. From the screenshot it looks like you should not be getting this warning indeed; do you see the same error if you view the rich diff of the PR for the package-lock.json change? (docs on how to do this)
I do not get the same warning/error using the rich diff
@aaronosb If this is for a public repo, can you post a link? If not, can you email me the username/organization name and repo name to my username at github.com?
It was a private repo; I can shoot you the info over in an email.
@febuiles did you get the email with repo details?
@aaronosb I did! Thanks for sharing the repo details. I've shared this with other folks and will update this issue once I have a fix or feedback.
@aaronosb apologies for the lack of feedback on this. After reproducing the issue I noticed that it's caused by the API itself and not the action:
```console
$ gh api -H "Accept: application/vnd.github+json" /repos/future-funk/bug-free-sniffle/dependency-graph/compare/main...add-colors
[
  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "colors",
    "version": "1.0.3",
    "package_url": "pkg:npm/colors@1.0.3",
    "license": "MIT",
    "source_repository_url": "https://github.com/Marak/colors.js",
    "vulnerabilities": [
      {
        "severity": "high",
        "advisory_ghsa_id": "GHSA-gh88-3pxp-6fm8",
        "advisory_summary": "Infinite Loop in colors.js",
        "advisory_url": "https://github.com/advisories/GHSA-gh88-3pxp-6fm8"
      }
    ]
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "colors",
    "version": "1.0.3",
    "package_url": "pkg:npm/colors@1.0.3",
    "license": "MIT",
    "source_repository_url": "https://github.com/Marak/colors.js",
    "vulnerabilities": [
      {
        "severity": "high",
        "advisory_ghsa_id": "GHSA-gh88-3pxp-6fm8",
        "advisory_summary": "Infinite Loop in colors.js",
        "advisory_url": "https://github.com/advisories/GHSA-gh88-3pxp-6fm8"
      }
    ]
  }
]
```
Once the API fix is released I will close this issue.
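As an added example (not code from dependency-review-action or from anyone in this thread), a cross-check that reads the compare API output above and confirms each reported advisory actually covers the package version before treating it as a failure; the vulnerable range for GHSA-gh88-3pxp-6fm8 is taken from the report in this issue (>= 1.4.1), not fetched from the advisory API, and the response below is a constructed, trimmed copy of the one shown above.

```python
# Cross-checks each vulnerability the dependency-graph compare API reports
# against the advisory's vulnerable range, so a hit for a version outside the
# range (colors@1.0.3 vs ">= 1.4.1" here) is flagged instead of failing a build.
import json
import re
from typing import Callable

# Constructed: trimmed copy of the compare API response shown in the issue.
COMPARE_RESPONSE = json.dumps([{
    "change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm",
    "name": "colors", "version": "1.0.3",
    "vulnerabilities": [{"severity": "high", "advisory_ghsa_id": "GHSA-gh88-3pxp-6fm8",
                         "advisory_summary": "Infinite Loop in colors.js"}],
}])

# Assumed: vulnerable ranges keyed by GHSA id, as stated in the issue report.
VULNERABLE_RANGES = {"GHSA-gh88-3pxp-6fm8": ">= 1.4.1"}

def parse_version(v: str) -> tuple:
    """'1.4.1' -> (1, 4, 1); pre-release tags are ignored for this check."""
    core = re.match(r"\d+(\.\d+){0,2}", v).group(0)
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

_OPS: dict[str, Callable] = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}

def in_range(version: str, spec: str) -> bool:
    """True if every comma-separated clause (e.g. '>= 1.4.1, < 1.4.2') holds."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)?\s*([\w.\-]+)\s*", clause)
        op, bound = (m.group(1) or "="), parse_version(m.group(2))
        if not _OPS[op](v, bound):
            return False
    return True

def triage(compare_json: str, ranges: dict) -> list[dict]:
    """One record per reported vulnerability with a confirmed/false_positive verdict."""
    out = []
    for change in json.loads(compare_json):
        for vuln in change.get("vulnerabilities", []):
            spec = ranges.get(vuln["advisory_ghsa_id"])
            affected = in_range(change["version"], spec) if spec else None
            out.append({"package": f'{change["name"]}@{change["version"]}',
                        "ghsa": vuln["advisory_ghsa_id"], "severity": vuln["severity"],
                        "verdict": "unknown_range" if spec is None
                                   else "confirmed" if affected else "false_positive"})
    return out
```

A "false_positive" verdict is a signal to verify the advisory's range by hand, not to silence the alert; here it would have pointed at the API rather than at the lockfile.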
+1 as I got affected by this issue too.
We try to use mikro-orm/migrations, depending on umzug, depending on rushstack, depending on [email protected].
@aaronosb @paulz-swyftx The API is now returning the proper results, and I've confirmed that the action is behaving as expected. I've created these two example PRs:
- https://github.com/future-funk/bug-free-sniffle/pull/8 -- has [email protected], does not raise errors since the vulnerability was introduced at [email protected].
- https://github.com/future-funk/bug-free-sniffle/pull/9 -- has [email protected], which has an open vulnerability since 0.0.0 with no fixes. This check fails.
Closing this issue, thanks for your patience! Please re-open if needed.
Thank you for the speedy response @febuiles