
fix: include package version in vulns lookup #791

Merged 1 commit into master from fix/vuln-pkg-origin on Oct 10, 2019

Conversation

moshikod
Contributor

@moshikod moshikod commented Oct 3, 2019

  • Ready for review
  • Follows CONTRIBUTING rules
  • Reviewed by Snyk internal team

What does this PR do?

Fix the lookup for the associated Dockerfile instruction that introduced a package.
The lookup key should include both the package name and version and not just the package name.

How should this be manually tested?

Perform a test on an image which is a product of a Dockerfile such as:

FROM python:3.7-alpine3.8
RUN apk add --no-cache --update git=2.18.1-r0

Expect the git vulnerability to be introduced by an instruction in the Dockerfile and not by the base image.

Screenshots

[screenshot]

Before this fix, the git vulnerability was wrongly identified as "Introduced by the base image".
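To make the described fix concrete, here is an added example (not code from the snyk CLI) that models the origin lookup. It assumes the pre-fix behaviour was a lookup keyed on the package name alone against an index keyed on name@version, so every lookup missed and fell through to "base image"; the data types, the function names, the index shape and the second git version `2.18.0-r0` attributed to the base image are all constructed for illustration.

```typescript
// Added example, not code from the snyk CLI: why the origin lookup for a
// vulnerable package has to be keyed on package name AND version.

interface PackageRef {
  name: string;
  version: string;
}

interface DockerfileInstruction {
  line: number;
  text: string;
  installs: PackageRef[]; // packages this instruction installed
}

type Origin =
  | { kind: 'base-image' }
  | { kind: 'dockerfile-instruction'; instruction: DockerfileInstruction };

// Lookup key that identifies an exact package, e.g. "git@2.18.1-r0".
function packageKey(pkg: PackageRef): string {
  return `${pkg.name}@${pkg.version}`;
}

// Index every package installed by a Dockerfile instruction under its exact key.
function buildInstructionIndex(
  instructions: DockerfileInstruction[],
): Map<string, DockerfileInstruction> {
  const index = new Map<string, DockerfileInstruction>();
  for (const instruction of instructions) {
    for (const pkg of instruction.installs) {
      index.set(packageKey(pkg), instruction);
    }
  }
  return index;
}

// Assumed shape of the pre-fix lookup: the key carried only the name, so it
// never matched a name@version entry and every package fell through to "base image".
function findOriginByNameOnly(
  index: Map<string, DockerfileInstruction>,
  pkg: PackageRef,
): Origin {
  const instruction = index.get(pkg.name);
  return instruction ? { kind: 'dockerfile-instruction', instruction } : { kind: 'base-image' };
}

// Fixed lookup: same index, but the key is built from name and version.
function findOrigin(
  index: Map<string, DockerfileInstruction>,
  pkg: PackageRef,
): Origin {
  const instruction = index.get(packageKey(pkg));
  return instruction ? { kind: 'dockerfile-instruction', instruction } : { kind: 'base-image' };
}

// Constructed sample: the Dockerfile from the PR description, already parsed.
const sampleInstructions: DockerfileInstruction[] = [
  {
    line: 2,
    text: 'RUN apk add --no-cache --update git=2.18.1-r0',
    installs: [{ name: 'git', version: '2.18.1-r0' }],
  },
];

// Constructed vulnerable packages as a scanner might report them: the git pinned
// by the RUN line, and a hypothetical older git shipped by the base image.
const gitFromRunLine: PackageRef = { name: 'git', version: '2.18.1-r0' };
const gitFromBaseImage: PackageRef = { name: 'git', version: '2.18.0-r0' };

// Human-readable label, in the spirit of the CLI's "Introduced by" output.
function describeOrigin(origin: Origin): string {
  return origin.kind === 'base-image'
    ? 'base image'
    : `Dockerfile line ${origin.instruction.line}: ${origin.instruction.text}`;
}

// Run both lookups over the sample; returns the labels so they can be checked.
function compareLookups(): { before: string; after: string; afterOtherVersion: string } {
  const index = buildInstructionIndex(sampleInstructions);
  return {
    before: describeOrigin(findOriginByNameOnly(index, gitFromRunLine)),
    after: describeOrigin(findOrigin(index, gitFromRunLine)),
    afterOtherVersion: describeOrigin(findOrigin(index, gitFromBaseImage)),
  };
}

const result = compareLookups();
console.log(`before fix        : ${result.before}`);
console.log(`after fix         : ${result.after}`);
console.log(`other git version : ${result.afterOtherVersion}`);
```

The third lookup is the reason the version belongs in the key: if the base image already ships a different git and the RUN line pins a newer one, a name-only key could not tell the two apart, whereas the name@version key attributes each finding to the layer that actually introduced it.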

@moshikod moshikod requested a review from a team as a code owner October 3, 2019 11:57
@ghost ghost requested review from gitphill and lili2311 October 3, 2019 11:57
@moshikod moshikod requested review from hisenb3rg and mladkau and removed request for lili2311 and gitphill October 3, 2019 11:58
Contributor

@orsagie orsagie left a comment


LGTM. You need to close and reopen the PR for AppVeyor to restart.

@moshikod moshikod closed this Oct 6, 2019
@moshikod moshikod reopened this Oct 6, 2019
@moshikod moshikod closed this Oct 6, 2019
@moshikod moshikod reopened this Oct 6, 2019
@moshikod moshikod closed this Oct 6, 2019
@moshikod moshikod reopened this Oct 6, 2019
@moshikod moshikod closed this Oct 7, 2019
@moshikod moshikod reopened this Oct 7, 2019
@moshikod moshikod merged commit 79b792b into master Oct 10, 2019
@moshikod moshikod deleted the fix/vuln-pkg-origin branch October 10, 2019 11:18
@moshikod moshikod restored the fix/vuln-pkg-origin branch October 10, 2019 11:19

snyksec commented Oct 11, 2019

🎉 This PR is included in version 1.234.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
