* Improve OSV scanning integration (squashed)
Signed-off-by: Rex P <[email protected]>
* Add support for grouping vulnerabilities and aliases
Signed-off-by: Rex P <[email protected]>
* Updated documentation, split vulnerability output to multiple warnings
Signed-off-by: Rex P <[email protected]>
* Updated documentation, split vulnerability output to multiple warnings
Signed-off-by: Rex P <[email protected]>
* Add its own codebase into docs
Signed-off-by: Rex P <[email protected]>
* Update scorecard test to not prevent known vulns
Signed-off-by: Rex P <[email protected]>
Signed-off-by: Rex P <[email protected]>
Co-authored-by: laurentsimon <[email protected]>
This check determines whether the project has open, unfixed vulnerabilities
695
-
using the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service.Anopen
696
-
vulnerability is readily exploited by attackers and should be fixed as soon as
695
+
initsowncodebaseoritsdependenciesusing the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service.
696
+
Anopenvulnerability is readily exploited by attackers and should be fixed as soon as
697
697
possible.
698
698
remediation:
699
699
- >-
700
-
Fix the vulnerabilities. The details of each vulnerability can be found
700
+
Fix the vulnerabilitiesinyourowncodebase. The details of each vulnerability can be found
701
701
on <https://osv.dev>.
702
+
- >-
703
+
If the vulnerability is in a dependency, update the dependency to a non-vulnerable version. If no update is available, consider whether to remove the dependency.
704
+
- >-
705
+
If you believe the vulnerability does not affect your project, the
706
+
vulnerability can be ignored.
707
+
To ignore, create an `osv-scanner.toml` file next to the dependency manifest (e.g. package-lock.json) and specify the ID to ignore and reason.
708
+
Details on the structure of `osv-scanner.toml` can be found on
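Review bot: the new third remediation item tells the user to place `osv-scanner.toml` "next to the dependency manifest (e.g. package-lock.json)", but the replaced opening sentence now says the check also reports vulnerabilities "in its own codebase"; state where the config file goes for a finding that is not tied to a dependency manifest, or say that the ignore path applies to dependency findings only. The same item should also make explicit that an ignore entry suppresses the finding from this check entirely, so "specify the ID to ignore and reason" should ask for a specific reason and for the entry to be revisited rather than left open-ended. Minor style point: the replaced first line of the description and the second `>-` item are well over the 80-column wrapping the surrounding YAML uses; wrap them like the neighbouring lines.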
This check determines whether the project has open, unfixed vulnerabilities
648
-
using the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service.Anopen
649
-
vulnerability is readily exploited by attackers and should be fixed as soon as
648
+
initsowncodebaseoritsdependenciesusing the [OSV (Open Source Vulnerabilities)](https://osv.dev/) service.
649
+
Anopenvulnerability is readily exploited by attackers and should be fixed as soon as
650
650
possible.
651
651
652
652
653
653
**Remediation steps**
654
-
- Fix the vulnerabilities. The details of each vulnerability can be found on <https://osv.dev>.
654
+
- Fix the vulnerabilitiesinyourowncodebase. The details of each vulnerability can be found on <https://osv.dev>.
655
+
- If the vulnerability is in a dependency, update the dependency to a non-vulnerable version. If no update is available, consider whether to remove the dependency.
656
+
- If you believe the vulnerability does not affect your project, the vulnerability can be ignored. To ignore, create an `osv-scanner.toml` file next to the dependency manifest (e.g. package-lock.json) and specify the ID to ignore and reason. Details on the structure of `osv-scanner.toml` can be found on [OSV-Scanner repository](https://github.com/google/osv-scanner#ignore-vulnerabilities-by-id).
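Review bot: this rendered copy repeats the first hunk's wording verbatim, so the two hunks must change together; if this file is generated from the YAML in the first hunk, confirm it was regenerated rather than hand-edited, otherwise the next regeneration will silently revert any difference. In the last bullet, the link to "OSV-Scanner repository" targets a README heading anchor (`#ignore-vulnerabilities-by-id`), which breaks without notice when the README is restructured; consider linking to a stable documentation page and naming the section in the link text. That bullet also folds three separate instructions (when ignoring is acceptable, where the file goes, where the file format is documented) into one long line, whereas the YAML version keeps them on separate lines; splitting it would read better and keep the two in step.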