Crucial bug: osv-scanner does not detect known malicious package in lockfiles #2407
Comments
This looks like an osv.dev API bug, as both
I can confirm that
is not matching https://api.osv.dev/v1/vulns/MAL-2022-7426 so this is an OSV.dev API bug not an OSV-Scanner one. I'll move this over.
Looking at https://api.osv.dev/v1/vulns/MAL-2022-7426, I can see what the problem is, and it's somewhat systemic to malicious packages records: because typically such packages get removed from the package registry, there are no versions to enumerate. OSV.dev's API today is reliant upon all known vulnerable (in this case, "malicious") versions being enumerated and present in the This deficiency is being worked on in #2401
@andrewpollock would it be straightforward and worthwhile to introduce a (hopefully) hotpath for advisories that are marked as impacting all versions, since shouldn't that be a case of matching the ecosystem + name? I'd say that technically it's an optimization which as a bonus would enable these advisories to be matched against without requiring a more fulsome API change
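The "ecosystem + name" hotpath proposed above, written out as an added example (not osv-scanner's or OSV.dev's own code): a small matcher that takes `pip freeze` style lockfile text and checks each package against constructed OSV-style records. The `all_versions` flag and the `MAL-EXAMPLE-*` ids are assumptions for illustration; a record with that flag matches on ecosystem and name alone, while a record with an enumerated version list still needs the version (the takeover case raised later in the thread).

```python
"""Added example: match lockfile packages against OSV-style malicious
package records, including records with no enumerated versions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str
    name: str
    versions: frozenset = frozenset()  # empty: nothing enumerated (package removed)
    all_versions: bool = False         # hypothetical flag: every version affected


# Constructed sample records; ids are placeholders, not real OSV entries.
ADVISORIES = [
    Advisory("MAL-EXAMPLE-0001", "PyPI", "pymocks", all_versions=True),
    Advisory("MAL-EXAMPLE-0002", "PyPI", "takeover-lib", frozenset({"2.0.0"})),
]

# Constructed pip freeze output: a clean package, the malicious package with
# and without a pin, and a taken-over package at a clean and a bad version.
SAMPLE_FREEZE = """requests==2.31.0
pymocks==0.0.1
pymocks
takeover-lib==1.9.0
takeover-lib==2.0.0
"""


def normalize(name):
    """PEP 503 normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pip_freeze(text):
    """Yield (name, version) pairs; version is None for an unpinned line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*(\S+))?$", line)
        if m:
            yield normalize(m.group(1)), m.group(2)


def match(lockfile_text, advisories=ADVISORIES, ecosystem="PyPI"):
    """Return (name, version, advisory id) for every package that matches."""
    hits = []
    for name, version in parse_pip_freeze(lockfile_text):
        for adv in advisories:
            if adv.ecosystem != ecosystem or normalize(adv.name) != name:
                continue
            # Hotpath: an all-versions record needs no version enumeration.
            if adv.all_versions or version in adv.versions:
                hits.append((name, version, adv.id))
    return hits
```

Running `match(SAMPLE_FREEZE)` flags both `pymocks` lines and only the 2.0.0 release of `takeover-lib`.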
Hello and thanks for taking care of that issue.
I totally agree, version is irrelevant for known malicious packages.
There are cases where versions do matter for malicious packages, e.g. in cases where a normal package repository was taken over by a malicious actor, and they made a new release containing malicious code. All previous versions are still valid non-malicious packages in that case (or sometimes not, if the registry is not immutable, the attacker might be able to swap out old versions as well).
I don't know if and how this issue is linked to this one: github/advisory-database#4612 |
They're related only in that they both relate to malware (as opposed to security vulnerabilities)
Hello there,
Thanks for this amazing work but I am reporting here a crucial bug: known malicious packages are not detected when scanned.
How to reproduce:
`pymocks` in an example `pip freeze` output (second line here below):
Nothing is told about this `pymocks` package. I tried with different expressions: `pymocks==0.0.1`, `pymocks` etc. but it never got detected. As this package is globally malicious, its detection should not need a version string: the sole presence of the package name in a lockfile should be enough to detect it!
Cheers!