Missing context new status for CA #153
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
attiasas
requested changes
Aug 26, 2024
attiasas
added
improvement
github-actions
bot
removed
the
safe to test
attiasas
approved these changes
Sep 5, 2024
attiasas
added
the
safe to test
github-actions
bot
removed
the
safe to test
attiasas
requested changes
Sep 5, 2024
Comment on lines
6
to
11
| cloud.google.com/go v0.38.0 // indirect | ||
| github.com/Azure/azure-sdk-for-go v40.3.0+incompatible // indirect | ||
| github.com/Azure/go-autorest/autorest v0.10.0 // indirect | ||
| github.com/Azure/go-autorest/autorest/adal v0.8.2 // indirect | ||
| github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 // indirect | ||
| github.com/Azure/go-autorest/autorest/azure/cli v0.3.1 // indirect |
There was a problem hiding this comment.
Please only include the needed dependency for the test to reduce size and test times
…o missing-context
attiasas
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
had a problem deploying
to
frogbot
GitHub Actions
Failure
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
barv-jfrog
added
the
safe to test
github-actions
bot
removed
the
safe to test
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
devbranch.go vet ./....go fmt ./....Description:
New status in contextual analysis - missing context. If a CVE gets a missing context under contextual analysis this means that this CVE exists on binary but not on source code. (For example a scanner exists but is of type ELF, YAML, etc - not source code). This helps to distinguish between Not covered which means this CVE doesn't have a jfrog scanner at all to Missing context which means the CVE is covered but not on source code.
Since missing context doesn't mean Not applicable it has a higher priority. Also its not that its not Covered, just not covered in source code, which in conclusion we believe deserves a higher priority than Not covered as well.
Additional description:
Jfrog research team work on many CVEs using scanners they create. These scanners have a type, like JS, JAVASRC, YAML, etc..
When using jf audit we scan for src code, and therefore the scanners which can be run on the relevant project are only scanners of source code types which are being supported by the CLI (JAVASRC, JS, Python, NuGet soon and more) but not on scanners that are of type YAML, text, binary, elf, etc, however, these CVEs are supported on binary scanning on xray platform - So we want to distinguish between those CVEs that are not covered at all (no scanner) and those that are covered on xray platform but not on source code scanning (jf audit).
This CA status is only for jf audit.