
Add Improver to find out Ghost packages #917

Closed
TG1999 opened this issue Sep 13, 2022 · 3 comments · Fixed by #1533

Comments

@TG1999
Contributor

TG1999 commented Sep 13, 2022

We have some packages coming from security advisories that don't exist anywhere; we should have an improver to verify whether a package actually exists.

See also:

@armijnhemel
Contributor

Would this be an improver per data source or a generic improver covering all data sources? Take for example #915, it could be an improver looking at (historical) package information from Alpine and specifically for Alpine.

@sify21
Contributor

sify21 commented Oct 10, 2022

Just to add an example of a typosquatting attack advisory from Rust:
https://github.com/rustsec/advisory-db/blob/main/crates/rustdecimal/RUSTSEC-2022-0042.md
What should be done for this kind of advisory that doesn't have a related package/version? Just ignore them?

@keshav-space
Member

Some of these non-existent packages could be the result of incorrect parsing of version ranges from upstream advisories (#1516).
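The two failure modes raised in this thread (a package that was never published, as with the typosquat advisory above, versus a real package whose version came out of range parsing wrong) can be told apart by checking advisory entries against known package versions. Added example, not VulnerableCode's own improver code: the package index, advisory identifiers and version strings below are constructed stand-ins for what a real improver would fetch from the registry.

```python
"""Flag advisory entries whose package or version is absent from a package index.
Added example, not VulnerableCode code; the index is constructed inline where a
real improver would query the package registry."""
from dataclasses import dataclass

# Constructed stand-in for a registry lookup: package URL -> published versions.
KNOWN_PACKAGES = {
    "pkg:cargo/rust_decimal": {"1.22.0", "1.23.0", "1.23.1"},
    "pkg:apk/alpine/openssl": {"1.1.1q-r0", "3.0.5-r0"},
}

# Constructed advisory entries: (advisory id, package URL, affected version).
ADVISORY_ENTRIES = [
    ("ADV-1", "pkg:cargo/rust_decimal", "1.23.0"),  # exists as published
    ("ADV-2", "pkg:cargo/rustdecimal", "1.23.1"),   # typosquat name, never published
    ("ADV-3", "pkg:apk/alpine/openssl", "1.1.1q"),  # version lost its "-r0" release suffix
]


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    purl: str
    version: str
    status: str  # "ghost-package" or "ghost-version"


def classify(purl, version, index=KNOWN_PACKAGES):
    """Return "ok", "ghost-package" (no such package in the index) or
    "ghost-version" (package exists but that version was never published,
    the usual symptom of a version-range parsing slip)."""
    versions = index.get(purl)
    if versions is None:
        return "ghost-package"
    return "ok" if version in versions else "ghost-version"


def find_ghosts(entries=ADVISORY_ENTRIES, index=KNOWN_PACKAGES):
    """Return a Finding for every entry that cannot be confirmed to exist."""
    findings = []
    for advisory_id, purl, version in entries:
        status = classify(purl, version, index)
        if status != "ok":
            findings.append(Finding(advisory_id, purl, version, status))
    return findings


if __name__ == "__main__":
    for f in find_ghosts():
        print(f"{f.advisory_id}: {f.purl}@{f.version} -> {f.status}")
```

A "ghost-version" result points back at the range-parsing path for that data source, while a "ghost-package" result is the case this issue asks the improver to surface.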


6 participants