Conversation

@rugk (Member) commented Jun 4, 2021

The tool seems to cover JS, which is useful for us and standard container dependencies.

https://github.com/anchore/grype

@elrido (Contributor) commented Jun 5, 2021

I think what it tries to tell us is that it looks at the package.json, sees the version as 1.3.0 and therefore assumes we are affected by the CVE we published on that release. I checked and it seems that we indeed forgot to increment the version string in that file, probably in the 1.3.1 release. I now use sed to match and replace these numbers during publication, but I seem to have omitted that file. I'll change package.json and Makefile in master and we could add this check after the next release got published.

Edit: Fixed in PrivateBin/PrivateBin@a2ffbaf
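A pre-release consistency check of the kind described above, added here as an example that is not part of the thread or of PrivateBin's own release tooling. It assumes the Makefile defines a `VERSION = x.y.z` line (an assumed variable name) and compares it with the `version` field of package.json, so a stale package.json is caught before a scanner such as grype matches it against an already-fixed release's CVE:

```shell
#!/bin/sh
# Added example, not PrivateBin's tooling. Assumes the Makefile carries a
# "VERSION = x.y.z" line and package.json a top-level "version" field.
# Returns 0 when both files agree, 1 when a version is missing or differs.
check_versions() {
    tree="$1"
    # package.json: first "version" field, value between the quotes.
    pkg_ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$tree/package.json" | head -n 1)
    # Makefile: assumed "VERSION = x.y.z" definition, whitespace stripped.
    mk_ver=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
        "$tree/Makefile" | head -n 1 | tr -d '[:space:]')
    if [ -z "$pkg_ver" ] || [ -z "$mk_ver" ]; then
        echo "could not read a version from package.json or Makefile" >&2
        return 1
    fi
    if [ "$pkg_ver" != "$mk_ver" ]; then
        echo "version mismatch: package.json=$pkg_ver Makefile=$mk_ver" >&2
        return 1
    fi
    echo "versions agree: $pkg_ver"
    return 0
}

# Constructed sample trees: the first reproduces the situation from the
# thread (Makefile bumped to 1.3.1, package.json still at 1.3.0), the
# second is the corrected state. Arguments: package.json version, Makefile version.
make_sample() {
    sample=$(mktemp -d)
    printf '{\n  "name": "sample",\n  "version": "%s"\n}\n' "$1" > "$sample/package.json"
    printf 'VERSION = %s\n' "$2" > "$sample/Makefile"
    echo "$sample"
}

STALE_TREE=$(make_sample 1.3.0 1.3.1)
FIXED_TREE=$(make_sample 1.3.1 1.3.1)
```

Run it as a step of the release script (or a CI job) so a mismatch fails the build before anything is published.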

@rugk (Member, Author) commented Jun 6, 2021

Great. Note that in order to increment the package.json you can also use the npm version command… 🙂

@rugk (Member, Author) commented Feb 28, 2022

Re-triggered this thing (via a simple merge), so let's see how the situation may have improved since our last try… 🙃

@rugk (Member, Author) commented Feb 28, 2022

Error: Failed minimum severity level. Found vulnerabilities with level medium or higher

Well nice, but where/how/where are these? 😅

Also in GitHub's advanced code scanning tab I could find nothing.
