Snyk vulnerability range for unfixed vulnerabilities #14168
Comments
#9308 (more direct link to context) We wouldn't be able to confidently determine the correct "latest version" that Snyk is considering ourselves in any post-process step... (assumption: there is significant delay between the calculation of these constraints, the opening of PRs, and any post-processing we might do as a result). Maybe if we are provided a timestamp for when a Snyk database was made we could use. Any way "latest package version as of this Snyk db snapshot" could be kept as extra data in a new field?

For us to discuss: As far as not being able to use a live snapshot of Snyk, that is still a constraint we have (certainly in DevTools and PSI), but perhaps we could be more flexible in CLI?

Looking at the latest Snyk PR, it seems this has already taken effect? https://github.com/GoogleChrome/lighthouse/pull/14169/files#diff-2748424e6850e5ce49d2339a9d6e7d96a5f286e3c404618e0ef54e5c89d62055R7

We haven't made any change yet in this area. Our current post-processing logic only handles

This is something we could do.
Summary
Hi 👋
My name is Amotz, working for Snyk.
I wanted to update you that we are revisiting our current method for providing ranges for unfixed vulnerabilities, as part of a standardization effort we are doing in this area.
See #8748 for context.
In cases of unfixed vulnerabilities, we'd like to provide "*" as the range and, if necessary, have it resolved on the LH side to a specific version range (e.g. "<=x.y.z"), instead of resolving it on our side. We still don't have a clear timeline for this, but wanted to give you a heads up and start a discussion.
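A consumer-side resolver for the proposal above, as an added example that is not Lighthouse's or Snyk's code: it turns a "*" range into "<=x.y.z" using a hypothetical latestAtSnapshot field (an assumption; the thread only asks whether such a field could be added) and, when that field is absent, keeps "*" as "all versions affected" rather than silently narrowing the range. The snapshot entries are constructed sample data.

```javascript
// Added example, not Lighthouse or Snyk code. Assumes a hypothetical
// `latestAtSnapshot` field: the package's latest version when the DB was captured.

// Compare two dotted numeric versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "*" becomes "<=latestAtSnapshot"; with no snapshot version it stays "*", which
// conservatively keeps every version affected instead of narrowing the range.
function resolveRange(range, latestAtSnapshot) {
  if (range.trim() !== '*') return range;
  return latestAtSnapshot ? `<=${latestAtSnapshot}` : '*';
}

// Evaluate one comparator such as "<=1.2.3" or ">=4.0.0" against a version.
const ops = { '<=': (c) => c <= 0, '<': (c) => c < 0, '>=': (c) => c >= 0, '>': (c) => c > 0 };
function satisfiesComparator(version, comparator) {
  const m = /^(<=|>=|<|>)?(\d+(?:\.\d+)*)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const cmp = compareVersions(version, m[2]);
  return m[1] ? ops[m[1]](cmp) : cmp === 0;
}

// A range is "*" or a space-separated conjunction of comparators.
function isAffected(version, range) {
  if (range.trim() === '*') return true;
  return range.trim().split(/\s+/).every((c) => satisfiesComparator(version, c));
}

// Constructed sample snapshot entries (not real Snyk data).
const snapshot = [
  { id: 'VULN-A', pkg: 'libfoo', range: '*', latestAtSnapshot: '2.4.1' },
  { id: 'VULN-B', pkg: 'libbar', range: '>=1.0.0 <1.3.0' },
  { id: 'VULN-C', pkg: 'libbaz', range: '*' }, // no latest version recorded
];

// Resolve "*" entries for the detected package and return those that apply.
function affectingVulns(detected, db = snapshot) {
  return db
    .filter((v) => v.pkg === detected.name)
    .map((v) => ({ id: v.id, range: resolveRange(v.range, v.latestAtSnapshot) }))
    .filter((v) => isAffected(detected.version, v.range));
}
```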