Duplicates in Dependency Scanning vulnerabilities
Summary
Dependency Scanning should dedupe vulnerabilities when two scanners overlap on the same technology and report the same finding. With the latest version (Go rewrite, see #5908 (closed)) this is no longer the case.
Steps to reproduce
Execute the new dependency-scanning binary on the test project
What is the current bug behavior?
In the current version we can see duplicates:
+-------------------------------------------------------------------------------------------+
| Unknown | bundler-audit | CVE-2018-8048 |
| |
| Loofah XSS Vulnerability |
| Solution: upgrade to >= 2.2.1 |
| In Gemfile.lock |
+-------------------------------------------------------------------------------------------+
+-------------------------------------------------------------------------------------------+
| Unknown | Gemnasium | CVE-2018-8048 |
| |
| XSS Vulnerability in loofah |
| Solution: Upgrade to 2.2.1. |
| In Gemfile.lock |
+-------------------------------------------------------------------------------------------+
What is the expected correct behavior?
In the previous version the output only showed one occurrence (from bundler-audit):
+---------------------+---------------------+--------------------------------------------------------------------------+-------------------------------------------------------------------------------+
| Unknown | bundler_audit | CVE-2018-8048 | https://github.com/sparklemotion/nokogiri/pull/1746 |
| Revert libxml2 behavior in Nokogiri gem that could cause XSS |
| Solution: upgrade to >= 1.8.3 |
| In Gemfile.lock |
+---------------------+---------------------+--------------------------------------------------------------------------+-------------------------------------------------------------------------------+
Possible fixes
Restore dedupe.
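The dedupe the issue asks to restore amounts to grouping findings that share an identifier and a location and keeping a single report per group. The following Go program is an added example written for this issue, not code from the dependency-scanning project: the Finding struct, the scannerPriority table (chosen so that bundler-audit wins, matching the expected output above) and the sample input are all assumptions. The sample mirrors the duplicate CVE-2018-8048 pair from the issue plus one constructed, unrelated finding to show that distinct keys survive.

```go
package main

import "fmt"

// Finding is a simplified vulnerability record modelled on the columns visible
// in the issue's CLI output. It is an assumption for this example, not the
// project's own type.
type Finding struct {
	Severity   string
	Scanner    string
	Identifier string // e.g. a CVE id
	Message    string
	Solution   string
	Location   string // file the finding was reported in
}

// scannerPriority decides whose report survives when two scanners report the
// same identifier at the same location. The order is an assumption picked so
// that bundler-audit is kept, as in the issue's expected output.
var scannerPriority = map[string]int{
	"bundler-audit": 0,
	"Gemnasium":     1,
}

// priority ranks a scanner; scanners absent from the table rank last.
func priority(scanner string) int {
	if p, ok := scannerPriority[scanner]; ok {
		return p
	}
	return len(scannerPriority)
}

// dedupeKey groups findings that describe the same issue in the same file.
func dedupeKey(f Finding) string {
	return f.Identifier + "|" + f.Location
}

// Dedupe returns one Finding per (identifier, location) pair, keeping the
// report from the highest-priority scanner. Output order follows the first
// appearance of each key in the input, so results are stable across runs.
func Dedupe(findings []Finding) []Finding {
	best := map[string]Finding{}
	var order []string
	for _, f := range findings {
		k := dedupeKey(f)
		cur, seen := best[k]
		if !seen {
			order = append(order, k)
			best[k] = f
			continue
		}
		if priority(f.Scanner) < priority(cur.Scanner) {
			best[k] = f
		}
	}
	out := make([]Finding, 0, len(order))
	for _, k := range order {
		out = append(out, best[k])
	}
	return out
}

// SampleFindings is constructed input: the duplicate pair from the issue plus
// one unrelated finding with a placeholder identifier.
func SampleFindings() []Finding {
	return []Finding{
		{"Unknown", "Gemnasium", "CVE-2018-8048", "XSS Vulnerability in loofah", "Upgrade to 2.2.1.", "Gemfile.lock"},
		{"Unknown", "bundler-audit", "CVE-2018-8048", "Loofah XSS Vulnerability", "upgrade to >= 2.2.1", "Gemfile.lock"},
		{"Unknown", "Gemnasium", "EXAMPLE-ID-1", "constructed placeholder finding", "n/a", "Gemfile.lock"},
	}
}

func main() {
	for _, f := range Dedupe(SampleFindings()) {
		fmt.Printf("%s | %s | %s | %s (in %s)\n",
			f.Severity, f.Scanner, f.Identifier, f.Message, f.Location)
	}
}
```

Running it prints two lines instead of three: the CVE-2018-8048 entry from bundler-audit and the constructed placeholder. The Gemnasium report of the same CVE is dropped even though it appears first in the input, because the priority table, not input order, picks the survivor; a real implementation would also want to normalise scanner names (the old output spells it bundler_audit, the new one bundler-audit) before looking them up.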
Edited by Fabien Catteau