Question: problem with npm importer or something else?

[kipz]

We're running a vulnerablecode instance here https://vulnerablecode.atomist.com/, and have been doing some spot-checks on the data, and often see confusing results.

Take for example: https://nvd.nist.gov/vuln/detail/CVE-2021-32640

This was reported by Github, and is present on npmjs.org too.

However, a search for this on our vulnerablecode instance (on which we've run all the importers), doesn't show the npmjs package, just the debian ones (no purl with name ws, just node-ws)

https://vulnerablecode.atomist.com/vulnerabilities/20110

I'm curious about whether this is expected or are there bugs somewhere in the importers? Perhaps one importer is overwriting data from another? Or perhaps the npm importer isn't storing any data?

FWIW: running npm audit on a project with an old version of ws does suggest an upgrade, and this uses the same APIs as the npm importer AFAIK.

Any insights would be much appreciated.

[pombredanne]

@kipz Thanks for the detailed report. It looks like a bug for sure. Let me try to reproduce on a fresh instance

[Hritik14]

I've looked into it and this is because currently our npm importer fetches the data from https://github.com/nodejs/security-wg which doesn't contain the required advisory. The said repository is not handling ecosystem vulnerabilities. There appears to be an ongoing discussion regarding this.

In short, the advisory data from nodejs is different from that of npm.
Ironically, we had #101 for collecting npm advisories which was closed in favor of the nodejs advisories.

We could either:

• Mark current importer as nodejs only and create a separate importer for npm or
• Merge both nodejs and npm in the current importer

Further, there might be a problem with debian importer as the reported purl mentions pkg:deb/debian/node-ws@1.1.0 which should be unrelated to the affected versions mentioned in the github advisory. This could be a result of #140

[sbs2001]

@Hritik14 I get the feeling that nodejs-wg is abandoned last updated -> 3 months ago. Let's keep it as it is for awhile, meanwhile your (1) approach makes sense.

The won't be much work since the schemas both sources are indentical. See #228

[pombredanne]

I guess that there may be some slow down per nodejs/security-wg#662 and we likely want to use both sources of https://registry.npmjs.org/-/npm/v1/security/advisories and https://github.com/nodejs/security-wg rather than just one in this case.

[pombredanne]

Actually the problem may be deeper than this: https://nodejs.medium.com/node-js-ecosystem-vulnerability-reporting-program-winding-down-591d9a8cd2c7 ... this is basically close sourcing this source of npm issues at Snyk from the face of it.
So IMHO:

1. keep what we have and ensure we collect all
2. possibly archive some of the raw upstream data
3. we need more and more to ensure that we can cross ref these vulnerabilities to multi-source them IMHO