Michael Kedar
There is no current way to identify whether a vulnerable dependency only affects the development environment e.g. whether it comes from `devDependencies` or `dependencies` in `package.json`. We should add a...
The current Gitignore parsing does not take into account the boundaries of git repositories, meaning:
- `.gitignore` files that are outside of git repositories are parsed and applied.
- `.gitignore`...
[Enumerate Package Versions](https://learn.microsoft.com/en-us/nuget/api/package-base-address-resource#enumerate-package-versions) returns just the array of the versions of a package, as opposed to the endpoint we currently use which lists all the package info (but can also...
The workers log latency regardless of whether the task finished or not: https://github.com/google/osv.dev/blob/01173bfd380841914bda13453d3a1853395924de/docker/worker/worker.py#L623-L628 This messes with our import latency SLO monitoring, since jobs repeatedly get processed & timed out until...
Currently, our worker/importer/exporter use the attached persistent SSDs to store temporary data such as git repositories, which can cause problems if the files are not deleted before the pod exits....
The repo is quite messy and it's hard to know where things are. The current state of things (from my understanding): | folder | what | |--------|--------| | `deployment/`| Terraform,...
Need to implement an [ecosystem helper for Rocky Linux](https://github.com/google/osv.dev/blob/d14f916b46768749da4d92d76d322c91e81dd23b/osv/ecosystems/_ecosystems.py#L76-L78) to parse version strings and fetch versions of packages.
Need to implement an [ecosystem helper for AlmaLinux](https://github.com/google/osv.dev/blob/d14f916b46768749da4d92d76d322c91e81dd23b/osv/ecosystems/_ecosystems.py#L72-L74) to parse version strings and fetch versions of packages.
In non-interactive, perhaps a message along the lines of `VULN-1234 is unfixable due to direct dependency on foo`. Possibly only shown when using the `--vulns` flag
If the same package version is installed multiple times under different groups in a package-lock.json file (i.e. in both dev and prod), `osv-scanner scan` behaves inconsistently in showing which groups...