misc(snyk): only keep vuln data for detectable libs #6919
Conversation
| @@ -28,6 +33,21 @@ writeFileSync(filename, output, 'utf8'); | |||
| */ | |||
| function cleanAndFormat(vulnString) { | |||
| const snapshot = /** @type {!SnykDB} */ (JSON.parse(vulnString)); | |||
| // Hack to deal with non-node-friendly code. | |||
| eval(libDetectorSource.replace(/var /g, 'global.')); | |||
There was a problem hiding this comment.
I'm so curious what they were doing and how this works... :)
https://github.com/johnmichel/Library-Detector-for-Chrome/blob/e1fb487c5599bf3b6bbea98a25c60035b5e02938/library/libraries.js#L1-L2
how's about somethin' like?
const librariesDefinition = eval(`
(() => {
${libDetectorSource}
return d41d8cd98f00b204e9800998ecf8427e_LibraryDetectorTests;
})()
`)
|
@paulirish we just reopened a pr with pretty much all the filtered vulns (#6961). Looks like this won't be an issue this time, due to filtering. Are you interested in the full list at all? is |
|
@aviadatsnyk we're not really interested in keeping the full list in our source at this time since we have no way of surfacing most of it. We are working on some other efforts around bundle analysis that should enable us to use the complete list, so maybe once that's completed we can revisit? |
|
discussing this here: #6961 |
Previous to #6888 there were only THREE libs in the vuln snapshot that we couldn't detect with js-lib-detector. But now there's lots.
thx @patrickhulce for calling this out: #6888 (review)
this updates the cleanup script to exclude vuln data for libs we can't detect.