Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Improver to find out Ghost packages #917

Closed
TG1999 opened this issue Sep 13, 2022 · 3 comments · Fixed by #1533
Closed

Add Improver to find out Ghost packages #917

TG1999 opened this issue Sep 13, 2022 · 3 comments · Fixed by #1533
Assignees
@TG1999 @keshav-space
Labels
1-next data-quality

Comments

@TG1999
Copy link
Contributor

TG1999 commented Sep 13, 2022
edited by pombredanne
Loading

We have some packages coming from security advisories that doesn't exist anywhere, we should have an improver to verify if a package actually exists.

See also:
@armijnhemel armijnhemel mentioned this issue Sep 15, 2022
Open
@armijnhemel
Copy link
Contributor

Would this be an improver per data source or a generic improver covering all data sources? Take for example #915, it could be an improver looking at (historical) package information from Alpine and specifically for Alpine.

@sify21
Copy link
Contributor

sify21 commented Oct 10, 2022
edited
Loading

Just add an example of typosquatting attack advisory from rust:
https://github.com/rustsec/advisory-db/blob/main/crates/rustdecimal/RUSTSEC-2022-0042.md
What should be done for this kind of advisory that doesn't have related package/version? Just ignore them?

@TG1999 TG1999 added this to the v31.0 milestone Oct 11, 2022
@TG1999 TG1999 modified the milestones: v31.0, v32.0.0 Nov 21, 2022
@pombredanne pombredanne modified the milestones: v32.0.0, v33.0.0 Dec 8, 2022
@TG1999 TG1999 modified the milestones: v33.0.0, v34.0.0 Jan 13, 2023
@TG1999 TG1999 removed this from the v34.0.0 milestone Jan 30, 2024
@pombredanne pombredanne mentioned this issue Jul 16, 2024
Open
@keshav-space
Copy link
Member

Some of these non-existent packages could be the result of incorrect parsing of version ranges from upstream advisories #1516.

@keshav-space keshav-space mentioned this issue Aug 2, 2024
Merged
keshav-space added a commit that referenced this issue Aug 26, 2024
@keshav-space
Merge pull request #1533 from aboutcode-org/917-ghost-remover
1e3afdc 
Add improver pipeline to flag ghost packages #644 #917 #1395
@pombredanne pombredanne added 1-next and removed 9-next labels Sep 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TG1999 TG1999

@keshav-space keshav-space

Labels
1-next data-quality
Projects
04-VulnerableCode Data Quality and next
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add improver pipeline to flag ghost packages #644 #917 #1395 aboutcode-org/vulnerablecode
6 participants
@pombredanne @DennisClark @armijnhemel @sify21 @TG1999 @keshav-space