Create CVE Scanning #80
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs. #80):

                 main     #80    +/-
  Coverage     77.74%  77.74%
  Files            49      49
  Lines           391     391
  Branches         37      37
  Hits            304     304
  Misses           73      73
  Partials         14      14

View full report in Codecov by Sentry.
@josspo I think it is trying to interpret some dependency as being node/npm dependencies and reporting CVEs. https://github.com/morganstanley/fdc3-dotnet/actions/runs/7184323366
@bingenito Are the CVEs false positives? If so, I can add them to the allow-list.xml.
@josspo I have to look at the nuget one still, but for the others it seems to think that "MorganStanley.Fdc3.Newtonsoft.Json" and "MorganStanley.Fdc3.Newtonsoft.Json.Tests" are the morgan-json and other related npm packages, which is absolutely a false positive.
CVE Scanning action that uses DependencyCheck with allow-list.xml.

Enable <EnableWindowsTargeting>true</EnableWindowsTargeting> in WpfFdc3.csproj because the action was failing if it's set to false.
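The thread above describes a classic Dependency-Check false positive: the CPE analyzer matches the NuGet package names MorganStanley.Fdc3.Newtonsoft.Json and MorganStanley.Fdc3.Newtonsoft.Json.Tests against an unrelated npm product and reports that product's CVEs. The safe way to silence that is not to suppress the CVE numbers globally but to suppress the wrong CPE match only for the affected packages, so a genuine vulnerability in a different dependency still surfaces. The following suppression file is an added example written for this discussion; it is not the project's actual allow-list.xml, and the CPE value is a placeholder for whatever identifier the scan report shows under "Identifiers" for the false match.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an OWASP Dependency-Check suppression file (not the
     project's real allow-list.xml). Each <suppress> entry is scoped by
     packageUrl so it cannot accidentally hide findings in other packages. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <suppress>
    <notes><![CDATA[
      False positive: the CPE analyzer matches the MorganStanley.Fdc3.Newtonsoft.Json
      NuGet packages (including the .Tests project) to an unrelated npm product.
      Suppressing the CPE match, not individual CVEs, so any future CVE attached to
      that wrong product is also excluded, while real CVEs in other packages remain.
    ]]></notes>
    <!-- regex="true" lets one entry cover the package and its .Tests variant,
         at any version. Package URLs for NuGet use the pkg:nuget/ type. -->
    <packageUrl regex="true">^pkg:nuget/MorganStanley\.Fdc3\.Newtonsoft\.Json(\.Tests)?@.*$</packageUrl>
    <!-- PLACEHOLDER: replace with the exact CPE shown in the report for the bad match. -->
    <cpe>cpe:/a:EXAMPLE_VENDOR:EXAMPLE_PRODUCT</cpe>
  </suppress>

  <!-- Pattern for a single, reviewed CVE that is confirmed not to apply to how a
       package is used. Keep these narrow (one package, one CVE) and record the
       reasoning so the entry can be re-evaluated when the package is upgraded. -->
  <suppress>
    <notes><![CDATA[
      PLACEHOLDER entry showing the per-CVE form. Only use this after confirming
      the vulnerable code path is not reachable; document why in these notes.
    ]]></notes>
    <packageUrl regex="true">^pkg:nuget/EXAMPLE\.Package@.*$</packageUrl>
    <cve>CVE-0000-00000</cve>
  </suppress>

</suppressions>
```

Dependency-Check is pointed at this file with its suppression-file option (for the CLI, `--suppression allow-list.xml`; the GitHub action exposes the same setting through its extra arguments). Prefer the `<cpe>` form for misidentified packages and reserve `<cve>` for individually reviewed findings; an unscoped `<cve>` entry without a `packageUrl` would hide that CVE for every dependency in the build.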