The Open Source Vulnerability Scanner, well, scans open source repositories for known vulnerabilities. If you run it on the reqwest repo, it currently finds 74 unfixed vulnerabilities. At second glance, these all stem from npm packages, and from within the wasm_github_fetch example.
However, tools like OSSF Scorecard that use this scanner may not easily expose that second glance. Instead, with default settings, scorecard just reports 74 vulnerabilities, and basically recommends not using this repo.
This can be circumvented, I believe rather easily, by telling the OSV scanner "don't bother scanning these dependencies here", using an osv-scanner.toml file. Scorecard respects these directives.
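What such a directive file could look like, as an added example that is not part of the issue above or of the reqwest project: osv-scanner reads an `osv-scanner.toml` placed in the same directory as the lockfile it is scanning (or one passed explicitly with `--config`), so the file would sit next to the example's `package-lock.json`. The path `examples/wasm_github_fetch/` is assumed from the example name in the issue; the vulnerability id, date and package name in the `IgnoredVulns` entry are constructed placeholders, and the ecosystem-wide `PackageOverrides` form requires a recent osv-scanner release.

```toml
# examples/wasm_github_fetch/osv-scanner.toml  (assumed location, next to the npm lockfile)
#
# Option 1: suppress every npm package in this directory. The example only
# runs in a browser demo and is not part of the reqwest crate that users
# depend on, so its npm findings should not count against the repository.
# Leaving `name` unset makes the entry match all packages of the ecosystem.
[[PackageOverrides]]
ecosystem = "npm"
ignore = true
reason = "wasm_github_fetch is a demo; its npm toolchain is not shipped with the crate"

# Option 2 (older, always-supported form): ignore individual advisories,
# with an expiry so the suppression is revisited rather than forgotten.
# The id and date below are placeholders, not real findings.
[[IgnoredVulns]]
id = "GHSA-xxxx-xxxx-xxxx"          # placeholder advisory id
ignoreUntil = 2030-01-01            # placeholder expiry; scanner re-reports it afterwards
reason = "Dev-only dependency of the wasm example; not reachable from the crate"
```

Prefer the expiring `IgnoredVulns` form where a single advisory is at issue and the blanket ecosystem override only for directories that are genuinely demos or tooling, since an ecosystem-wide `ignore = true` silences future findings in that directory as well. Run `osv-scanner --recursive .` from the repository root afterwards to confirm the count reported to Scorecard drops as expected.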