I'm just trying out this action and have noticed a bug. In my test repo there are three vulnerabilities:
CVE: 2024-33883 found in ejs - Version: 3.1.9
CVE: 2024-29041 found in express - Version: 4.18.2
CVE: 2024-39249 found in async - Version: 3.2.3
When there are no open issues for these (e.g. on a first run, or if I have closed all the issues and re-run the workflow), all three GitHub issues are created as expected, when running with `create-issues: true`.
However, if I close any number of the issues (except for all of them), those issues in question are not recreated or re-opened (which might be a nicer way of dealing with it).
A fix here is important as issues could otherwise be closed down when the vulnerability has not been resolved, and it wouldn't be flagged until such a time when no issues were open.
Here are the logs from when the issue for EJS had been closed before running the scan:
```text
2024-07-12T08:48:52.8088637Z Library 130 - async
2024-07-12T08:48:52.8088736Z 1 Issues found on Library
2024-07-12T08:48:52.8089011Z Isuse Title 0: CVE: 2024-39249 found in async - Version: 3.2.3 [JS]
2024-07-12T08:48:52.8089110Z Open issues found: 2
2024-07-12T08:48:52.8089189Z Issue
2024-07-12T08:48:52.8089392Z CVE: 2024-39249 found in async - Version: 3.2.3 [JS]
2024-07-12T08:48:52.8089581Z CVE: 2024-39249 found in async - Version: 3.2.3 [JS]
2024-07-12T08:48:52.8089707Z already exists - skipping
2024-07-12T08:48:52.8090315Z Issue already exists - skipping --- CVE: 2024-39249 found in async - Version: 3.2.3 [JS] ---- CVE: 2024-39249 found in async - Version: 3.2.3 [JS]
2024-07-12T08:48:52.8090427Z Library 162 - ejs
2024-07-12T08:48:52.8090525Z 1 Issues found on Library
2024-07-12T08:48:52.8090787Z Isuse Title 0: CVE: 2024-33883 found in ejs - Version: 3.1.9 [JS]
2024-07-12T08:48:52.8090881Z Open issues found: 2
2024-07-12T08:48:52.8091481Z Issue already exists - skipping --- CVE: 2024-33883 found in ejs - Version: 3.1.9 [JS] ---- CVE: 2024-29041 found in express - Version: 4.18.2 [JS]
2024-07-12T08:48:52.8091597Z Library 171 - express
2024-07-12T08:48:52.8091692Z 1 Issues found on Library
2024-07-12T08:48:52.8091972Z Isuse Title 0: CVE: 2024-29041 found in express - Version: 4.18.2 [JS]
2024-07-12T08:48:52.8092066Z Open issues found: 2
2024-07-12T08:48:52.8092239Z Issue
2024-07-12T08:48:52.8092452Z CVE: 2024-29041 found in express - Version: 4.18.2 [JS]
2024-07-12T08:48:52.8092656Z CVE: 2024-29041 found in express - Version: 4.18.2 [JS]
2024-07-12T08:48:52.8092858Z already exists - skipping
2024-07-12T08:48:52.8093470Z Issue already exists - skipping --- CVE: 2024-29041 found in express - Version: 4.18.2 [JS] ---- CVE: 2024-29041 found in express - Version: 4.18.2 [JS]
2024-07-12T08:48:52.8093563Z Scan finished.
```
As you can see, it recognises that there are two open issues found, yet somehow thinks all three have issues. When looping over `ejs`, note that it does not say `already exists - skipping` as the other two do, but does have the secondary line of `Issue already exists - skipping`.
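The behaviour the report asks for (skip a finding only when an open issue with that exact title exists, reopen a closed one, create otherwise) is shown below as an added example; it is not the action's own code. It assumes the issue list was fetched with `state=all` rather than only open issues, and the findings and issue snapshot are constructed to mirror the scenario in the log (the ejs issue closed by hand).

```javascript
// Added example (not the action's code): reconcile scan findings against
// the repository's existing issues by exact title, with no state carried
// from one library's iteration to the next.

// Constructed findings, mirroring the three CVEs from the bug report.
const findings = [
  { library: 'async',   title: 'CVE: 2024-39249 found in async - Version: 3.2.3 [JS]' },
  { library: 'ejs',     title: 'CVE: 2024-33883 found in ejs - Version: 3.1.9 [JS]' },
  { library: 'express', title: 'CVE: 2024-29041 found in express - Version: 4.18.2 [JS]' },
];

// Constructed snapshot of repository issues (state=all): the ejs issue was closed.
const existingIssues = [
  { number: 1, title: findings[0].title, state: 'open' },
  { number: 2, title: findings[1].title, state: 'closed' },
  { number: 3, title: findings[2].title, state: 'open' },
];

// Build a title -> issue index once, preferring an open issue when duplicates exist.
function indexByTitle(issues) {
  const byTitle = new Map();
  for (const issue of issues) {
    const prev = byTitle.get(issue.title);
    if (!prev || (prev.state !== 'open' && issue.state === 'open')) byTitle.set(issue.title, issue);
  }
  return byTitle;
}

// Decide per finding: skip (open issue exists), reopen (closed issue exists), or create.
function planIssueActions(findings, issues) {
  const byTitle = indexByTitle(issues);
  return findings.map((f) => {
    const match = byTitle.get(f.title);
    if (!match) return { title: f.title, action: 'create' };
    if (match.state === 'open') return { title: f.title, action: 'skip', number: match.number };
    return { title: f.title, action: 'reopen', number: match.number };
  });
}

// The reverse check: open CVE issues whose finding no longer appears in the scan.
function staleOpenIssues(findings, issues) {
  const current = new Set(findings.map((f) => f.title));
  return issues.filter((i) => i.state === 'open' && /^CVE: /.test(i.title) && !current.has(i.title));
}

for (const step of planIssueActions(findings, existingIssues)) {
  console.log(`${step.action.padEnd(6)} #${step.number ?? '-'} ${step.title}`);
}
```

With the constructed snapshot the plan is skip/reopen/skip, whereas the log above shows the action skipping all three.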