Collect commits from dependabot #1130

TG1999 · 2023-02-14T17:30:50Z

We should mine and store the commits made from dependabot in vulnerablecode database.

Get all the dependabot commits
Check the package mentioned in that commit is vulnerable or not for example: KoraLinSar/python-socketio@a79f81b this states Bump sanic from 0.8 to 20.12.6 in /examples/server/sanic here [email protected] might be vulnerable which can be checked from vulnerablecode https://public.vulnerablecode.io/packages/pkg:pypi/[email protected]?search=sanic this means this commit is fixing a vulnerable package and the current release of that package can be marked as vulnerable.
Also check if the commit is merged in main, sometimes dependabot commits might be changing the mock data in test files

The text was updated successfully, but these errors were encountered:

pombredanne mentioned this issue Jul 3, 2023

How to detect link between a vulnerability and source code of project? #1216

Open

pombredanne added the fix-commit label Dec 13, 2024

Provide feedback