fix(reporter): dedupe lockfile poisoning markdown threats by URL#714
fix(reporter): dedupe lockfile poisoning markdown threats by URL#714Carla232 wants to merge 8 commits into
Conversation
Signed-off-by: Carla232 <79741526+Carla232@users.noreply.github.com>
SafeDep Report SummaryNo dependency changes detected. Nothing to scan. This report is generated by SafeDep Github App |
|
@Carla232 thanks for contribution |
|
@Carla232 builds are failing.. |
Signed-off-by: Carla232 <79741526+Carla232@users.noreply.github.com>
Signed-off-by: Carla232 <79741526+Carla232@users.noreply.github.com>
|
I pushed a follow-up fix in 7547b3a for the Go Linter failure ( Could you please approve/re-run the workflows? |
Signed-off-by: Carla232 <79741526+Carla232@users.noreply.github.com>
|
I pushed another follow-up in ea7c8a5 for the The failure was caused by a flaky test: the query-worker test was starting the full Malysis enricher, so the result worker and the test were both consuming from the same Locally verified:
Could you please approve/re-run the workflows for the latest commit? |
|
@Carla232 i tested it loally (from your branch) by building Why the url is repeated, it should solve this?
my {
"name": "vet-test",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC",
"type": "commonjs",
"dependencies": {
"glob": "https://github.com/isaacs/node-glob/archive/refs/tags/v10.3.0.tar.gz",
"globx": "https://github.com/isaacs/node-glob/archive/refs/tags/v10.3.0.tar.gz"
}
} |
Signed-off-by: Carla232 <79741526+Carla232@users.noreply.github.com>
|
Thanks for testing this and for the screenshot. You were right: the previous change still allowed the same resolved URL to appear multiple times in the CLI summary output, especially when different package names point to the same tarball URL. I pushed
I also updated the PR description to reflect this broader scope. Verified with the
|
|
thanks will test |
|
@KunalSin9h Can you please review and take this forward? |




Fixes #231
Summary
Why
When multiple package entries resolve through the same private or non-registry URL, the report can repeat nearly identical lockfile poisoning findings. Grouping by URL makes the report shorter and easier to review, even when different package names point to the same resolved artifact.
Testing
go test ./pkg/reporter -run "Test(GroupLockfilePoisoningThreatsByURL|AddThreatsSectionConsolidatesLockfilePoisoningByURL|GroupLockfilePoisoningMessagesByURL)$" -count=1 -vgo test ./pkg/reporter -count=1globandglobxpointing to the same tarball URL: CLI summary contains the URL once--report-markdown-summary: markdown summary contains the URL once