nodesource · riosje · Aug 14, 2025 · Aug 14, 2025 · Aug 14, 2025 · coderabbitai
diff --git a/.github/workflows/check-vulns.yml b/.github/workflows/check-vulns.yml
@@ -110,6 +110,7 @@ jobs:
           VULN_DEP_NAME: ${{ matrix.vulnerabilities.dependency }}
           VULN_DEP_VERSION: ${{ matrix.vulnerabilities.version }}
           VULN_SOURCE: ${{ matrix.vulnerabilities.source }}
+          VULN_TITLE: ${{ matrix.vulnerabilities.title }}
           VULN_MAIN_DEP_NAME: ${{ matrix.vulnerabilities.main_dep_name }}
-          VULN_TITLE: ${{ matrix.vulnerabilities.title }}
-          VULN_MAIN_DEP_NAME: ${{ matrix.vulnerabilities.main_dep_name }}
+          VULN_TITLE: ${{ matrix.vulnerabilities.title || '' }}
+          VULN_MAIN_DEP_NAME: ${{ matrix.vulnerabilities.main_dep_name }}
-          VULN_TITLE: ${{ matrix.vulnerabilities.title }}
-          VULN_MAIN_DEP_NAME: ${{ matrix.vulnerabilities.main_dep_name }}
+          VULN_TITLE: ${{ matrix.vulnerabilities.title || '' }}
+          VULN_MAIN_DEP_NAME: ${{ matrix.vulnerabilities.main_dep_name }}
           VULN_MAIN_DEP_PATH: ${{ matrix.vulnerabilities.main_dep_path }}
           NODEJS_STREAM: ${{ inputs.nsolidStream }}

diff --git a/.github/workflows/create_issue.sh b/.github/workflows/create_issue.sh
@@ -21,6 +21,7 @@ VULN_URL="${VULN_URL}"
 VULN_DEP_NAME="${VULN_DEP_NAME}"
 VULN_DEP_VERSION="${VULN_DEP_VERSION}"
 VULN_SOURCE="${VULN_SOURCE}"
+VULN_TITLE="${VULN_TITLE:-}"
 VULN_MAIN_DEP_NAME="${VULN_MAIN_DEP_NAME:-}"
 VULN_MAIN_DEP_PATH="${VULN_MAIN_DEP_PATH:-}"
 NODEJS_STREAM="${NODEJS_STREAM}"
@@ -35,6 +36,12 @@ ISSUE_BODY="A new vulnerability for ${VULN_DEP_NAME} ${VULN_DEP_VERSION} was fou
 Vulnerability ID: ${VULN_ID}
 Vulnerability URL: ${VULN_URL}"
 
+# Add vulnerability title if available
+if [ -n "${VULN_TITLE}" ]; then
+    ISSUE_BODY="${ISSUE_BODY}
+Vulnerability Title: ${VULN_TITLE}"
+fi
+
 # Add npm-specific info if applicable
 if [ "${VULN_SOURCE}" = "npm" ] && [ -n "${VULN_MAIN_DEP_NAME}" ]; then
     ISSUE_BODY="${ISSUE_BODY}

diff --git a/.github/workflows/format_matrix.py b/.github/workflows/format_matrix.py
@@ -23,6 +23,11 @@ def generate_labels_for_vulnerability(vuln: Dict[str, Any], nsolid_stream: str)
     if vuln.get("source") == "npm":
         labels.append("NPM")
 
+    # Add main dependency name as label if present
+    main_dep_name = vuln.get("main_dep_name")
+    if main_dep_name and main_dep_name != "null":
+        labels.append(main_dep_name)
+
     # Add severity label if available
     severity = vuln.get("severity")
     if severity and severity != "null":
@@ -70,6 +75,9 @@ def build_vulnerability_matrix(vulnerabilities_data: Dict[str, Any], nsolid_stre
             matrix_entry["severity"] = vuln["severity"]
         if "via" in vuln and vuln["via"]:
             matrix_entry["via"] = vuln["via"]
+            # Extract title from via array for display purposes
+            if isinstance(vuln["via"], list) and vuln["via"]:
+                matrix_entry["title"] = vuln["via"][0] if vuln["via"][0] else ""
-            # Extract title from via array for display purposes
-            if isinstance(vuln["via"], list) and vuln["via"]:
-                matrix_entry["title"] = vuln["via"][0] if vuln["via"][0] else ""
+            # Extract title from via array for display purposes
+            if isinstance(vuln["via"], list) and vuln["via"]:
+                matrix_entry["title"] = str(vuln["via"][0]) if vuln["via"][0] else ""
-            # Extract title from via array for display purposes
-            if isinstance(vuln["via"], list) and vuln["via"]:
-                matrix_entry["title"] = vuln["via"][0] if vuln["via"][0] else ""
+            # Extract title from via array for display purposes
+            if isinstance(vuln["via"], list) and vuln["via"]:
+                matrix_entry["title"] = str(vuln["via"][0]) if vuln["via"][0] else ""
         if "main_dep_name" in vuln and vuln["main_dep_name"] is not None:
             matrix_entry["main_dep_name"] = vuln["main_dep_name"]
         if "main_dep_path" in vuln and vuln["main_dep_path"] is not None:

diff --git a/dep_checker/npm_audit.py b/dep_checker/npm_audit.py
@@ -21,7 +21,7 @@
 # You can also use folder names for broader exclusions (e.g., "test" excludes all test folders)
 EXCLUDE_PATHS = [
     # Specific path exclusions
-    "deps/v8/tools/turbolizer",
+    "deps/v8/tools",
 
     # General folder name exclusions (will match any folder with this name)
     "test",
@@ -179,37 +179,80 @@ def parse_audit_results(self, audit_data: Dict, package_dir: Path, vulnerability
                         severity = vuln_data.get("severity", "unknown")
                         via = vuln_data.get("via", [])
                         fix_available = vuln_data.get("fixAvailable", False)
+                        range_info = vuln_data.get("range", "unknown")
 
-                        # Handle different via formats
+                        # Handle different via formats - create separate vulnerabilities for each advisory
                         if isinstance(via, list) and via:
-                            # Get the first vulnerability ID from via
-                            first_via = via[0]
-                            if isinstance(first_via, dict):
-                                vuln_id = first_via.get("source", f"npm-{vuln_name}")
-                                url = first_via.get("url", f"https://npmjs.com/advisories/{vuln_id}")
-                            else:
-                                vuln_id = str(first_via)
-                                url = f"https://npmjs.com/advisories/{vuln_id}"
+                            for via_item in via:
+                                if isinstance(via_item, dict):
+                                    # Extract individual advisory information
+                                    advisory_id = via_item.get("source")
+                                    advisory_url = via_item.get("url")
+                                    advisory_title = via_item.get("title", "")
+                                    advisory_severity = via_item.get("severity", severity)
+
+                                    # Use advisory ID as vulnerability ID, fallback to package name
+                                    if advisory_id:
+                                        vuln_id = str(advisory_id)
+                                    else:
+                                        vuln_id = f"npm-{vuln_name}"
+
+                                    # Use proper GitHub advisory URL if available
+                                    if advisory_url:
+                                        url = advisory_url
+                                    else:
+                                        url = f"https://github.com/advisories?query={vuln_name}"
+
+                                    # Create vulnerability with advisory-specific information
+                                    vulnerability = vulnerability_class(
+                                        id=vuln_id,
+                                        url=url,
+                                        dependency=vuln_name,
+                                        version=str(range_info),
+                                        source="npm",
+                                        severity=advisory_severity,
+                                        via=[advisory_title] if advisory_title else [],
+                                        fix_available=bool(fix_available),
+                                        main_dep_name=main_dep_name,
+                                        main_dep_path=main_dep_path
+                                    )
+                                    vulnerabilities.append(vulnerability)
+                                else:
+                                    # Handle string via items (legacy format)
+                                    vuln_id = str(via_item)
+                                    url = f"https://github.com/advisories?query={vuln_id}"
+
+                                    vulnerability = vulnerability_class(
+                                        id=vuln_id,
+                                        url=url,
+                                        dependency=vuln_name,
+                                        version=str(range_info),
+                                        source="npm",
+                                        severity=severity,
+                                        via=[str(via_item)],
+                                        fix_available=bool(fix_available),
+                                        main_dep_name=main_dep_name,
+                                        main_dep_path=main_dep_path
+                                    )
+                                    vulnerabilities.append(vulnerability)
                         else:
+                            # No via information, create basic vulnerability
                             vuln_id = f"npm-{vuln_name}"
-                            url = f"https://npmjs.com/package/{vuln_name}"
-
-                        # Get version range
-                        range_info = vuln_data.get("range", "unknown")
-
-                        vulnerability = vulnerability_class(
-                            id=vuln_id,
-                            url=url,
-                            dependency=vuln_name,
-                            version=str(range_info),
-                            source="npm",
-                            severity=severity,
-                            via=[str(v) for v in via] if via else [],
-                            fix_available=bool(fix_available),
-                            main_dep_name=main_dep_name,
-                            main_dep_path=main_dep_path
-                        )
-                        vulnerabilities.append(vulnerability)
+                            url = f"https://github.com/advisories?query={vuln_name}"
+
+                            vulnerability = vulnerability_class(
+                                id=vuln_id,
+                                url=url,
+                                dependency=vuln_name,
+                                version=str(range_info),
+                                source="npm",
+                                severity=severity,
+                                via=[],
+                                fix_available=bool(fix_available),
+                                main_dep_name=main_dep_name,
+                                main_dep_path=main_dep_path
+                            )
+                            vulnerabilities.append(vulnerability)
 
                     except Exception as e:
                         logger.error(f"Error parsing vulnerability {vuln_name}: {e}")