OSV scanner reports vulnerabilities in packages that should be filtered out because they are dependencies of Grafana packages, but the filtering fails when multiple versions of a Grafana package exist in the lock file.
The CacheGrafanaPackages() function in pkg/analysis/passes/osvscanner/cache-grafana-packages.go uses packageExists() which performs a name-only lookup. When multiple versions of the same Grafana package exist in the parsed packages list, it always expands the first version it finds, not necessarily the one actually used by the project.
Example
In esnet-matrix-panel with package.json:
```json
{
  "@grafana/data": "latest",
  "@grafana/runtime": "9.3.8"
}
```
The lock file contains two versions of @grafana/data:
- 9.5.1 (from `@grafana/data: "latest"`) → has dompurify as a direct dependency
- 9.3.8 (nested under `@grafana/runtime@9.3.8`) → does NOT have dompurify
The cache builder finds 9.3.8 first and expands only that version:
- `@grafana/data@9.3.8`: 60 dependencies (no dompurify)
- `@grafana/data@9.5.1`: 22 dependencies (includes dompurify)
Result: dompurify@2.4.5 vulnerabilities are reported even though it comes from @grafana/data@9.5.1 and should be filtered.
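The following is an added, self-contained Go model of the failure described above; it is not the plugin-validator's own code. The types `LockPackage`, the functions `CacheGrafanaDeps`, `firstOnly`, `everyVersion` and `IsGrafanaDependency`, and the sample lock-file contents are all constructed for illustration. With a name-only lookup (`firstOnly`), the walk from every `@grafana/*` root lands on the first `@grafana/data` version in the list, so `dompurify@2.4.5` never enters the allow-list; expanding every version that the lock file actually contains (`everyVersion`) includes it, so the OSV finding would be filtered as a Grafana-owned dependency.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LockPackage is a hypothetical, simplified model of one parsed lock-file
// entry: a name, a version and the names of its direct dependencies.
type LockPackage struct {
	Name    string
	Version string
	Deps    []string // direct dependency names; versions are resolved by lookup
}

// Constructed sample reproducing the report: @grafana/data appears twice in
// the lock file and only 9.5.1 depends on dompurify.
var samplePackages = []LockPackage{
	{Name: "@grafana/runtime", Version: "9.3.8", Deps: []string{"@grafana/data"}},
	{Name: "@grafana/data", Version: "9.3.8", Deps: []string{"lodash"}},
	{Name: "@grafana/data", Version: "9.5.1", Deps: []string{"lodash", "dompurify"}},
	{Name: "dompurify", Version: "2.4.5"},
	{Name: "lodash", Version: "4.17.21"},
}

// indexByName groups parsed packages by name, preserving lock-file order.
func indexByName(pkgs []LockPackage) map[string][]LockPackage {
	idx := make(map[string][]LockPackage)
	for _, p := range pkgs {
		idx[p.Name] = append(idx[p.Name], p)
	}
	return idx
}

// firstOnly mirrors a name-only lookup: the first version found always wins.
func firstOnly(candidates []LockPackage) []LockPackage {
	if len(candidates) == 0 {
		return nil
	}
	return candidates[:1]
}

// everyVersion follows every version of a name present in the lock file.
func everyVersion(candidates []LockPackage) []LockPackage { return candidates }

// collect walks the dependency graph from start, recording each reached
// package as name@version; pick decides which version(s) of a name to follow.
func collect(start LockPackage, idx map[string][]LockPackage,
	pick func([]LockPackage) []LockPackage, seen map[string]bool) {
	key := start.Name + "@" + start.Version
	if seen[key] {
		return
	}
	seen[key] = true
	for _, dep := range start.Deps {
		for _, child := range pick(idx[dep]) {
			collect(child, idx, pick, seen)
		}
	}
}

// CacheGrafanaDeps returns the sorted set of name@version entries reachable
// from any @grafana/* package. pick=firstOnly reproduces the bug;
// pick=everyVersion expands each version the lock file resolves.
func CacheGrafanaDeps(pkgs []LockPackage, pick func([]LockPackage) []LockPackage) []string {
	idx := indexByName(pkgs)
	seen := map[string]bool{}
	for _, p := range pkgs {
		if strings.HasPrefix(p.Name, "@grafana/") {
			for _, root := range pick(idx[p.Name]) {
				collect(root, idx, pick, seen)
			}
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// IsGrafanaDependency reports whether an OSV finding for name@version should
// be filtered because the package is pulled in by a Grafana package.
func IsGrafanaDependency(cache []string, name, version string) bool {
	key := name + "@" + version
	i := sort.SearchStrings(cache, key)
	return i < len(cache) && cache[i] == key
}

func main() {
	for _, c := range []struct {
		label string
		pick  func([]LockPackage) []LockPackage
	}{{"name-only lookup", firstOnly}, {"all versions", everyVersion}} {
		cache := CacheGrafanaDeps(samplePackages, c.pick)
		fmt.Printf("%-17s filters dompurify@2.4.5: %v\n", c.label,
			IsGrafanaDependency(cache, "dompurify", "2.4.5"))
	}
}
```

Note that the fix modelled here is deliberately conservative: every version of a Grafana package that the lock file contains is expanded, because each one is there only because some resolved dependency edge requires it. A lookup keyed on the exact version the project's own package.json resolves to would also work, but only if the cache builder has access to that resolution.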