[Skims/Integrates] Show safe versions of a dependency in SCA
Problem to solve
SCA reports which dependencies are vulnerable, but not which versions of those dependencies are safe. Showing the safe versions alongside each finding would give stakeholders a concrete remediation target (the version to upgrade to) instead of only the fact that the current version is affected.
Intended users
ARM and skims users
Proposal
SCA extracts the versions declared in the dependency files and compares them against the vulnerable version ranges in the advisories; a match is what ties an advisory to a given dependency. Since the vulnerable ranges of every matched advisory are known, the safe versions can be derived from them (the complement of the union of all vulnerable ranges for that dependency) and displayed to the interested user. Note that a safe range is only safe with respect to the advisories known at the time it is computed, so it has to be recomputed whenever new advisories for that dependency are loaded.
Steps
- Get the safe version range of a library by inverting each vulnerable range in its existing advisories and intersecting the results (equivalently, the complement of the union of all vulnerable ranges).
- Add the safe versions to the sca_scheduler, generating new JSON files in the bucket that include the safe version for each library.
- When reporting an SCA vulnerability, add the safe_version to the SARIF report as additional information.
- Add the safe version attribute to the VulnerabilityAdvisory Enum on Integrates.
- Show the safe version as part of the vulnerability info.
- Run a migration to populate the safe version of all open SCA machine reports.
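As an added example (not skims or Integrates code), the following Python implements the first step above, deriving the safe ranges from a dependency's advisories, together with the membership check the later steps would use to validate what gets written to the bucket and into the SARIF safe_version field. Everything in it is an assumption for illustration: a toy advisory range syntax of comma-separated clauses using >=, >, <=, <, == (real advisory feeds use ecosystem-specific syntax), plain dotted numeric versions padded to three components (no pre-release tags or epochs, which need the ecosystem's own comparison rules), and constructed advisory ranges for a fictional library. Inverting each vulnerable range and intersecting the results is the same as taking the complement of their union, so the code merges the overlapping vulnerable intervals and reads off the gaps; that also covers the edge cases where two ranges touch at a boundary or where a single version is the only safe one.

```python
# Added example (not skims/integrates code): safe version ranges from advisory vulnerable ranges.
from dataclasses import dataclass
from typing import List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    # Assumption: plain dotted numeric versions (no pre-release tags), padded to 3 parts.
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

@dataclass(frozen=True)
class Bound:
    version: Tuple[int, ...]
    inclusive: bool

@dataclass(frozen=True)
class Interval:  # lo/hi None = unbounded on that side
    lo: Optional[Bound]
    hi: Optional[Bound]

def parse_range(spec: str) -> Interval:
    # Toy advisory syntax (assumption): comma-separated clauses using >=, >, <=, <, ==.
    lo = hi = None
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):
            if clause.startswith(op):
                version = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        if op in (">=", ">", "=="):
            lo = Bound(version, op != ">")
        if op in ("<=", "<", "=="):
            hi = Bound(version, op != "<")
    return Interval(lo, hi)

def _lo_key(b):  # unbounded first; '>=v' sorts before '>v'
    return (0,) if b is None else (1, b.version, 0 if b.inclusive else 1)

def _hi_key(b):  # unbounded last; '<v' sorts before '<=v'
    return (1,) if b is None else (0, b.version, 1 if b.inclusive else 0)

def _touches(hi, lo) -> bool:  # no gap between an interval ending at hi and one starting at lo
    if hi is None or lo is None:
        return True
    return lo.version < hi.version or (lo.version == hi.version and (lo.inclusive or hi.inclusive))

def union(intervals: List[Interval]) -> List[Interval]:
    # Merge overlapping or adjacent vulnerable intervals in lower-bound order.
    merged: List[Interval] = []
    for cur in sorted(intervals, key=lambda i: _lo_key(i.lo)):
        if merged and _touches(merged[-1].hi, cur.lo):
            merged[-1] = Interval(merged[-1].lo, max(merged[-1].hi, cur.hi, key=_hi_key))
        else:
            merged.append(cur)
    return merged

def complement(intervals: List[Interval]) -> List[Interval]:
    # Safe intervals are the gaps around the merged vulnerable intervals (= invert each, intersect).
    flip = lambda b: Bound(b.version, not b.inclusive)
    merged = union(intervals)
    if not merged:
        return [Interval(None, None)]
    safe = [Interval(None, flip(merged[0].lo))] if merged[0].lo is not None else []
    for left, right in zip(merged, merged[1:]):  # gap bounds are finite after merging
        safe.append(Interval(flip(left.hi), flip(right.lo)))
    if merged[-1].hi is not None:
        safe.append(Interval(flip(merged[-1].hi), None))
    return safe

def render(interval: Interval) -> str:
    dotted = lambda b: ".".join(map(str, b.version))
    lo, hi = interval.lo, interval.hi
    if lo is not None and lo == hi and lo.inclusive:
        return "==" + dotted(lo)
    parts = [(">=" if lo.inclusive else ">") + dotted(lo)] if lo is not None else []
    if hi is not None:
        parts.append(("<=" if hi.inclusive else "<") + dotted(hi))
    return ",".join(parts) or "*"

def safe_versions(vulnerable_ranges: List[str]) -> List[str]:
    return [render(i) for i in complement([parse_range(r) for r in vulnerable_ranges])]

def recommended_fix(vulnerable_ranges: List[str]) -> Optional[str]:
    # The open-ended safe range is the upgrade target; None means no patched release exists yet.
    for interval in complement([parse_range(r) for r in vulnerable_ranges]):
        if interval.hi is None:
            return render(interval)
    return None

def is_safe(version: str, vulnerable_ranges: List[str]) -> bool:
    # Independent membership test straight against the advisories, to cross-check the ranges.
    v = parse_version(version)
    def inside(i: Interval) -> bool:
        return ((i.lo is None or v > i.lo.version or (v == i.lo.version and i.lo.inclusive))
                and (i.hi is None or v < i.hi.version or (v == i.hi.version and i.hi.inclusive)))
    return not any(inside(parse_range(r)) for r in vulnerable_ranges)

if __name__ == "__main__":
    # Constructed advisory ranges for a fictional library, not real advisories.
    ranges = [">=1.0.0,<1.2.5", ">=1.2.0,<1.3.1", ">=2.0.0,<2.0.3", "==1.5.0"]
    print(safe_versions(ranges), recommended_fix(ranges))
```

recommended_fix returns the open-ended safe range, which is the value that makes sense as a single safe_version: a range that is closed above (for example >=1.3.1,<1.5.0) is safe today but is skipped over by any future upgrade. When an advisory has no upper bound, no patched release exists yet, recommended_fix returns None, and the report should say so rather than show an empty field. Either way the safe set is only as complete as the advisories loaded at the time, so the scheduler has to recompute it whenever advisories are added, not only when a dependency file changes.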
Edited by Fabio Lagos