Show all paths to a vulnerable dependency

Problem to solve

As a developer checking a vulnerable dependency, I want to know which top-level dependencies cause the vulnerable component to be installed in my project, so that I can better assess the threat and possibly take action.

It's important that I see all dependency paths to establish in which contexts the security flaw can be exploited, and better assess the risk.

This is a follow-up issue to #227620 (closed) which is about showing one single path connecting the vulnerable dependency to a top-level dependency.

Intended users

User experience goal

Proposal

Show the paths connecting a (vulnerable) dependency to top-level dependencies either as a graph or a list.

TBD: Choose between showing the paths and showing a dependency graph.

Show the paths where there's enough space for that:

  • in the vulnerability object page (Security Dashboard), after implementing #219093 (closed)
  • in the vulnerability modal view (Merge Request), after implementing #219095 (closed)
  • in a pop-in window, when clicking on a component location (Dependency List)

TBD: Specify in which contexts the multiple paths are shown.

The Dependency Scanning report format needs to be revisited so that it can carry the full dependency graph of any lock file (or equivalent). Alternatively, we might decide to introduce a new report that represents the Bill of Materials, and contains the full dependency graph.

TBD: Decide if we extend the Dependency Scanning report format or introduce a new type of artifact.
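As an added illustration (not GitLab's code, and not how its Dependency Scanning analyzers are implemented), the following Python walks a constructed, lock-file-style dependency map and lists every path from the project's top-level dependencies to a flagged component, grouping them by the top-level dependency that pulls it in; all package names are invented.

```python
from collections import defaultdict

# Constructed sample: a lock-file-style map of package -> direct dependencies.
# Package names are invented for illustration, not taken from any real project.
LOCKFILE = {
    "web-app": ["http-client", "template-engine", "logger"],  # the project's top-level deps
    "http-client": ["url-parser", "logger"],
    "template-engine": ["html-escape", "url-parser"],
    "logger": ["ansi-colors"],
    "ansi-colors": ["logger"],  # deliberate cycle, as real lock files can contain
    "url-parser": ["punycode-compat"],
    "html-escape": [],
    "punycode-compat": [],
}
ROOT = "web-app"
VULNERABLE = "punycode-compat"  # the component a scanner flagged (constructed)


def all_paths(graph, root, target):
    """Return every simple path root -> ... -> target, each as a list of package names.

    Depth-first search that tracks the packages already on the current path, so
    dependency cycles terminate instead of recursing forever.
    """
    paths = []

    def walk(node, path, on_path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep in on_path:  # cycle: skip a package already on this path
                continue
            walk(dep, path + [dep], on_path | {dep})

    walk(root, [root], {root})
    return paths


def affected_top_level(graph, root, target):
    """Group paths by the top-level dependency they start from: these are the
    direct dependencies to upgrade or replace to drop the vulnerable component."""
    by_top = defaultdict(list)
    for path in all_paths(graph, root, target):
        if len(path) < 2:  # target is the root itself; no top-level dependency involved
            continue
        by_top[path[1]].append(" > ".join(path[1:]))
    return dict(by_top)
```

On the sample, `affected_top_level(LOCKFILE, ROOT, VULNERABLE)` yields one chain each for `http-client` and `template-engine`, both reaching `punycode-compat` through `url-parser`, which is exactly the "all paths" view this issue proposes.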

Further details

Permissions and Security

N/A

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

No

Links / references

Edited by Fabien Catteau