Add vulnerable dependency path to Dependency Scanning report schema
Problem to solve
The Dependency Scanning report format doesn't make it possible to tell how a transitive dependency affected by a vulnerability relates to the top-level dependencies that users maintain in the project's dependency files.
Intended users
User experience goal
Proposal
Extend the Dependency Scanning report schema, and add new JSON fields so that the relationship between a vulnerable transitive dependency and the top-level dependencies can be described.
The dependency path can be added to the definition of a dependency. This definition is currently used in the location of a Dependency Scanning vulnerability, and in the definition of a dependency file.
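As an added illustration (not part of this issue, the gemnasium analyzer, or the released schema), the fragment below shows one way the proposed path could be expressed: each entry of a dependency file carries a `dependency_path` listing the dependencies that pull it in, by reference to their entries in the same file, and a small helper resolves a vulnerability's location into a readable top-level-to-leaf chain. The field names `iid`, `direct` and `dependency_path`, and the package names, are assumptions.

```python
import json

# Constructed report fragment shaped like a Dependency Scanning report with the
# proposed fields; field and package names are assumptions for illustration.
SAMPLE_REPORT = json.loads("""
{
  "dependency_files": [{
    "path": "package-lock.json",
    "dependencies": [
      {"iid": 1, "package": {"name": "top-level-lib"}, "version": "2.0.0",
       "direct": true, "dependency_path": []},
      {"iid": 2, "package": {"name": "middle-lib"}, "version": "1.4.0",
       "direct": false, "dependency_path": [{"iid": 1}]},
      {"iid": 3, "package": {"name": "leaf-lib"}, "version": "0.9.1",
       "direct": false, "dependency_path": [{"iid": 1}, {"iid": 2}]}
    ]
  }],
  "vulnerabilities": [{
    "id": "CONSTRUCTED-FINDING-1",
    "message": "constructed finding in leaf-lib",
    "location": {
      "file": "package-lock.json",
      "dependency": {"package": {"name": "leaf-lib"}, "version": "0.9.1",
                     "iid": 3, "direct": false,
                     "dependency_path": [{"iid": 1}, {"iid": 2}]}
    }
  }]
}
""")


def resolve_paths(report):
    """Map each vulnerability id to 'top-level -> ... -> vulnerable dependency'."""
    # Index every dependency file by path, then its entries by iid, so that a
    # dependency_path step can be looked up in the file the finding points at.
    index = {df["path"]: {d["iid"]: d for d in df["dependencies"]}
             for df in report.get("dependency_files", [])}
    chains = {}
    for vuln in report.get("vulnerabilities", []):
        loc = vuln["location"]
        dep = loc["dependency"]
        deps_in_file = index.get(loc["file"], {})
        names = []
        for step in dep.get("dependency_path", []):
            entry = deps_in_file.get(step["iid"])
            if entry is None:  # a dangling reference means a malformed report
                raise ValueError(f"unknown iid {step['iid']} in {loc['file']}")
            names.append(f"{entry['package']['name']}@{entry['version']}")
        names.append(f"{dep['package']['name']}@{dep['version']}")
        chains[vuln["id"]] = " -> ".join(names)
    return chains
```

Because the path is stored as references rather than copied names and versions, a consumer can also flag reports whose path points at an entry that does not exist in the dependency file.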
Implementation plan
- open an MR to update the Dependency Scanning report schema and/or the definitions of the Security report schema, and release a new version of the Dependency Scanning report schema
Further details
The new JSON fields will be leveraged by the gemnasium analyzer when reporting vulnerabilities, and processed by the backend and frontend in order to show the dependency path to vulnerable dependencies, as described in #227620 (closed). It should be possible to report at least one dependency path per vulnerable dependency.
Permissions and Security
N/A
Documentation
We might have to document the new fields in the Dependency Scanning JSON format docs unless we decide to Remove Response JSON format samples from Secure report docs.
Availability & Testing
N/A
What does success look like, and how can we measure that?
The Dependency Scanning analyzer can accurately report where the vulnerable dependency is located in the dependency graph.
What is the type of buyer?
Is this a cross-stage feature?
No