
Evaluate if we can deliver text only dependency path information

Based on the discussions here, this new text-only MVC was proposed in this issue here.

To do this work we need to know four pieces of information:

  1. Vulnerable package
  2. Introduced package
  3. shortest path
  4. longest path

Consider the outcome of the dependencies research on data additions here, and let me know how many issues we need in order to add all four of those data points, and what prerequisites and blockers you know of that will prevent us from starting to add those four data points.

Additionally, do you see other information that is needed, and that we don't yet have, to accomplish this issue?

Outcome

In the MVC, we deliver text-only dependency path information in the vulnerability page by leveraging:

  • The vulnerability details field of the Dependency Scanning report.
  • The dependency graph Gemnasium builds in memory. This graph is already available for NuGet, Sbt, and Yarn projects, and is already used to generate the dependency_path field of the Dependency Scanning report. (This is one of the shortest dependency paths to the vulnerable dependency.)

Issues for the MVC:

  1. Show the vulnerable package. #348530 (closed)
    • Update Gemnasium to add the name and version of the affected package as a single vulnerability details field (string). Technically, this information is already available in the location field, and repeating it in the details field will make it visible in the Vulnerability Page without changing the backend or the frontend.
    • Available for all package managers supported by Gemnasium (gemnasium, gemnasium-maven, or gemnasium-python).
    • gemnasium, gemnasium-maven, and gemnasium-python are all updated.
  2. Show one introduced package. #348531 (closed)
    • Update Gemnasium to infer one introduced package from the shortest dependency path, and to add it as a single vulnerability details field (string).
    • There's nothing to show when the vulnerable package is the introduced package.
    • Available for Sbt, NuGet, and Yarn.
    • gemnasium and gemnasium-maven are updated.
  3. Show one shortest path. #348532 (closed)
    • Update Gemnasium to add the shortest path to the vulnerability details field of the report. This repeats the existing dependency_path field. The value of the details can either be a single string or an array of strings.
    • There's nothing to show when the vulnerable package is the introduced package, or its direct dependency.
    • Available for Sbt, NuGet, and Yarn.
    • gemnasium and gemnasium-maven are updated.
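The three MVC fields above are all derived from the in-memory dependency graph, so here is an added illustration (example code, not Gemnasium's own implementation) of how they are inferred: BFS from the project root gives one shortest path, its first hop is the introduced package, and the fields are omitted in exactly the cases where the issues say there is nothing to show. It goes one step beyond the MVC by also computing one longest path, and the package names, versions and graph are constructed sample data, not from the issue.

```python
from collections import deque

# Constructed sample graph: "." is the project; each package maps to the packages it requires.
GRAPH = {
    ".": ["web-framework@2.1.0", "logger@1.4.0"],
    "web-framework@2.1.0": ["http-client@3.0.1", "template-engine@0.9.2"],
    "logger@1.4.0": ["http-client@3.0.1"],
    "http-client@3.0.1": ["url-parser@1.0.0"],
    "template-engine@0.9.2": ["markup@1.2.0"],
    "markup@1.2.0": ["url-parser@1.0.0"],
    "url-parser@1.0.0": [],
}

def shortest_path(graph, root, target):
    """BFS from the project root; returns root -> target (root excluded), or None if unreachable."""
    parent = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node != root:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for dep in graph.get(node, []):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return None

def longest_path(graph, root, target):
    """DFS over simple paths (dependency graphs are acyclic); returns one longest root -> target path."""
    best = None
    def walk(node, path):
        nonlocal best
        if node == target:
            if best is None or len(path) > len(best):
                best = list(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:
                walk(dep, path + [dep])
    walk(root, [])
    return best

def details_fields(graph, root, vulnerable):
    """Text-only details fields; a field is left out when it would carry no information."""
    path = shortest_path(graph, root, vulnerable)
    if path is None:
        raise ValueError(f"{vulnerable} is not reachable from the project")
    fields = {"vulnerable_package": vulnerable}
    if path[0] != vulnerable:  # nothing to show when the vulnerable package is the introduced one
        fields["introduced_package"] = path[0]
    if len(path) > 2:  # nothing to show when it is introduced directly or is a direct dependency
        fields["shortest_path"] = path
        fields["longest_path"] = longest_path(graph, root, vulnerable)
    return fields
```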

Possible post-MVC issues:

  • Extend dependency graph support to other package managers, beyond Sbt, NuGet, and Yarn. (The vulnerable package, introduced package, and shortest path details fields are immediately available for any package manager for which Gemnasium builds an internal dependency graph.)
  • Introduce a new dependency graph artifact, created by Gemnasium and parsed by the Rails backend.
  • Present the graph that connects a vulnerable package to the project itself, in the UI. This graph could be interactive, presented with colors, etc.
  • Show one longest path to the vulnerable package, or some kind of complexity score that gives a sense of how much the project is connected to the vulnerable package.
  • Show all introduced packages in the Vulnerability Page. Update Gemnasium to infer all the introduced packages from the internal dependency graph, and to add them to the vulnerability details field.

See thread.

Edited by Nicole Schwartz