Show `vulnerable package` on the finding details page
Problem to solve
As a developer checking a vulnerable dependency, I want to know which top-level dependencies cause the vulnerable component to be installed in my project, so that I can better assess the threat and possibly take action.
It's important that I see all dependency paths to establish in which contexts the security flaw can be exploited, and better assess the risk.
Proposal
Show the vulnerable package. #348530 (closed)
- Update Gemnasium to add the name and version of the affected package as a single vulnerability `details` field (string). Technically, this information is already available in the `location` field, and repeating it in the `details` field will make it visible in the Vulnerability Page without changing the backend or the frontend.
- Available for all package managers supported by Gemnasium (gemnasium, gemnasium-maven, or gemnasium-python).
- gemnasium, gemnasium-maven, and gemnasium-python are all updated.
We need to add a `details` field to each vulnerability in the report. Example:
```json
{
  "vulnerabilities": [
    {
      "category": "dependency_scanning",
      "name": "Vulnerabilities in libxml2123",
      "message": "Vulnerabilities in libxml2 in nokogiri",
      "description": " The version of libxml2 packaged with Nokogiri (CVE-2017-9049, CVE-2017-9050)",
      "cve": "rails/Gemfile.lock:nokogiri:gemnasium:06565b64-486d-4326-b906-890d9915804d1234",
      "severity": "High",
      "solution": "Upgrade to latest version.",
      "scanner": {
        "id": "gemnasium",
        "name": "Gemnasium"
      },
      "details": {
        "package": {
          "name": "Vulnerable package",
          "type": "text",
          "value": "nokogiri:1.8.0"
        }
      },
      "location": {
        "file": "rails/Gemfile.lock",
        "dependency": {
          "package": {
            "name": "nokogiri"
          },
          "version": "1.8.0"
        }
      }
    }
  ]
}
```
Implementation plan
- Add a generic `Details` struct to `Vulnerability`.
- Update the DependencyScanning `ToVulnerability` to fill `Details` with a `DetailsPackage` struct that contains the following data: `"name": "Vulnerable package"`, `"type": "text"`, `"value": "{location.package}:{location.version}"`.
- Update tests.
- Release a new version of report.
- For each analyzer in {gemnasium, gemnasium-maven, gemnasium-python}:
  - use the new report version in go.mod
  - regenerate tests in qa/expect to include the new `details` field
  - release a new analyzer version
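As an added illustration of the plan above (not code from the gemnasium analyzers or the report package), the following Go snippet derives a `details.package` entry from `location.dependency`; the struct names, the handling of a missing name or version, and the `ToJSON` helper are assumptions.

```go
package main
import "encoding/json"

// Trimmed-down report types; the field layout follows the JSON example above.
type Package struct {
	Name string `json:"name"`
}
type Dependency struct {
	Package Package `json:"package"`
	Version string  `json:"version"`
}
type Location struct {
	File       string     `json:"file"`
	Dependency Dependency `json:"dependency"`
}
// DetailsPackage is the proposed "text" detail that surfaces the vulnerable package.
type DetailsPackage struct {
	Name  string `json:"name"`
	Type  string `json:"type"`
	Value string `json:"value"`
}
// Details is the generic details object; only "package" is populated here.
type Details struct {
	Package *DetailsPackage `json:"package,omitempty"`
}
type Vulnerability struct {
	Location Location `json:"location"`
	Details  *Details `json:"details,omitempty"`
}

// FillDetails derives details.package from location.dependency, as the plan proposes. A finding
// without a package name gets no details field (rather than ":1.8.0") and a missing version yields
// the bare name; both choices are assumptions, not stated on the page.
func FillDetails(v *Vulnerability) {
	dep := v.Location.Dependency
	if dep.Package.Name == "" {
		return
	}
	value := dep.Package.Name
	if dep.Version != "" {
		value += ":" + dep.Version
	}
	v.Details = &Details{Package: &DetailsPackage{Name: "Vulnerable package", Type: "text", Value: value}}
}

// ToJSON renders the finding the way it would appear in the report.
func ToJSON(v Vulnerability) (string, error) {
	out, err := json.MarshalIndent(v, "", "  ")
	return string(out), err
}
```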
Category: Vulnerability Management