
Show `vulnerable package` on the finding details page

Release notes

Problem to solve

As a developer checking a vulnerable dependency, I want to know what are the top-level dependencies causing the vulnerable component to be installed in my project, so that I can better assess the threat and possibly take action.

It's important that I see all dependency paths to establish in which contexts the security flaw can be exploited, and better assess the risk.

Proposal

Show the vulnerable package. #348530 (closed)

  • Update Gemnasium to add the name and version of the affected package as a single vulnerability details field (string). Technically, this information is already available in the location field, and repeating it in the details field will make it visible in the Vulnerability Page without changing the backend or the frontend.
  • Available for all package managers supported by Gemnasium (gemnasium, gemnasium-maven, or gemnasium-python).
  • gemnasium, gemnasium-maven, and gemnasium-python are all updated.

We need to add a details field to each vulnerability in the report. Example:

"vulnerabilities": [
    {
      "category": "dependency_scanning",
      "name": "Vulnerabilities in libxml2123",
      "message": "Vulnerabilities in libxml2 in nokogiri",
      "description": "  The version of libxml2 packaged with Nokogiri (CVE-2017-9049, CVE-2017-9050)",
      "cve": "rails/Gemfile.lock:nokogiri:gemnasium:06565b64-486d-4326-b906-890d9915804d1234",
      "severity": "High",
      "solution": "Upgrade to latest version.",
      "scanner": {
        "id": "gemnasium",
        "name": "Gemnasium"
      },
      "details": {
        "package": {
          "name": "Vulnerable package",
          "type": "text",
          "value": "nokogiri:1.8.0"
        }
      },
      "location": {
        "file": "rails/Gemfile.lock",
        "dependency": {
          "package": {
            "name": "nokogiri"
          },
          "version": "1.8.0"
        }
      }
    }
]

Implementation plan

  1. Add a generic Details struct to Vulnerability.
  2. Update the DependencyScanning ToVulnerability function to fill Details with a DetailsPackage struct containing the following data: "name": "Vulnerable package", "type": "text", "value": {location.package:location.version}
  3. Update tests.
  4. Release a new version of the report module.
  5. For each analyzer in {gemnasium, gemnasium-maven, gemnasium-python}:
     • Use the new report version in go.mod.
     • Regenerate the tests in qa/expect to include the new details field.
     • Release a new analyzer version.
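Step 2 of the plan as a worked example in Go, added here and not taken from the analyzers' own code base. The struct names and the FillVulnerablePackage helper are assumptions; only the JSON field names and the sample values come from the example report above.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// DetailsPackage is the proposed "text" detail carrying "<package>:<version>".
type DetailsPackage struct {
	Name  string `json:"name"`
	Type  string `json:"type"`
	Value string `json:"value"`
}

// Vulnerability is trimmed to the fields this example needs (assumption); location follows the example report above.
type Vulnerability struct {
	Details  map[string]DetailsPackage `json:"details,omitempty"`
	Location struct {
		File       string `json:"file"`
		Dependency struct {
			Package struct {
				Name string `json:"name"`
			} `json:"package"`
			Version string `json:"version"`
		} `json:"dependency"`
	} `json:"location"`
}

// FillVulnerablePackage implements step 2 of the plan: derive details.package
// from location. It returns false and adds nothing when the package name or
// version is missing, so a half-empty "nokogiri:" value never reaches the UI.
func FillVulnerablePackage(v *Vulnerability) bool {
	name, version := v.Location.Dependency.Package.Name, v.Location.Dependency.Version
	if name == "" || version == "" {
		return false
	}
	if v.Details == nil {
		v.Details = map[string]DetailsPackage{}
	}
	v.Details["package"] = DetailsPackage{Name: "Vulnerable package", Type: "text", Value: name + ":" + version}
	return true
}

func main() {
	var v Vulnerability // constructed sample matching the example report above
	v.Location.File, v.Location.Dependency.Package.Name, v.Location.Dependency.Version = "rails/Gemfile.lock", "nokogiri", "1.8.0"
	FillVulnerablePackage(&v)
	out, _ := json.MarshalIndent(v, "", "  ")
	fmt.Println(string(out))
}
```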

Further details

UX

Availability & Testing

Is this a cross-stage feature?

Category:Vulnerability Management

Links / references

Edited by Tetiana Chupryna