Show one `introduced package` on the finding details page
Release notes
Problem to solve
As a developer checking a vulnerable dependency, I want to know which top-level dependencies cause the vulnerable component to be installed in my project, so that I can better assess the threat and possibly take action.
It's important that I see all dependency paths, to establish in which contexts the security flaw can be exploited and to better assess the risk.
Proposal
Show one introduced package. #348531 (closed)
- Update Gemnasium to infer one introduced package from the shortest dependency path, and to add it as a single vulnerability `details` field (string).
- There's nothing to show when the vulnerable package is the introduced package.
- Available for Sbt, NuGet, and Yarn.
- gemnasium and gemnasium-maven are updated.
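As an added example (not gemnasium's own code), the following shows how the shortest-path inference described in the proposal selects the introduced package: a breadth-first search seeded with the project's top-level dependencies, taking the first node of the shortest path to the vulnerable package, and returning nothing when the vulnerable package is itself top-level. `DependencyGraph`, `ShortestPath`, `IntroducedPackage` and `SampleGraph` are hypothetical names, and the graph data is constructed.

```go
package main

// DependencyGraph is a constructed stand-in for a resolved lockfile: Edges maps
// a package to its direct dependencies, Roots are the top-level dependencies.
type DependencyGraph struct {
	Edges map[string][]string
	Roots []string
}

// ShortestPath: breadth-first search seeded with every root, so the first
// time target is dequeued the chain root -> ... -> target is the shortest one.
func (g DependencyGraph) ShortestPath(target string) []string {
	parent, queue := map[string]string{}, []string{}
	for _, r := range g.Roots {
		parent[r] = "" // roots have no parent; "" terminates the walk back
		queue = append(queue, r)
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g.Edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil // not reachable from any root
}

// IntroducedPackage is the first node of the shortest path. It returns "" when
// the vulnerable package is itself top-level (nothing to show) or unreachable.
func IntroducedPackage(g DependencyGraph, vulnerable string) string {
	if path := g.ShortestPath(vulnerable); len(path) > 1 {
		return path[0]
	}
	return ""
}
// SampleGraph is constructed sample data, not a real project's lockfile.
func SampleGraph() DependencyGraph {
	return DependencyGraph{Roots: []string{"express", "lodash"},
		Edges: map[string][]string{"express": {"body-parser", "qs"}, "body-parser": {"qs"}}}
}
```

With the sample graph, `IntroducedPackage(SampleGraph(), "qs")` yields `express`, because the direct edge `express -> qs` is shorter than `express -> body-parser -> qs`.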
Further details
Implementation plan
- gemnasium
  - update `convert/file_converter.go` to use the path used by `shortestPath` and pick the first item in that node list
  - update `convert/vulnerability_converter.go` to add a `DetailsText` for the introducer package
  - release gemnasium
- update gemnasium-python, gemnasium-maven
  - add new report version to `go.mod`
  - checkout the new version of gemnasium
  - update expected reports with new data
  - release new version of analyzer
Availability & Testing
- unit tests
  - gemnasium
- integration tests
  - gemnasium
  - gemnasium-python
  - gemnasium-maven
Is this a cross-stage feature?
Category: Vulnerability Management
Links / references
Edited by Igor Frenkel