
Show one `introduced package` on the finding details page

Release notes

Problem to solve

As a developer checking a vulnerable dependency, I want to know which top-level dependencies cause the vulnerable component to be installed in my project, so that I can better assess the threat and possibly take action.

It's important that I see all dependency paths to establish in which contexts the security flaw can be exploited, and better assess the risk.

Proposal

Show one introduced package. #348531 (closed)

  • Update Gemnasium to infer one introduced package from the shortest dependency path, and to add it as a single vulnerability details field (string).
  • There's nothing to show when the vulnerable package is itself the introduced package, i.e. a direct, top-level dependency of the project.
  • Available for Sbt, NuGet, and Yarn.
  • gemnasium and gemnasium-maven are updated.

Further details

UX

Implementation plan

  • gemnasium
    • update convert/file_converter.go to reuse the path computed by shortestPath and pick the first item in that node list as the introduced package
    • update convert/vulnerability_converter.go to add a DetailsText field carrying the introduced package
    • release gemnasium
  • update gemnasium-python, gemnasium-maven
    • add new report version to go.mod
    • checkout the new version of gemnasium
    • update expected reports with new data
    • release new version of analyzer
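The plan above (shortest dependency path, first node after the project root, nothing to show for a direct dependency) in working Go, as an added illustration of the logic rather than gemnasium's own code. The `Graph`, `shortestPath`, `IntroducedPackage` and `Detail` names, the `Detail` struct shape, and the yarn-style sample graph are all constructed for this example and are not gemnasium's types or fixtures:

```go
package main

import (
	"fmt"
	"strings"
)

// Graph is an adjacency list: package -> packages it depends on.
// Hypothetical type for this example; gemnasium's graph representation differs.
type Graph map[string][]string

// shortestPath returns the shortest chain root -> ... -> target found by BFS,
// including both endpoints, or nil when target is unreachable. Lockfile graphs
// are usually acyclic, but the visited set also protects against cycles.
func shortestPath(g Graph, root, target string) []string {
	if root == target {
		return []string{root}
	}
	prev := map[string]string{}
	visited := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, dep := range g[cur] {
			if visited[dep] {
				continue
			}
			visited[dep] = true
			prev[dep] = cur
			if dep == target {
				// Walk the predecessor links back to the root to rebuild the path.
				path := []string{target}
				for n := target; n != root; {
					n = prev[n]
					path = append([]string{n}, path...)
				}
				return path
			}
			queue = append(queue, dep)
		}
	}
	return nil
}

// IntroducedPackage returns the top-level dependency through which the
// vulnerable package is pulled in: the first node after the root on the
// shortest path. It returns "" when the vulnerable package is itself a
// direct dependency (path is just root -> vulnerable) or is unreachable,
// which is exactly the "nothing to show" case from the proposal.
func IntroducedPackage(g Graph, root, vulnerable string) string {
	path := shortestPath(g, root, vulnerable)
	if len(path) < 3 {
		return ""
	}
	return path[1]
}

// Detail stands in for a single text field on the vulnerability details.
// Hypothetical shape; not gemnasium's DetailsText.
type Detail struct {
	Name  string
	Type  string
	Value string
}

// IntroducedDetail builds the details field, or nil when there is nothing to show.
func IntroducedDetail(g Graph, root, vulnerable string) *Detail {
	pkg := IntroducedPackage(g, root, vulnerable)
	if pkg == "" {
		return nil
	}
	return &Detail{Name: "Introduced package", Type: "text", Value: pkg}
}

// sampleGraph is a constructed dependency graph modelled on a yarn.lock;
// "." denotes the project itself. Package names are placeholders only.
func sampleGraph() Graph {
	return Graph{
		".":           {"webpack", "lodash", "express"},
		"webpack":     {"terser", "minimatch"},
		"express":     {"body-parser", "qs"},
		"body-parser": {"qs"},
		"terser":      {"source-map"},
	}
}

func main() {
	g := sampleGraph()
	fmt.Println(strings.Join(shortestPath(g, ".", "qs"), " > "))
	fmt.Printf("qs introduced by %q\n", IntroducedPackage(g, ".", "qs"))
	fmt.Printf("lodash introduced by %q (direct dependency, nothing to show)\n", IntroducedPackage(g, ".", "lodash"))
	if d := IntroducedDetail(g, ".", "source-map"); d != nil {
		fmt.Printf("%s: %s\n", d.Name, d.Value)
	}
}
```

Note that `qs` is reachable both directly under `express` and via `body-parser`; BFS returns the two-hop path, so only `express` is reported. That is the trade-off the proposal accepts: a single string from the shortest path, not the full set of paths the problem statement asks for.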

Availability & Testing

  • unit tests
    • gemnasium
  • integration tests
    • gemnasium
    • gemnasium-python
    • gemnasium-maven

Is this a cross-stage feature?

Category:Vulnerability Management

Links / references

Edited by Igor Frenkel