Design: Post-MVC Group/Sub-group level Dependency List
Proposal
Extend the functionality and usability of the Group-level Dependency List MVC to include the following requirements:
- Introduce a column for the License (filtering by license included in Dependency list filtering and searching (&8089))
- Consider including license type, copyright, homepage, and author; see Enrich license data reported in the dependency ... (#431919) (may need further problem validation)
- Introduce vulnerabilities column, where vulnerabilities are listed using "X critical, X high, and X other" pattern (filtering by severity included in Dependency list filtering and searching (&8089))
- When vulnerability count is clicked, navigate to the project-level Vulnerability Report with component filter auto-applied.
- Introduce sorting by severity (components with the most critical vulnerabilities first)
- Introduce an info badge showing the most recent published version of the component, so users can see how far behind their version is. On hover, list how many newer versions are available.
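As an added example (not GitLab's code and not part of this proposal), the Python below builds the three proposed columns from constructed sample data: the "X critical, X high, and X other" text, the severity sort order (most critical first), and the latest-version badge with its "N newer versions" hover count, plus the component filter the clickable count should carry to the project-level report. The record shapes, the package-index data and the numeric-only version comparison are assumptions.

```python
from collections import Counter

# Constructed sample rows (not GitLab's schema): one entry per component
# version found by dependency scanning, with the findings attached to it.
SAMPLE_DEPENDENCIES = [
    {"name": "log4j-core", "version": "2.14.1", "project": "billing",
     "vulns": [{"severity": "critical"}, {"severity": "high"}, {"severity": "medium"}]},
    {"name": "lodash", "version": "4.17.15", "project": "web",
     "vulns": [{"severity": "high"}, {"severity": "high"}, {"severity": "low"}]},
    {"name": "requests", "version": "2.25.1", "project": "web", "vulns": []},
]

# Constructed sample of the versions a package index reports as published.
SAMPLE_AVAILABLE = {
    "log4j-core": ["2.12.4", "2.14.1", "2.15.0", "2.16.0", "2.17.1"],
    "lodash": ["4.17.15", "4.17.20", "4.17.21"],
    "requests": ["2.25.1"],
}


def severity_counts(vulns):
    """Bucket findings into critical, high and 'other' (everything else,
    including an unknown/missing severity, so nothing silently drops out)."""
    counts = Counter(v.get("severity", "unknown").lower() for v in vulns)
    critical = counts.pop("critical", 0)
    high = counts.pop("high", 0)
    return {"critical": critical, "high": high, "other": sum(counts.values())}


def severity_label(vulns):
    """Render the proposed 'X critical, X high, and X other' column text."""
    n = severity_counts(vulns)
    return f"{n['critical']} critical, {n['high']} high, and {n['other']} other"


def severity_sort_key(dep):
    """Most critical first, then most high, then most other; name breaks ties."""
    n = severity_counts(dep["vulns"])
    return (-n["critical"], -n["high"], -n["other"], dep["name"])


def parse_version(version):
    """Numeric dotted versions only (assumption; real ecosystems need a
    semver / PEP 440 / Maven-aware comparison instead of this)."""
    return tuple(int(part) for part in version.split("."))


def versions_behind(current, available):
    """Latest published version and how many published versions are newer
    than `current` (the badge text and its hover count)."""
    newer = sorted({v for v in available if parse_version(v) > parse_version(current)},
                   key=parse_version)
    latest = newer[-1] if newer else current
    return latest, len(newer)


def build_rows(deps=SAMPLE_DEPENDENCIES, available=SAMPLE_AVAILABLE):
    """Produce the dependency list rows in the proposed display order."""
    rows = []
    for dep in sorted(deps, key=severity_sort_key):
        latest, newer = versions_behind(dep["version"], available.get(dep["name"], []))
        rows.append({
            "component": dep["name"],
            "version": dep["version"],
            "project": dep["project"],
            "vulnerabilities": severity_label(dep["vulns"]),
            "latest_version": latest,
            "newer_versions": newer,
            # Filter the clickable count should carry to the project-level
            # vulnerability report; the actual link format is left to the UI.
            "report_filter": {"project": dep["project"], "component": dep["name"]}
            if dep["vulns"] else None,
        })
    return rows


if __name__ == "__main__":
    for row in build_rows():
        print(f"{row['component']:<12} {row['version']:<8} {row['vulnerabilities']:<32} "
              f"latest {row['latest_version']} (+{row['newer_versions']} newer)")
```

Two choices worth noting: findings with a missing or unexpected severity land in "other" rather than vanishing from the count, and the sort key is a tuple so that a component with one critical finding outranks one with ten high findings, which is the ordering the proposal asks for.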
User stories
As a sec engineer, I want to...
- ...see whether we're using a dependency in an insecure way, even when it has no known vulnerabilities.
- ...see the minimum version I need to upgrade to in order to make any associated vulnerabilities go away.
- ...see where a large number of vulnerabilities is associated with a single component
- ...answer why we have so many different versions of one component. (Can we consolidate them?)
- ...search for a specific dependency to see if we use this and where
- ...compare the current dependency version with the most recent version - how out of date is this dependency?
- ...know what I don't know. For example, I search for Log4j and nothing comes up: is that because we don't use it, or because dependency scanning isn't set up in some projects, so we're using it and I don't know about it?
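As an added example (not GitLab's code and not part of this issue), the Python below answers four of the user stories above against a constructed inventory: the minimum version that clears every open finding on a dependency, which versions of a component are in use and where, a name search, and the "know what I don't know" check that reports which projects never produced a dependency report. The record shapes, the finding ids, the fix-version data and the numeric-only version comparison are assumptions.

```python
# Constructed inventory (not GitLab's schema): one row per project/component/
# version found by dependency scanning. Finding ids are made up; "fixed_in"
# is the first version that fixes the finding, None if no fix is published.
INVENTORY = [
    {"project": "billing", "name": "log4j-core", "version": "2.14.1",
     "vulns": [{"id": "V-1", "fixed_in": "2.17.1"}, {"id": "V-2", "fixed_in": "2.16.0"}]},
    {"project": "web", "name": "log4j-core", "version": "2.12.1",
     "vulns": [{"id": "V-1", "fixed_in": "2.17.1"}, {"id": "V-2", "fixed_in": "2.16.0"},
               {"id": "V-3", "fixed_in": "2.12.4"}]},
    {"project": "web", "name": "lodash", "version": "4.17.15",
     "vulns": [{"id": "V-4", "fixed_in": None}]},
    {"project": "api", "name": "lodash", "version": "4.17.21", "vulns": []},
]

# Every project in the group, including ones that never produced a dependency
# report (constructed).
ALL_PROJECTS = ["api", "billing", "mobile", "web"]


def parse_version(version):
    """Numeric dotted versions only (assumption; use an ecosystem-aware
    comparison for real data)."""
    return tuple(int(part) for part in version.split("."))


def upgrade_target(dep):
    """Minimum version that clears every open finding on this dependency.

    Returns ("clean", None) when there is nothing to fix, ("upgrade", version)
    with the highest of the per-finding fix versions (anything lower leaves at
    least one finding open), or ("no_fix", [ids]) when some finding has no
    published fix, because then no version is a complete remediation.
    """
    if not dep["vulns"]:
        return ("clean", None)
    unfixed = [v["id"] for v in dep["vulns"] if v["fixed_in"] is None]
    if unfixed:
        return ("no_fix", unfixed)
    return ("upgrade", max((v["fixed_in"] for v in dep["vulns"]), key=parse_version))


def matches(dep, query):
    """Case-insensitive substring search on the component name."""
    return query.lower() in dep["name"].lower()


def versions_in_use(inventory, query):
    """Each version of a matching component and the projects pinning it
    (answers 'do we use this, where, and why so many versions?')."""
    found = {}
    for dep in inventory:
        if matches(dep, query):
            found.setdefault(dep["version"], []).append(dep["project"])
    return dict(sorted(found.items(), key=lambda item: parse_version(item[0])))


def search_with_coverage(inventory, all_projects, query):
    """A search that returns nothing is only conclusive for projects that
    actually reported dependencies; list the ones that did not."""
    scanned = {dep["project"] for dep in inventory}
    used_in = sorted({dep["project"] for dep in inventory if matches(dep, query)})
    return {"used_in": used_in, "unscanned": sorted(set(all_projects) - scanned)}


if __name__ == "__main__":
    for dep in INVENTORY:
        print(dep["project"], dep["name"], dep["version"], upgrade_target(dep))
    print(versions_in_use(INVENTORY, "log4j"))
    print(search_with_coverage(INVENTORY, ALL_PROJECTS, "log4j"))
```

The upgrade target is the maximum of the per-finding fix versions, not the minimum: upgrading to the lowest fix clears one finding and leaves the rest open. A finding with no published fix is reported separately rather than silently excluded, since an "upgrade to X" answer would otherwise be wrong. The coverage check is what turns an empty search result into "not found in the scanned projects; mobile has no report" instead of a false "we don't use it".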
Questions
- How might we incorporate the problem to solve in Automatically notify and update dependencies?
We are working to automatically remediate dependencies with a security vulnerability, but there is also value in notifying users and potentially automatically updating dependencies which are simply out of date.
This is helpful for a few reasons:
- If you let a dependency get very far out of date, upgrading becomes time intensive and risky.
- For some libraries, security fixes ship without a CVE being issued or without reaching the vulnerability feeds, so a scanner keyed on published vulnerabilities never flags them.
It would be great to have a service which performed this function, and not just for dependency versions with a published vulnerability.
See related epic.
Adding this user story:
- As a sec engineer, I want the tool to automatically create an MR to update a dependency when one is available, so that I can avoid a lot of manual work in finding which ones are out of date and having to create the MR myself.
Future iteration
- If a license security policy is in place, show a violation icon next to the license name. When clicked, this badge should link to the policies page.
Edited by Becka Lippert