Update fingerprinting method to prevent findings from re-opening under a new location
Glossary
- canonical name: The human-readable name used to refer to a dependency when installing it. An example of this is the usage of `Django` instead of `django`, the former being the canonical name.
- normalized name: The machine-readable name used when installing a dependency. An example of this is `django` instead of `Django`, the former being the normalized name.
- drift: The act of a vulnerability appearing as resolved but opening again elsewhere. An example of this would be a vulnerability for `Django CVE-2023-00001` appearing as resolved, and a new one opening up as `django CVE-2023-00001`.
Why are we doing this work
During the implementation of Enable development dependency scanning in pipen... (#375505 - closed), it was discovered that using the normalized names of a dependency in a vulnerability would create a duplicate entry if the vulnerability initially used the canonical name.
This is a critical change because an immaterial name change would cause vulnerabilities to drift. For example, the Python package names `Django` and `django` resolve to the same package, so a dependency change between them should not produce a duplicate finding. Vulnerability drift adds noise to the vulnerability report and blurs vulnerability histories, so it should be avoided whenever possible.
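The following is an added example, not the project's own fingerprinting code, illustrating the drift described above and in the glossary. It assumes a finding is identified by a package name, an advisory identifier, and a file location (a simplification; the real fingerprint may include more fields), and uses PEP 503 name normalization (lowercase, runs of `-`, `_` and `.` collapsed to `-`) so that `Django` and `django` produce the same fingerprint. The two scans are constructed input.

```python
import hashlib
import re

# Constructed input: a finding is (package name as written, advisory identifier, location).
# The first scan saw the canonical name; the second scan saw the normalized name for
# the same package and the same advisory. Nothing material changed.
PREVIOUS_SCAN = [("Django", "CVE-2023-00001", "requirements.txt")]
CURRENT_SCAN = [("django", "CVE-2023-00001", "requirements.txt")]


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase and collapse runs of '-', '_', '.' to '-'.

    'Django' -> 'django', 'zope.interface' -> 'zope-interface'.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def naive_fingerprint(package_name: str, identifier: str) -> str:
    """Fingerprint built from the name as spelled: 'Django' and 'django' differ (drifts)."""
    return hashlib.sha256(f"{package_name}:{identifier}".encode()).hexdigest()


def normalized_fingerprint(package_name: str, identifier: str) -> str:
    """Fingerprint built from the normalized name: spelling differences are immaterial."""
    key = f"{normalize_name(package_name)}:{identifier}"
    return hashlib.sha256(key.encode()).hexdigest()


def reconcile(old, new, fingerprint):
    """Diff two scans by fingerprint: which findings resolved, which opened, which persisted.

    'fingerprint' is the hypothetical fingerprint function under test.
    """
    old_fps = {fingerprint(name, ident): (name, ident, loc) for name, ident, loc in old}
    new_fps = {fingerprint(name, ident): (name, ident, loc) for name, ident, loc in new}
    return {
        "resolved": sorted(old_fps[k] for k in old_fps.keys() - new_fps.keys()),
        "new": sorted(new_fps[k] for k in new_fps.keys() - old_fps.keys()),
        "persisted": sorted(new_fps[k] for k in old_fps.keys() & new_fps.keys()),
    }


def drifted(result) -> bool:
    """True when the same advisory closed and reopened instead of persisting."""
    return bool(result["resolved"]) and bool(result["new"]) and not result["persisted"]


if __name__ == "__main__":
    for label, fp in (("naive", naive_fingerprint), ("normalized", normalized_fingerprint)):
        result = reconcile(PREVIOUS_SCAN, CURRENT_SCAN, fp)
        print(f"{label}: drift={drifted(result)} {result}")
```

With the naive fingerprint the `Django` finding is reported as resolved and a new `django` finding opens, which is exactly the drift the glossary defines; with the normalized fingerprint the finding persists. Note that normalization only collapses spelling differences: `django` and `djangorestframework` still fingerprint differently, so distinct packages are not merged.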
Relevant links
Non-functional requirements
- Documentation: It would be beneficial to update the Dependency Scanning documentation so that it highlights how we identify unique vulnerabilities with the updated fingerprinting technique.
- Feature flag:
- Performance:
- Testing: We will need to test that a project does not close and reopen a finding when a package changes information that is immaterial.
Implementation plan
Verification steps
Edited by Oscar Tovar