Bring parity to CSV Export and API for Transitive Dependencies

Problem to solve

There is a discrepancy between how customers can view transitive dependencies in the UI and how they can view them through our CSV export or API. Customers should be able to get the same information whether they are using the UI, CSV export, or APIs to interact with dependency scanning results. Direct customer quote:

It is currently impossible to distinguish a vulnerability of a direct dependency from a vulnerability introduced by a transitive dependency when using the API or the CSV export functionality, since the shortest path argument is not available in the GraphQL API or the CSV export. This is only possible from the web console. This makes aggregated reporting on a group or subgroup level difficult.

Proposal

Enable access to the same transitive dependency data via CSV export and API.

Intended users