Dependency Scanning - Managing the same vulnerability in multi-module Maven projects
Release notes
Managing vulnerabilities from dependencies in a large (multi-module) Maven project is unfriendly for the user.
Problem to solve
When a large project with dozens of modules has a dependency with a vulnerability, dependency scanning creates a separate vulnerability for every module, resulting in hundreds of "vulnerabilities" derived from a dozen dependencies. There is no easy way to manage these vulnerabilities other than searching across multiple pages (only 100 entries are shown on the "vulnerability report" page).
The "group by" drop-down only allows grouping by severity and status, not by ID or a similar identifier.
Proposal
Allow grouping by CVE ID or a similar identifier. This way no information is lost (which module has which dependency), but it becomes easier to manage the vulnerabilities when the same action is required regardless of module.
Intended users
Software Developer & Security Operations Engineer
Feature Usage Metrics
Does this feature require an audit event?
No; managing vulnerabilities is already tracked.