Indirect dependency update discussion
See SASTBot dependency updates from indirects in ma... (#443248 - closed) • Jason Leasure • 16.10.
CA helpfully reports vulns in Go project dependencies that can be remedied with a version update. When the vuln is in an indirect dependency that happens to be a direct dependency of a gitlab managed project, it would be better to make the change there.
That said, it has happened that projects have received updates to indirect dependencies that could have been made "upstream".
I've lashed up a tool to ferret out "micromanaged" dependencies and have computed the following suggestions to propagate these changes upstream, where they presumably belong:
suggest gitlab.com/gitlab-org/security-products/analyzers/command/v2 require github.com/stretchr/testify v1.8.4
suggest gitlab.com/gitlab-org/security-products/analyzers/command/v2 require gitlab.com/gitlab-org/security-products/analyzers/ruleset v1.4.1
suggest gitlab.com/gitlab-org/security-products/analyzers/common/v3 require github.com/stretchr/testify v1.8.4
suggest gitlab.com/gitlab-org/security-products/analyzers/report/v4 require github.com/stretchr/testify v1.8.4
suggest gitlab.com/gitlab-org/security-products/analyzers/report/v4 require gitlab.com/gitlab-org/security-products/analyzers/ruleset v1.4.1
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require github.com/Microsoft/go-winio v0.5.2
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require github.com/ProtonMail/go-crypto v0.0.0-20220711121315-1fde58898e96
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require github.com/go-git/go-git/v5 v5.11.0
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require github.com/kevinburke/ssh_config v1.2.0
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require github.com/pelletier/go-toml v1.9.5
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require github.com/sergi/go-diff v1.3.1
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset require golang.org/x/net v0.0.0-20220708220712-1185a9018129
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require github.com/Microsoft/go-winio v0.5.2
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require github.com/ProtonMail/go-crypto v0.0.0-20220711121315-1fde58898e96
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require github.com/go-git/go-git/v5 v5.11.0
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require github.com/kevinburke/ssh_config v1.2.0
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require github.com/pelletier/go-toml v1.9.5
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require github.com/sergi/go-diff v1.3.1
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
suggest gitlab.com/gitlab-org/security-products/analyzers/ruleset/v2 require golang.org/x/net v0.0.0-20220708220712-1185a9018129
Note that some of these changes may yet be indirect in these upstream projects.
Can/should we work this into the SASTbot?
Maybe CA could include the upstream packages (e.g. with go mod why)?
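As an added illustration of the check described in this post (this is not the author's tool, whose code is not on the page), the following Go sketch does the comparison by hand: it parses the consumer's go.mod, records every require marked // indirect, and for each module in the graph that we manage reads that module's own go.mod. Whenever the managed module requires one of the pinned dependencies at an older version, it emits a suggest line in the format used above, and it flags the caveat from the note, where the dependency is still only indirect in the upstream as well. The go.mod contents and all versions are constructed samples (the analyzer module paths are taken from the list above; the versions are made up); in a real run the inputs would come from go list -m -json all, whose GoMod and Indirect fields give each module's cached go.mod path and the consumer's indirect markers.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod contents with hypothetical versions; not real project files.
const consumerMod = `require (
	gitlab.com/gitlab-org/security-products/analyzers/command/v2 v2.2.0
	github.com/stretchr/testify v1.8.4 // indirect
	gitlab.com/gitlab-org/security-products/analyzers/ruleset v1.4.1 // indirect
	golang.org/x/net v0.0.0-20220708220712-1185a9018129 // indirect
)`

var upstreamMods = map[string]string{ // go.mod of each GitLab-managed module, keyed by path (constructed)
	"gitlab.com/gitlab-org/security-products/analyzers/command/v2": `require (
	github.com/stretchr/testify v1.8.1
	gitlab.com/gitlab-org/security-products/analyzers/ruleset v1.4.0
)`,
	"gitlab.com/gitlab-org/security-products/analyzers/ruleset": `require golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 // indirect`,
}

type Req struct { // one require directive of a go.mod file
	Path, Version string
	Indirect      bool // the line carried a "// indirect" marker
}

// ParseRequires extracts require directives (single-line and block form) from go.mod text.
func ParseRequires(gomod string) []Req {
	var reqs []Req
	inRequire := false
	for _, line := range strings.Split(gomod, "\n") {
		code, comment, _ := strings.Cut(line, "//")
		indirect := strings.HasPrefix(strings.TrimSpace(comment), "indirect")
		f := strings.Fields(code)
		switch {
		case len(f) == 1 && f[0] == ")", len(f) == 2 && f[1] == "(":
			inRequire = len(f) == 2 && f[0] == "require" // replace/exclude/retract blocks are skipped
		case len(f) == 3 && f[0] == "require": // single-line form
			reqs = append(reqs, Req{f[1], f[2], indirect})
		case inRequire && len(f) == 2:
			reqs = append(reqs, Req{f[0], f[1], indirect})
		}
	}
	return reqs
}

// VersionLess reports a < b in Go module version order: major.minor.patch first; a release beats
// a pre-release with equal numbers; otherwise the pre-release tails compare lexically, which for
// pseudo-versions (v0.0.0-<UTC timestamp>-<hash>) is commit-time order. "+incompatible" is ignored.
func VersionLess(a, b string) bool {
	split := func(v string) (n [3]int, pre string) {
		v = strings.TrimSuffix(strings.TrimPrefix(v, "v"), "+incompatible")
		v, pre, _ = strings.Cut(v, "-")
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	na, pa := split(a)
	nb, pb := split(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa != "" && (pb == "" || pa < pb)
}

// Micromanaged lists indirect requires of the consumer that a GitLab-managed module in its graph
// itself requires at an older version: that module, not the consumer, is where the bump belongs.
func Micromanaged(consumer string, upstreams map[string]string) []string {
	reqs := ParseRequires(consumer)
	pinned := map[string]string{} // indirect requires in the consumer: path -> version
	for _, r := range reqs {
		if r.Indirect {
			pinned[r.Path] = r.Version
		}
	}
	var out []string
	for _, dep := range reqs {
		for _, ur := range ParseRequires(upstreams[dep.Path]) { // unmanaged module: "" yields nothing
			if want, ok := pinned[ur.Path]; ok && VersionLess(ur.Version, want) {
				s := fmt.Sprintf("suggest %s require %s %s", dep.Path, ur.Path, want)
				if ur.Indirect { // the post's caveat: it may still be indirect upstream too
					s += " (still indirect there)"
				}
				out = append(out, s)
			}
		}
	}
	return out
}

func main() {
	for _, s := range Micromanaged(consumerMod, upstreamMods) {
		fmt.Println(s)
	}
}
```

On the sample, the command/v2 module gets two suggestions (testify and ruleset) and ruleset gets one for golang.org/x/net, marked as still indirect there; a module that is not in the managed set produces nothing. The version comparison is hand-rolled here to keep the sketch standard-library only; a real tool would use golang.org/x/mod/semver, which applies the same ordering.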