Consider adding more details about upstream vulnerabilities to Vulnerability Report


Proposal

In this Zendesk ticket (internal link only), the customer states that the Vulnerability Report shows a vulnerability in an upstream library used by Gradle: SQLite JDBC. They report that remediation would have been much easier if the Vulnerability Report contained more information about how to find and fix the vulnerability with Gradle.

Here is some more information, provided by the customer:

The main issue is the time spent looking into each package to identify the one that triggered the package vulnerability. Imagine we have 10+ dependencies in our code, and the report indicates a vulnerability in example.vulnerable.package. However, in our dependency file (build.gradle), we haven't explicitly declared that dependency. It's possible that one of those 10+ dependencies has example.vulnerable.package as a sub-dependency that we're not aware of.

If the scan you perform checks each package in the dependency file (build.gradle) individually, it would be very helpful if the scan could highlight the line in the dependency file (or provide any other log detailing which package has this dependency). This would make it easier to understand whether we need to upgrade, downgrade, or implement our own solution without the vulnerability. Think of it like an exception where the stack trace reveals the main line of code that caused the exception. This type of information would save us a lot of time in reviewing each package in detail to examine their dependencies.
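As an added example (not code from the issue, the customer or GitLab), the following Python script parses the output of `gradle dependencies --configuration runtimeClasspath` and produces the "stack trace" the customer asks for: every chain from a direct dependency declared in build.gradle down to the vulnerable artifact, with the version the intermediate library declared and the version Gradle resolved. The sample tree, its coordinates and versions are constructed for illustration.

```python
import re

# Constructed sample of `gradle dependencies --configuration runtimeClasspath`
# output; coordinates and versions are illustrative, not taken from the issue.
SAMPLE_TREE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.example:app-core:1.2.0
|    \--- org.xerial:sqlite-jdbc:3.34.0 -> 3.36.0.3
+--- com.example:reporting:2.0.0
|    +--- com.example:app-core:1.2.0 (*)
|    \--- org.xerial:sqlite-jdbc:3.36.0.3
\--- org.slf4j:slf4j-api:2.0.9
"""

# Node lines look like "|    +--- group:artifact:version [-> resolved] [(*)]";
# every nesting level adds a 5-character prefix, so depth = len(prefix) // 5.
NODE_RE = re.compile(r"^([| ]*)[+\\]--- (\S+)(.*)$")

def parse_tree(text):
    """Yield (depth, coordinate, trailing_text) for every node line."""
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            prefix, coord, rest = m.groups()
            yield len(prefix) // 5, coord, rest.strip()

def paths_to(text, target):
    """Every chain from a direct dependency down to `target` ("group:artifact"),
    with the declared and the Gradle-resolved ("-> x.y.z") version. Gradle prints
    a repeated subtree once and marks later copies "(*)", so those are not expanded."""
    stack, hits = [], []
    for depth, coord, rest in parse_tree(text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(coord)
        parts = coord.split(":")
        declared = parts[2] if len(parts) > 2 else None
        if ":".join(parts[:2]) == target:
            m = re.search(r"-> (\S+)", rest)
            hits.append({"path": list(stack), "declared": declared,
                         "resolved": m.group(1) if m else declared})
    return hits

def direct_introducers(text, target):
    """The build.gradle-level dependencies that pull `target` in."""
    return sorted({hit["path"][0] for hit in paths_to(text, target)})

if __name__ == "__main__":
    for hit in paths_to(SAMPLE_TREE, "org.xerial:sqlite-jdbc"):
        print(" -> ".join(hit["path"]), "| resolved:", hit["resolved"])
```

Gradle's own `gradle dependencyInsight --dependency sqlite-jdbc --configuration runtimeClasspath` answers the same question for a single artifact; the parser is for the case where only a captured tree is available.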
