Feature Proposal: Contextual Patching for Dependency Scanning
Problem to solve
SCA users suffer from alert fatigue. A single Dependency Scan can return more vulnerabilities than a team can handle in a single sprint / milestone. The Composition Analysis group recognizes this and wants to consider how we can reduce the overall noise associated with Dependency Scanning.
One mechanism to reduce noise is to provide more insight into how a dependency is used within a project. Specifically, if we can understand how a given dependency is pulled into a project (directly, or transitively through which other dependencies), we can likely reduce the workload for developers that are performing mitigations.
Proposal
The initial thinking is to build a dependency graph that maps each reported CVE to the direct dependency (for example a framework) that pulls the affected package in, so that the graph can show which CVEs might be eliminated by upgrading that framework version or by some other single change within the project.
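The following is an added illustration of that idea, not GitLab's code or a description of the planned implementation. It assumes a constructed lockfile (package names, versions, and finding labels are all made up), a constructed list of candidate upgrades of direct dependencies together with the transitive versions each upgrade would pull in, and a single-version resolver that keeps the highest requested version of each package. It then ranks the candidate upgrades by how many open findings each one would close, so a developer sees "upgrade the framework, and four of five findings go away" instead of five unrelated alerts.

```python
"""Rank candidate dependency upgrades by the findings they would close.

Added example, not GitLab's implementation. Every package name, version,
finding label, and upgrade candidate below is constructed for illustration.
"""

# Constructed lockfile: currently resolved version of every package in the graph.
RESOLVED = {
    "web-framework": "4.2.0",
    "http-client": "1.8.0",
    "template-engine": "3.1.0",
    "http-parser": "1.9.0",
    "tls-wrapper": "1.3.0",
}

# Constructed findings: (affected package, finding label, first fixed version).
FINDINGS = [
    ("http-parser", "finding-1", "2.0.0"),
    ("http-parser", "finding-2", "2.1.0"),
    ("tls-wrapper", "finding-3", "1.4.0"),
    ("template-engine", "finding-4", "3.2.0"),
    ("web-framework", "finding-5", "5.0.0"),
]

# Constructed candidate upgrades of direct dependencies, keyed by (package, new version),
# with the transitive versions that the new release would pull in.
CANDIDATE_UPGRADES = {
    ("web-framework", "5.0.0"): {"template-engine": "3.2.0", "http-parser": "2.1.0"},
    ("http-client", "1.9.0"): {"http-parser": "2.0.0", "tls-wrapper": "1.4.0"},
}


def parse_version(version):
    """Compare dotted numeric versions as integer tuples (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def resolve_after(upgrades, resolved=RESOLVED):
    """Resolved versions after applying the given upgrades.

    Assumption: a single-version resolver that keeps the highest requested
    version of each package. A resolver that nests duplicate copies (npm style)
    could leave an older vulnerable copy in the tree, which this model ignores.
    """
    new = dict(resolved)
    for direct, version in upgrades:
        requested = {direct: version, **CANDIDATE_UPGRADES[(direct, version)]}
        for pkg, ver in requested.items():
            if pkg not in new or parse_version(ver) > parse_version(new[pkg]):
                new[pkg] = ver
    return new


def open_findings(resolved):
    """Labels of findings whose affected package is still below its fixed version."""
    return {
        label
        for pkg, label, fixed in FINDINGS
        if pkg in resolved and parse_version(resolved[pkg]) < parse_version(fixed)
    }


def eliminated_by(upgrade, resolved=RESOLVED):
    """Findings that this single upgrade would close against the given state."""
    return open_findings(resolved) - open_findings(resolve_after([upgrade], resolved))


def plan_upgrades(resolved=RESOLVED):
    """Greedy plan: repeatedly apply the upgrade that closes the most open findings.

    Returns (plan, leftover) where plan is a list of (upgrade, closed labels)
    and leftover lists findings no candidate upgrade can close.
    """
    current = dict(resolved)
    remaining = set(CANDIDATE_UPGRADES)
    plan = []
    while remaining:
        best = max(remaining, key=lambda u: len(eliminated_by(u, current)))
        closed = eliminated_by(best, current)
        if not closed:
            break
        plan.append((best, sorted(closed)))
        current = resolve_after([best], current)
        remaining.discard(best)
    return plan, sorted(open_findings(current))


if __name__ == "__main__":
    for (pkg, ver), closed in plan_upgrades()[0]:
        print(f"upgrade {pkg} to {ver}: closes {', '.join(closed)}")
```

In this constructed input, upgrading the framework alone closes four of the five findings, including two in a parser it shares with the HTTP client; the second upgrade is only needed for the TLS wrapper. The greedy ordering is a heuristic, and the single-version resolver assumption is the main caveat: a real implementation has to take the resolved versions from the ecosystem's own resolver rather than from a table like CANDIDATE_UPGRADES.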
Intended users
Does this feature require an audit event?
No
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.