Feature Proposal: Composition Analysis composite health score for dependencies
Problem to solve
When Dependency Scanning identifies vulnerabilities during a scan, users need to triage them. The Developer persona often needs to understand the impact of the vulnerability on the project and determine how to mitigate it. This research requires context about the project as well as about the dependency that was flagged as vulnerable. Users need to dig into the dependency in question and make a remediation decision (ignore, upgrade, or remove). To aid that decision, we should give the user more insight into the dependency itself.
Proposal
The Composition Analysis group should offer a composite health score for dependencies: a scale from 0 to 100, where 0 is unhealthy and 100 is healthy. The score should weight each aspect of the dependency according to its importance. Some initial thoughts on characteristics to include in the calculation:
- Usage: how popular is this dependency globally? Driven by the number of downloads.
- Activity: is this dependency actively maintained?
- Release Cadence: if a vulnerability is identified, how quickly will a fixed release ship?
- Has Vulnerabilities: whether any version of the package has known vulnerabilities.
- Has Exploits: whether any version of the package has had a known exploit.
I am sure there are other characteristics that we should consider, but those are some initial thoughts.
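As an added example (not GitLab code and not a proposed implementation), here is one way such a weighted composite could be computed from the five characteristics listed above. The weights, the log-scale normalisation of download counts, the 30-day/365-day decay windows for activity and release cadence, and the sample inputs are all assumptions chosen for illustration; a real model would calibrate them against package-registry data.

```ruby
# Added example: a weighted composite health score for a dependency.
# The weights, normalisation curves and thresholds below are assumptions
# chosen for illustration; they are not GitLab's scoring model.
module DependencyHealth
  # Relative importance of each characteristic; must sum to 1.0 (assumed values).
  WEIGHTS = {
    usage: 0.15,
    activity: 0.25,
    release_cadence: 0.20,
    vulnerabilities: 0.20,
    exploits: 0.20
  }.freeze

  # Clamp a float into the 0..100 range.
  def self.clamp(value)
    [[value, 0.0].max, 100.0].min
  end

  # Usage: log-scaled download count. 10 million downloads or more scores 100,
  # so a few extra downloads on an already huge package do not move the score.
  def self.usage_score(downloads)
    clamp(Math.log10(downloads.to_f + 1) / 7.0 * 100)
  end

  # Activity: full marks if the last commit is 30 days old or less,
  # decaying linearly to 0 at 365 days of inactivity.
  def self.activity_score(days_since_last_commit)
    decay(days_since_last_commit, full: 30, zero: 365)
  end

  # Release cadence: median gap between releases, used as a proxy for how
  # quickly a fix would ship once a vulnerability is found.
  def self.release_cadence_score(median_days_between_releases)
    decay(median_days_between_releases, full: 30, zero: 365)
  end

  # Boolean characteristics: any known vulnerability or exploit in any
  # version zeroes that component, matching the proposal's "any version" wording.
  def self.vulnerabilities_score(has_vulnerabilities)
    has_vulnerabilities ? 0.0 : 100.0
  end

  def self.exploits_score(has_exploits)
    has_exploits ? 0.0 : 100.0
  end

  # Linear decay: 100 up to `full` days, 0 at or beyond `zero` days.
  def self.decay(days, full:, zero:)
    return 100.0 if days <= full

    clamp(100.0 * (zero - days) / (zero - full))
  end

  # Returns the per-characteristic scores plus the weighted composite
  # (an integer in 0..100), so the user can see what drove the result.
  def self.assess(downloads:, days_since_last_commit:, median_days_between_releases:,
                  has_vulnerabilities:, has_exploits:)
    components = {
      usage: usage_score(downloads),
      activity: activity_score(days_since_last_commit),
      release_cadence: release_cadence_score(median_days_between_releases),
      vulnerabilities: vulnerabilities_score(has_vulnerabilities),
      exploits: exploits_score(has_exploits)
    }
    composite = components.sum { |name, score| WEIGHTS[name] * score }
    { components: components, composite: clamp(composite).round }
  end
end

# Constructed sample inputs (not real package data).
if __FILE__ == $PROGRAM_NAME
  well_kept = DependencyHealth.assess(downloads: 50_000_000, days_since_last_commit: 5,
                                      median_days_between_releases: 21,
                                      has_vulnerabilities: true, has_exploits: false)
  abandoned = DependencyHealth.assess(downloads: 1_200, days_since_last_commit: 900,
                                      median_days_between_releases: 400,
                                      has_vulnerabilities: true, has_exploits: true)
  puts "well kept: #{well_kept[:composite]} #{well_kept[:components]}"
  puts "abandoned: #{abandoned[:composite]} #{abandoned[:components]}"
end
```

Returning the component breakdown alongside the composite matters for triage: the two constructed packages both carry a known vulnerability, but the actively maintained one scores 80 because a fix is likely to arrive quickly, while the abandoned one scores 7. Note that a boolean "any version has had a vulnerability" also penalises mature, well-patched packages, which is one reason the weighting and the choice between a boolean and an unpatched-count deserve care.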
Intended users
Personas are described at https://about.gitlab.com/handbook/product/personas/
- Delaney (Development Team Lead)
- Amy (Application Security Engineer)
- Alex (Security Operations Engineer)
Feature Usage Metrics
None.
Does this feature require an audit event?
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.