Determine if a vulnerable library call is used in an app
Note to wider-community, sales, support and customer success
As always, we welcome contributions, so feel free to ask the PM of Composition Analysis if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE: if you are a user who would also like to see this feature, please UPVOTE.
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.
Problem to solve
Dependency Scanning can tell you whether a library included in your app is affected by a known vulnerability.
This is useful, but usually only one function, or a small set of functions, in the library is vulnerable, and the rest remains safe to use. Most applications call only a few functions of any given library, and upgrading the library can be costly.
If we can identify the vulnerable library call (rather than only the vulnerable library) and detect whether the application actually uses that call, we can provide better information and allow people to prioritize fixes for the libraries that can really create a security flaw in their app.
Further details
Inspired by https://snyk.io/blog/introducing-open-source-security-runtime-monitoring
Proposal
When an advisory identifies the vulnerable function in a library, detect whether the application calls that function, and surface this information alongside the vulnerability to allow better prioritization.
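To make the proposal concrete, here is an added example (not GitLab's implementation, and not from the Snyk post linked above) of the static half of this check: given a map from fully qualified library functions to advisories, walk the application's Python AST, resolve import aliases, and report every call site that reaches a listed function. The advisory identifiers and the sample application source are constructed for illustration; Python is used only because the page names no language.

```python
"""Added example: flag calls to advisory-listed library functions in app source.

Unlike a package-level check, this reports only call sites that actually reach
the vulnerable function, so `import yaml` alone is not a finding but
`yaml.load(...)` is. Import aliases are resolved, so
`from pickle import loads as unpickle; unpickle(blob)` still maps to
`pickle.loads`.
"""
import ast
from dataclasses import dataclass

# Constructed sample advisory data for illustration only; the identifiers are
# hypothetical, not real advisory IDs.
VULNERABLE_CALLS = {
    "yaml.load": "HYPO-0001: unsafe deserialization via yaml.load without a Loader",
    "pickle.loads": "HYPO-0002: arbitrary code execution on untrusted input",
}


@dataclass(frozen=True)
class CallSite:
    qualified_name: str  # resolved dotted name, e.g. "yaml.load"
    lineno: int          # line in the application source
    advisory: str        # advisory text from VULNERABLE_CALLS


class VulnerableCallFinder(ast.NodeVisitor):
    """Collects calls whose resolved target is in the vulnerable-call map."""

    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.aliases = {}  # local binding name -> fully qualified name
        self.hits = []

    def visit_Import(self, node):
        # `import a.b` binds `a`; `import a.b as c` binds `c` to `a.b`.
        for alias in node.names:
            if alias.asname:
                self.aliases[alias.asname] = alias.name
            else:
                top = alias.name.split(".")[0]
                self.aliases[top] = top
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # `from m import f as g` binds `g` to `m.f`.
        module = node.module or ""
        for alias in node.names:
            local = alias.asname or alias.name
            self.aliases[local] = f"{module}.{alias.name}" if module else alias.name
        self.generic_visit(node)

    def _qualify(self, func):
        # Flatten `a.b.c(...)` into ["a", "b", "c"], then replace the root
        # with whatever the import statements bound it to.
        parts = []
        node = func
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None  # e.g. a call on a call result; not resolvable statically
        parts.append(node.id)
        parts.reverse()
        root = self.aliases.get(parts[0], parts[0])
        return ".".join([root] + parts[1:])

    def visit_Call(self, node):
        name = self._qualify(node.func)
        if name in self.vulnerable:
            self.hits.append(CallSite(name, node.lineno, self.vulnerable[name]))
        self.generic_visit(node)


def find_vulnerable_calls(source, vulnerable=VULNERABLE_CALLS):
    """Return the CallSites in `source` that reach a listed vulnerable function."""
    finder = VulnerableCallFinder(vulnerable)
    finder.visit(ast.parse(source))
    return finder.hits


# Constructed sample application source for the demonstration.
SAMPLE_APP = """\
import yaml
from pickle import loads as unpickle
import json

def load_config(path):
    with open(path) as f:
        return yaml.load(f)          # vulnerable entry point, reachable

def parse(blob):
    return json.loads(blob)          # json.loads is not on the list

def restore(blob):
    return unpickle(blob)            # aliased import is still resolved
"""

if __name__ == "__main__":
    for hit in find_vulnerable_calls(SAMPLE_APP):
        print(f"line {hit.lineno}: {hit.qualified_name} -> {hit.advisory}")
```

This resolves only direct, statically visible calls in the application's own source. It does not follow calls that reach the vulnerable function through another dependency, nor dynamic dispatch such as `getattr`, which is why the runtime monitoring approach in the linked Snyk post is a useful complement rather than a replacement.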
What does success look like, and how can we measure that?
The number of vulnerabilities for which the vulnerable-call information is available, and therefore the number of findings that can be prioritized by whether the call is actually used.