
Add transverse dependency test fixture

Lucas Charles requested to merge add-transverse-dependency-test into master

What does this MR do?

This is a placeholder that demonstrates our current handling of transverse dependencies. This could be merged as-is to accurately showcase our functionality in handling vulnerable dependencies of dependencies, but it's primarily here to show a "point of departure" as we re-evaluate how we represent transverse dependencies with the upgrade of retire.js to >= 2.x, see !7 (merged)

❯ _gl_diff_reports test/expect/gl-dependency-scanning-report.json test/fixtures/gl-dependency-scanning-report.json
--- /dev/fd/63	2019-04-08 11:17:31.000000000 -0700
+++ /dev/fd/62	2019-04-08 11:17:31.000000000 -0700
@@ -1,3 +1,5 @@
 [
-  "sast-test-npm/package.json:ansi2html:npm:51"
+  "sast-test-npm/package.json:ansi2html:npm:51",
+  "sast-test-npm/package.json:send:npm:56",
+  "sast-test-npm/package.json:ms:npm:46"
 ]
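Review bot: the added line `"sast-test-npm/package.json:ms:npm:46"` keys `ms` to `package.json` in exactly the same form as the direct dependencies `ansi2html` and `send`, so the report carries no indication that `ms` is only reachable through `send`, which is the representation question the description flags as the important topic. Since the fixture is described as mergeable as-is, `test/expect/gl-dependency-scanning-report.json` should either be updated with the two new entries (or the expectation marked as intentionally failing), otherwise `_gl_diff_reports` will keep reporting `ERROR: 2 new vulnerabilities detected` against the merged fixture.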
ERROR: 2 new vulnerabilities detected

Vulnerability details

I was unable to find a package that is not currently vulnerable but has a vulnerable dependency, so we will have to consider both in this case.

  • Vulnerable package.json packages: ansi2html and send.
  • Vulnerable node_module packages: ms (a dependency of send).

Other than a lack of deduping that's occurring in the updated fixture, these 3 vulnerabilities are identified. The important topic is the representation of ms.

What are the relevant issue numbers?

https://gitlab.com/gitlab-org/gitlab-ee/issues/6705
https://gitlab.com/gitlab-org/gitlab-ee/issues/8899

Does this MR meet the acceptance criteria?

Edited by Lucas Charles
