Add transverse dependency test fixture
What does this MR do?
This is a placeholder to demonstrate our current handling of transverse dependencies. This could be merged as-is to accurately showcase our functionality in handling vulnerable dependencies of dependencies, but it's primarily here to show a "point of departure" as we re-evaluate how we represent transverse dependencies with the upgrade of retire.js to >= 2.x, see !7 (merged).
❯ _gl_diff_reports test/expect/gl-dependency-scanning-report.json test/fixtures/gl-dependency-scanning-report.json
--- /dev/fd/63 2019-04-08 11:17:31.000000000 -0700
+++ /dev/fd/62 2019-04-08 11:17:31.000000000 -0700
@@ -1,3 +1,5 @@
[
- "sast-test-npm/package.json:ansi2html:npm:51"
+ "sast-test-npm/package.json:ansi2html:npm:51",
+ "sast-test-npm/package.json:send:npm:56",
+ "sast-test-npm/package.json:ms:npm:46"
]
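Review bot: all three added identifiers carry the same `sast-test-npm/package.json` location prefix, so the expected report gives no way to tell that `ms:npm:46` is only reached through `send` rather than being a direct dependency, which is exactly the representation question the description says this MR is meant to surface. Consider noting that limitation next to the fixture (a comment in the test or a reference to the tracking issue) so the expected output is not mistaken for the intended final format once retire.js is upgraded. The JSON edit itself is consistent: a trailing comma is added after the existing `ansi2html` entry and the new last element has none.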
ERROR: 2 new vulnerabilities detected
Vulnerability details
I was unable to find a package that is not currently vulnerable but has a vulnerable dependency, so we will have to consider both in this case.
- Vulnerable package.json packages: ansi2html and send.
- Vulnerable node_module packages: ms (a dependency of send).
Other than a lack of deduping occurring in the updated fixture, these 3 vulnerabilities are identified. The important topic is the representation of ms.
What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab-ee/issues/6705 https://gitlab.com/gitlab-org/gitlab-ee/issues/8899
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer