Dependabot Security Alerts should show the full path to the vulnerable dependency #114377
Unanswered
viluon asked this question in Code Security
Replies: 0 comments
Topic Area: Product Feedback
The dependencies of complex Gradle projects can run very deep and employ vulnerable plugins that don't introduce any runtime problems. Triaging how exactly a project depends on a vulnerable package is difficult -- default Gradle tooling is insufficient to display the full dependency graph and searching through it is cumbersome. Some packages are depended upon by multiple paths. Some packages appear in the dependency graph with multiple versions.
In general, one should be able to mark a dependency as dev-only if all of the paths leading to it pass through dev dependencies. However, to do this, one needs to manually investigate the dependency graph for every open alert (not to mention the functionality to change the dependency scope of a package is missing from GitHub's interface).
Things would be far easier if security alerts included the paths through which a dependency is introduced into the project.
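As an added example, not part of the post or of GitHub's or Gradle's own tooling: a small Python triage helper that parses `gradle dependencies` output, lists every path through which a given group:artifact enters each configuration (including repeated subtrees and conflict-resolved versions), and applies the dev-only rule the post describes. The sample tree is constructed, and the helper assumes that dev-only configurations are those of the `test` source set, whose names start with `test`.

```python
import re
SAMPLE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.example:lib-a:1.0
|    \--- org.example:lib-c:2.0
\--- org.example:lib-b:1.1
     \--- org.example:lib-c:1.9 -> 2.0

testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- org.example:lib-a:1.0
|    \--- org.example:lib-c:2.0 (*)
\--- junit:junit:4.13.2
     \--- org.hamcrest:hamcrest-core:1.3
"""  # constructed sample of `gradle dependencies` output, not taken from the post
# Header: "name" or "name - description". Node: 5-char indent units, +--- or \--- connector,
# coordinates, optional "-> resolved" conflict marker, optional (*)/(c)/(n) flag.
HEADER = re.compile(r"^([A-Za-z]\w*)(?: - .*)?$")
NODE = re.compile(r"^((?:[| ] {4})*)[+\\]--- (.+?)(?: -> (\S+))?(?: \([*cn]\))?\s*$")

def parse_tree(text):
    """Map each configuration to its nodes as (resolved coordinates, depth)."""
    configs, current = {}, None
    for line in text.splitlines():
        node = NODE.match(line)
        if node and current is not None:
            indent, requested, arrow = node.groups()
            resolved = requested if not arrow else arrow if ":" in arrow else requested.rsplit(":", 1)[0] + ":" + arrow
            configs[current].append((resolved, len(indent) // 5))
        elif HEADER.match(line):
            current = HEADER.match(line).group(1)
            configs[current] = []
    return configs

def paths_to(configs, group_artifact):
    """Every (configuration, [root, ..., target]) path reaching any version of group:artifact."""
    hits = []
    for config, nodes in configs.items():
        stack = []
        for coords, depth in nodes:
            stack[depth:] = [coords]  # pop back to this node's parent, then descend
            if coords.rsplit(":", 1)[0] == group_artifact:
                hits.append((config, list(stack)))
    return hits

def triage(text, group_artifact, dev_prefixes=("test",)):
    """Paths to group:artifact, its resolved versions, and dev_only (assumes dev configurations start with 'test')."""
    hits = paths_to(parse_tree(text), group_artifact)
    versions = sorted({path[-1].rsplit(":", 1)[1] for _, path in hits})
    dev_only = bool(hits) and all(config.startswith(dev_prefixes) for config, _ in hits)
    return {"paths": hits, "versions": versions, "dev_only": dev_only}
```

Feed it the output of `gradle dependencies` for the project and the `group:artifact` named in an alert; a package is a dev-only candidate only when `dev_only` is true, and `versions` shows whether conflict resolution has already moved the whole graph to a fixed version.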