Open Security Advisories Insights dashboard includes archived repositories #28180
Unanswered
nicorikken asked this question in Code Security
Replies: 0 comments
We archive repositories that are no longer used in production but are mainly kept for 'archival purposes' as the name implies. The 'Insights' overview lists 'Open Security Advisories' in the 'Dependencies' tab. This is a helpful overview to see what dependencies have known vulnerabilities. We use this dashboard to keep an eye on the security status of our projects, and if we spot a security advisory we can find the related projects and address the issue there.
Unfortunately, dependencies of archived repositories are included in the dashboard. As the dependencies are listed by version number, this results in a lot of 'false positive' security advisories for outdated dependencies which we have no intention of updating. And there is no other way to check off dependencies in the dashboard, nor do we want to.
Our desired solution would be an option that prevents dependencies from archived repositories from showing up in the 'Dependencies' tab, or at least the 'Open Security Advisories' overview.
This issue seems related to #19607 but that issue focuses on Dependabot Alerts, whereas my remark is about the Open Security Advisories in the Dependencies tab of Insights, so based on dependencies rather than Dependabot alerts.