
Does dependabot detect vulnerabilities in transitive dependencies? #2640

Closed
nasifimtiazohi opened this issue Oct 14, 2020 · 11 comments
Labels
F: security-updates 🔐 Issues specific to security updates L: java:maven Maven packages via Maven L: javascript:npm npm packages via npm T: bug 🐞 Something isn't working

Comments

@nasifimtiazohi

I am looking at dependabot alerts on my Maven and npm projects. It seems like dependabot only alerts for vulnerabilities on direct dependencies. I think only when the transitive dep. is explicitly declared in Maven or a lock file is present in an npm project, that dependabot sends alerts on them. However, if I use a tool like Snyk, it shows me a lot of alerts on my transitive deps.

So I was wondering what is Dependabot's approach in general to vulnerabilities in transitive dependencies?

@nasifimtiazohi nasifimtiazohi added the T: bug 🐞 Something isn't working label Oct 14, 2020
@Vincent-FundApps

Any updates on this issue?
It seems like most vulnerabilities in transient dependencies aren't picked up by Dependabot.

@floriankoch

Any Updates here?

@robmoffat

Is there a good reason why transitive dependencies aren't supported here? This seems like a rookie error, but maybe I don't understand the complexities involved.

An update on this issue would be gratefully appreciated

@philippsimon

I also just realized that: Any updates about that?
We have the issues for transient dependencies of maven projects.

@seanmoghadam

Right now it's not supported - as written here

    # NOTE: we currently don't resolve transitive/sub-dependencies as
    # npm/yarn don't provide any control over updating to a specific
    # sub-dependency

@ondrejlerch

I would also love dependabot transitive vulnerability detection feature for maven projects in my case.
Without this feature dependabot may fail to find many critical security issues as maven dependencies are often transitive.
Otherwise dependabot is great but this fundamental feature is missing.
I am not looking for "Dependabot security updates" as this may be difficult to implement.
"Dependabot alerts" would be enough for me, mvn dependency:tree or mvn dependency:list could be used to implement such feature.
Many thanks!

@jeffwidman
Member

There are two separate things being talked about in this issue:

  1. Security alerts of whether a transitive dependency has a vulnerability (the original issue)
  2. Whether Dependabot can create version update PRs for transitive dependencies.

Even though externally the user experience is all under the Dependabot brand, internally they're separate teams... I'm checking with the team responsible for 1 to see if they can provide an update on what is currently supported.

For 2, in general for most ecosystems we're not that sophisticated yet, but it is something that's on our radar, and we have done some preliminary work on it, particularly for the Javascript world.

@jeffwidman jeffwidman self-assigned this Sep 14, 2022
@jeffwidman jeffwidman added F: security-updates 🔐 Issues specific to security updates L: javascript:npm npm packages via npm L: java:maven Maven packages via Maven labels Sep 14, 2022
@jeffwidman
Member

Just heard back from the team responsible for detecting vulnerabilities:

  • They can get transitive dependencies for maven if they use this action that submits them to the dependency submission API.
  • We get transitive dependencies for npm if they’re using a lockfile.

So both are supported, although for Maven you have to wire it up a little... this makes sense because the output of Maven can be fairly complex so trying to statically parse the input files is difficult, versus looking at the end binary to see what actually got pulled in and then comparing it to the vulnerability database.

@robmoffat

@maoo

@ondrejlerch

Recommendation for other developers who want to analyze maven transitive dependencies via Dependabot and not just direct ones:
This action really does the trick.
Set-up is easy:

    steps:
      - name: Checkout
        uses: actions/checkout@v3
      # Resolves the Maven dependency graph (including transitive artifacts)
      # and POSTs it to the Dependency Submission API; the job running this
      # needs `permissions: contents: write` for the POST to be accepted.
      - name: Submit Dependency Snapshot
        uses: advanced-security/maven-dependency-submission-action@v1
        with:
          directory: your-directory   # path containing the pom.xml to resolve

The only issue is that maven-dependency-submission-action currently does not support multi-module based projects.
Therefore, set your-directory to your fat-jar or war module or create artificial module and add all your other modules as dependencies.
Enjoy!
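The submission route described by jeffwidman above ("this action that submits them to the dependency submission API") and the `mvn dependency:tree` idea raised earlier in the thread come down to the same thing: hand GitHub a snapshot in which every transitive artifact appears with its own package URL, its `direct`/`indirect` relationship and its edges, so the alert matcher can see it. The following is an added example, not code from dependabot-core or from advanced-security/maven-dependency-submission-action, of building such a snapshot from the text output of `mvn dependency:tree -DoutputFile=deps.txt`. The sample tree is constructed (not from a real build), and the detector name/URL and job correlator are placeholders you would replace.

```python
"""Turn `mvn dependency:tree` text output into a Dependency Submission API snapshot.

Added example, not Dependabot's or the submission action's own code. Assumes the
default text form of `mvn dependency:tree -DoutputFile=deps.txt`, where each
level is indented by 3 characters and children are marked "+- " or "\\- ".
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample tree (illustrative coordinates, not captured from a build).
SAMPLE_TREE = """\
com.example:app:jar:1.0.0
+- org.apache.commons:commons-text:jar:1.9:compile
|  \\- org.apache.commons:commons-lang3:jar:3.11:compile
\\- junit:junit:jar:4.13.2:test
   \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# indent: zero or more 3-char units ("|  " or "   "); marker: "+- " or "\- ";
# coords: the Maven coordinates. Trailing text such as "-- module foo" that newer
# plugin versions append is left out because \S+ stops at whitespace.
_LINE = re.compile(r"^(?P<indent>(?:[| ]  )*)(?P<marker>[+\\]- )?(?P<coords>[\w.-]+:\S+)")


def parse_coords(coords):
    """Split groupId:artifactId:type[:classifier]:version[:scope] into a dict."""
    parts = coords.split(":")
    if len(parts) == 4:          # root project line: no scope
        g, a, t, v = parts
        c, s = None, None
    elif len(parts) == 5:        # the usual dependency line
        g, a, t, v, s = parts
        c = None
    elif len(parts) == 6:        # artifact with a classifier (e.g. native libs)
        g, a, t, c, v, s = parts
    else:
        raise ValueError(f"unexpected coordinate form: {coords}")
    return {"group": g, "artifact": a, "type": t, "classifier": c, "version": v, "scope": s}


def to_purl(dep):
    """Package URL for a Maven artifact; qualifiers only when non-default."""
    purl = f"pkg:maven/{dep['group']}/{dep['artifact']}@{dep['version']}"
    quals = []
    if dep["classifier"]:
        quals.append(f"classifier={dep['classifier']}")
    if dep["type"] != "jar":
        quals.append(f"type={dep['type']}")
    return purl + ("?" + "&".join(quals) if quals else "")


def build_snapshot(tree_text, *, sha, ref, manifest="pom.xml", job_id="local-1"):
    """Walk the tree; depth 1 is 'direct', deeper is 'indirect', edges are recorded."""
    resolved = {}
    stack = [None]               # purl at each depth; depth 0 is the project itself
    for line in tree_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 3 + (1 if m.group("marker") else 0)
        dep = parse_coords(m.group("coords"))
        if depth == 0:
            stack = [None]       # new root (multi-module output concatenates trees)
            continue
        purl = to_purl(dep)
        parent = stack[depth - 1]
        del stack[depth:]
        stack.append(purl)
        relationship = "direct" if depth == 1 else "indirect"
        entry = resolved.get(purl)
        if entry is None:
            entry = resolved[purl] = {
                "package_url": purl,
                "relationship": relationship,
                # the API knows only runtime/development; Maven's test scope maps to development
                "scope": "development" if dep["scope"] == "test" else "runtime",
                "dependencies": [],
            }
        elif relationship == "direct":
            entry["relationship"] = "direct"   # seen both ways: direct wins
        if parent is not None and purl not in resolved[parent]["dependencies"]:
            resolved[parent]["dependencies"].append(purl)
    return {
        "version": 0,
        "sha": sha,
        "ref": ref,
        "job": {"correlator": "maven-tree-to-snapshot", "id": job_id},   # placeholder names
        "detector": {"name": "maven-tree-to-snapshot", "version": "0.1.0",
                     "url": "https://example.invalid/maven-tree-to-snapshot"},  # placeholder
        "scanned": datetime.now(timezone.utc).isoformat(),
        "manifests": {manifest: {"name": manifest, "file": {"source_location": manifest},
                                 "resolved": resolved}},
    }


if __name__ == "__main__":
    print(json.dumps(build_snapshot(SAMPLE_TREE, sha="0" * 40, ref="refs/heads/main"), indent=2))
```

The resulting JSON is what you would POST to `/repos/OWNER/REPO/dependency-graph/snapshots` (for example with `gh api --method POST --input snapshot.json`), using a token that has write access to repository contents. The point worth checking in your own output is that commons-lang3 shows up as `indirect` and as an edge under commons-text: a snapshot that lists only depth-1 artifacts reproduces exactly the blind spot this issue is about.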

@Gby56

Gby56 commented Jul 18, 2023

Hello @jeffwidman , do you know if that feature would be integrated into dependabot core anytime soon, instead of relying on the other action for submitting the whole maven dependency to the repo ? Thanks :)
Also, does that mean that dependabot PRs can fix transitive dependencies if we use the action ? Or they will only get flagged but not auto-fixed ?

Projects
Archived in project
9 participants