Does dependabot detect vulnerabilities in transitive dependencies? #2640
Comments
Any updates on this issue? |
Any Updates here? |
Is there a good reason why transitive dependencies aren't supported here? This seems like a rookie error, but maybe I don't understand the complexities involved. An update on this issue would be gratefully appreciated |
I also just realized that: Any updates about that? |
Right now it's not supported - as written here |
I would also love a Dependabot transitive vulnerability detection feature for Maven projects, in my case. |
There are two separate things being talked about in this issue:
Even though externally the user experience is all under the Dependabot brand, internally they're separate teams... I'm checking with the team responsible for 1 to see if they can provide an update on what is currently supported. For 2, in general for most ecosystems we're not that sophisticated yet, but it is something that's on our radar, and we have done some preliminary work on it, particularly for the JavaScript world. |
Just heard back from the team responsible for detecting vulnerabilities:
So both are supported, although for Maven you have to wire it up a little... this makes sense because the output of Maven can be fairly complex so trying to statically parse the input files is difficult, versus looking at the end binary to see what actually got pulled in and then comparing it to the vulnerability database. |
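The "look at the resolved output rather than the POM" approach described above, as an added example that is not code from this thread or from Dependabot: a small Python script that reads `mvn dependency:tree` output (a constructed sample is embedded), marks each artifact as direct or transitive together with the direct dependency that pulled it in, and matches versions against a constructed, hypothetical advisory table.

```python
from dataclasses import dataclass
# Constructed sample of `mvn dependency:tree` output; not taken from the issue thread.
SAMPLE_TREE = """\
[INFO] com.example:webapp:jar:1.0.0
[INFO] +- org.springframework:spring-web:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.20:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |     \\- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Hypothetical advisory data, constructed for the demo: group:artifact -> affected versions.
SAMPLE_ADVISORIES = {"org.springframework:spring-jcl": {"5.3.20"}, "junit:junit": {"4.13.2"}}

@dataclass
class Dep:
    ga: str       # group:artifact
    version: str
    scope: str
    depth: int    # 1 = declared in the POM, >1 = transitive
    via: str      # the direct dependency whose subtree pulled this one in

def parse_tree(text):
    """Turn dependency:tree output into Dep records, tracking the path to each node."""
    deps, stack = [], []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        body = raw[7:]
        idx = max(body.find("+- "), body.find("\\- "))
        if idx < 0:
            continue                      # root artifact line, not a dependency
        depth = idx // 3 + 1              # each nesting level indents by 3 characters
        parts = body[idx + 3:].split(":") # g:a:type[:classifier]:version:scope
        ga, version, scope = f"{parts[0]}:{parts[1]}", parts[-2], parts[-1]
        del stack[depth - 1:]             # leave the previous branch at this depth
        via = stack[0] if stack else ga
        stack.append(ga)
        deps.append(Dep(ga, version, scope, depth, via))
    return deps

def vulnerable(deps, advisories):
    """Return (ga, version, 'direct' | 'transitive via <direct dep>') for every match."""
    hits = []
    for d in deps:
        if d.version in advisories.get(d.ga, set()):
            hits.append((d.ga, d.version, "direct" if d.depth == 1 else f"transitive via {d.via}"))
    return hits
```

Call `vulnerable(parse_tree(SAMPLE_TREE), SAMPLE_ADVISORIES)`: with the sample data it reports spring-jcl as transitive via spring-web and junit as direct, which is exactly the information a POM-only scan cannot produce.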
Recommendation for other developers who want to analyze Maven transitive dependencies via Dependabot and not just direct ones:
The only issue is that |
Hello @jeffwidman, do you know if that feature would be integrated into dependabot core anytime soon, instead of relying on the other action for submitting the whole Maven dependency tree to the repo? Thanks :) |
I am looking at Dependabot alerts on my Maven and npm projects. It seems like Dependabot only alerts for vulnerabilities on direct dependencies. I think Dependabot only sends alerts on transitive dependencies when the transitive dep. is explicitly declared in Maven or a lock file is present in an npm project. However, if I use a tool like Snyk, it shows me a lot of alerts on my transitive deps.
So I was wondering what is Dependabot's approach in general to vulnerabilities in transitive dependencies?