Problem
Any real-life application depends on frameworks and other direct dependencies, which in turn introduce multiple layers of transitive dependencies. The number of effective (direct and transitive) dependencies of a real-life application can easily be 100+.
When we scan dependencies, we find issues (vulnerability / popularity / security posture) in a lot of them, which increases the remediation cost significantly. Often the remediation is infeasible or painful because of the sheer volume of issues a tool produces, vet included.
Solution
Our goal is to improve the user experience of remediating issues in OSS dependencies while ensuring that we do not give a false sense of security by missing critical issues. To do this, we need to provide a paved path for the remediation journey instead of dumping issues on the user and leaving the decision, prioritisation and planning to them.
We need a user experience like this:
Provide the top 5 libraries that will mitigate the maximum OSS risk in the application
Identify and ignore false positives
Provide remediation advice that is actually doable by the user, i.e. for direct dependencies and NOT transitive dependencies
Provide a way to see the impact of the risk mitigated by following the remediation advice
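As an added illustration of the ranking this issue asks for (example code written here, not vet's own implementation), the Go function below credits each scanner finding to a direct dependency only when that dependency is the sole remaining one pulling the affected package in, skips findings the user has marked as false positives, and greedily returns the top N direct dependencies by risk removed. It assumes that remediating a direct dependency removes its whole transitive subtree and that the vulnerability / popularity / posture signals have already been folded into one constructed severity weight per finding; the type and function names are hypothetical.

```go
package main

type Issue struct {
	ID, Package string  // finding id and the package it was reported against
	Severity    float64 // constructed 0-10 weight
}

type Step struct {
	Direct string  // the direct dependency to fix
	Risk   float64 // severity that fixing it alone removes
}

// Prioritize greedily ranks up to topN direct dependencies: each round credits a
// non-ignored issue to a direct dependency only when it is the sole still-unfixed
// one pulling the affected package in, then picks the most credited dependency.
func Prioritize(g map[string][]string, direct []string, issues []Issue, ignore map[string]bool, topN int) []Step {
	var out []Step
	for len(out) < topN && len(direct) > 0 {
		owners := map[string][]string{} // package -> unfixed direct deps pulling it in
		for _, d := range direct {
			for stack, seen := []string{d}, map[string]bool{}; len(stack) > 0; {
				p := stack[len(stack)-1]
				stack = stack[:len(stack)-1]
				if !seen[p] {
					seen[p] = true
					owners[p] = append(owners[p], d)
					stack = append(stack, g[p]...)
				}
			}
		}
		credit := map[string]float64{} // direct dep -> risk that only it is responsible for
		for _, is := range issues {
			if o := owners[is.Package]; len(o) == 1 && !ignore[is.ID] {
				credit[o[0]] += is.Severity
			}
		}
		best := -1
		for i, d := range direct {
			if credit[d] > 0 && (best < 0 || credit[d] > credit[direct[best]]) {
				best = i
			}
		}
		if best < 0 {
			break // nothing left that fixing one direct dependency alone would remove
		}
		out = append(out, Step{direct[best], credit[direct[best]]})
		direct = append(direct[:best:best], direct[best+1:]...) // copies, so the caller's slice is untouched
	}
	return out
}
```

Because a package shared by two direct dependencies is credited to neither until one of them is fixed, the second step's Risk can be larger than the first's; the per-step Risk values, summed, are the impact the user sees after following the advice in order.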
Related issues
#8
#94
#80
https://docs.google.com/presentation/d/14tTZlnHP26dqAd2mDUyYsIhlVmZWrBc4/edit#slide=id.g24f292dc4d0_0_660