Report vulnerable dependency paths for conan (C, C++)
Problem to solve
Dependency Scanning should report the dependency paths for vulnerable dependencies found in Conan projects using conan.lock. These dependency paths can then be shown in the UI, including in the dependency list. See #227620 (closed)
Proposal
Permissions and Security
N/A
Documentation
Dependency Path support for this particular package manager should be documented in Dependency Scanning documentation.
Availability & Testing
To be tested automatically as part of QA for the analyzer project, by checking the generated report.
What does success look like, and how can we measure that?
The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.
What is the type of buyer?
Implementation plan
- Augment the `conan.Parse` function so it returns an array of `parser.Dependency`. Use NuGet as an example.
- Update tests for `conan.Parse`.
- Update the supported package managers section of the Dependency Paths docs to include `conan`.
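As an added example (not gemnasium's code, and not the `conan.Parse` or `parser.Dependency` named in the plan above), here is a Go sketch of the parsing step the plan describes: it reads a constructed lockfile written in the shape of a Conan 1.x `conan.lock` (`graph_lock.nodes` keyed by node id, each with a `ref` and the ids it `requires`), walks the graph from the consumer node, and returns every package together with all dependency paths that reach it, which is what the report needs once a package is matched against an advisory. The `Dependency` type and the `Parse`, `PathsTo` and `splitRef` names are assumptions, as is treating the node with a `path` and no `ref` as the consumer.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// sampleConanLock is a constructed lockfile in the shape of a Conan 1.x
// conan.lock; node "0" is the consuming conanfile. Not from a real project.
const sampleConanLock = `{"graph_lock": {"nodes": {
  "0": {"path": "conanfile.txt", "requires": ["1", "2"]},
  "1": {"ref": "poco/1.9.4", "requires": ["3"]},
  "2": {"ref": "boost/1.73.0", "requires": ["4"]},
  "3": {"ref": "openssl/1.1.1g", "requires": ["4"]},
  "4": {"ref": "zlib/1.2.11"}}, "revisions_enabled": false}, "version": "0.4"}`

// lockNode decodes only the graph_lock fields needed to rebuild paths.
type lockNode struct {
	Ref      string   `json:"ref"`
	Path     string   `json:"path"`
	Requires []string `json:"requires"`
}

type conanLock struct {
	GraphLock struct {
		Nodes map[string]lockNode `json:"nodes"`
	} `json:"graph_lock"`
}

// Dependency is a hypothetical stand-in for the analyzer's record (not
// gemnasium's parser.Dependency): one package plus every path reaching it.
type Dependency struct {
	Name    string
	Version string
	Paths   [][]string // each path: "name/version" refs from a direct dependency down to this package
}

// splitRef reduces "name/version@user/channel#rrev" to (name, version).
func splitRef(ref string) (string, string) {
	if i := strings.Index(ref, "#"); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	parts := strings.SplitN(ref, "/", 2)
	if len(parts) != 2 {
		return ref, ""
	}
	return parts[0], parts[1]
}

// Parse decodes a conan.lock and returns every package reachable from the
// consumer node, sorted by name, with all dependency paths leading to it.
func Parse(lockfile []byte) ([]Dependency, error) {
	var lock conanLock
	if err := json.Unmarshal(lockfile, &lock); err != nil {
		return nil, fmt.Errorf("conan.lock: %w", err)
	}
	nodes := lock.GraphLock.Nodes
	rootID := "" // assumption: the consumer is the node with a path and no ref
	for id, n := range nodes {
		if n.Ref == "" && n.Path != "" {
			rootID = id
			break
		}
	}
	if rootID == "" {
		return nil, fmt.Errorf("conan.lock: no consumer node found")
	}
	byRef := map[string]*Dependency{}
	onStack := map[string]bool{} // cycle guard; a valid lockfile is a DAG
	var walk func(id string, trail []string) error
	walk = func(id string, trail []string) error {
		n, ok := nodes[id]
		if !ok {
			return fmt.Errorf("conan.lock: requires unknown node %q", id)
		}
		if onStack[id] {
			return fmt.Errorf("conan.lock: dependency cycle at node %q", id)
		}
		onStack[id] = true
		defer delete(onStack, id)
		if id != rootID {
			// Copy before appending so stored paths are never aliased by siblings.
			trail = append(append([]string(nil), trail...), n.Ref)
			d := byRef[n.Ref]
			if d == nil {
				name, version := splitRef(n.Ref)
				d = &Dependency{Name: name, Version: version}
				byRef[n.Ref] = d
			}
			d.Paths = append(d.Paths, trail)
		}
		for _, req := range n.Requires {
			if err := walk(req, trail); err != nil {
				return err
			}
		}
		return nil
	}
	if err := walk(rootID, nil); err != nil {
		return nil, err
	}
	deps := make([]Dependency, 0, len(byRef))
	for _, d := range byRef {
		deps = append(deps, *d)
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Name < deps[j].Name })
	return deps, nil
}

// PathsTo renders every path to the named package as "a/1 > b/2", the form a
// report or the dependency list would show for a package flagged as vulnerable.
func PathsTo(deps []Dependency, name string) []string {
	var out []string
	for _, d := range deps {
		if d.Name != name {
			continue
		}
		for _, p := range d.Paths {
			out = append(out, strings.Join(p, " > "))
		}
	}
	return out
}

func main() {
	deps, err := Parse([]byte(sampleConanLock))
	if err != nil {
		panic(err)
	}
	// Suppose zlib matched an advisory: show each way the project reaches it.
	for _, p := range PathsTo(deps, "zlib") {
		fmt.Println(p)
	}
}
```

On the sample lockfile `zlib` is reached twice, once through `poco > openssl` and once through `boost`, so a single vulnerable package yields several paths; the report should carry all of them rather than the first one found. The walk refuses a cyclic graph instead of looping, since a lockfile that is not a DAG is malformed input.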
Edited by Adam Cohen