Add package name to Dependency Scanning report, location fingerprint
Problem to solve
It's necessary to add the package name to the Dependency Scanning reports and to the "location fingerprint"; otherwise there may be a collision when a single security advisory has been published for multiple packages.
This is a follow-up issue for #5908 (closed).
Further details
Dependency Scanning (DS) and SAST both share a common report syntax defined in the common library.
The syntax defines a Location for a vulnerability, and in the case of DS this location is limited to the path of the dependency file (where the affected package is declared).
There may be a collision if the same file declares two dependencies (two packages) affected by the same advisory with the same identifier (CVE id or other).
Proposal
- In the common lib, add `Dependency` and `Package` as nested structs of `Issue`
- In the DS analyzers, add `dependency.version` and `dependency.package.name` to the `location` of a vulnerability
- In the DS parser (Rails BE), add the package name to the location fingerprint
What does success look like, and how can we measure that?
No collision when two dependencies declared in the same dependency file refer to the same security advisory (same CVE id).
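The collision and its fix, as an added Ruby example written for this issue (not the Rails BE's or the common library's own code): two constructed DS findings in the same dependency file share one advisory identifier, and a fingerprint over the file path alone cannot tell them apart, whereas one that also covers `dependency.package.name` can. The concatenation format, the placeholder CVE id and the package names are assumptions for the example.

```ruby
require 'digest'
require 'json'

# Constructed DS report fragment (not a real report): same dependency file,
# same advisory identifier (placeholder), two different affected packages.
REPORT_JSON = <<~JSON
{
  "vulnerabilities": [
    {
      "identifiers": [{"type": "cve", "value": "CVE-EXAMPLE-0001"}],
      "location": {
        "file": "Gemfile.lock",
        "dependency": {"package": {"name": "alpha"}, "version": "1.0.0"}
      }
    },
    {
      "identifiers": [{"type": "cve", "value": "CVE-EXAMPLE-0001"}],
      "location": {
        "file": "Gemfile.lock",
        "dependency": {"package": {"name": "beta"}, "version": "2.3.1"}
      }
    }
  ]
}
JSON

# Fingerprint over the dependency file path only: the behaviour the issue
# describes as colliding.
def fingerprint_file_only(location)
  Digest::SHA1.hexdigest(location.fetch('file'))
end

# Fingerprint that also covers the package name, as the proposal suggests.
# The "file:package" concatenation is an assumption for this example.
def fingerprint_with_package(location)
  name = location.dig('dependency', 'package', 'name')
  Digest::SHA1.hexdigest("#{location.fetch('file')}:#{name}")
end

# Number of distinct fingerprints the given strategy yields for the report;
# a value lower than the number of findings means a collision.
def distinct_fingerprints(report_json, strategy)
  vulns = JSON.parse(report_json).fetch('vulnerabilities')
  vulns.map { |v| send(strategy, v.fetch('location')) }.uniq.size
end

puts distinct_fingerprints(REPORT_JSON, :fingerprint_file_only)    # 1: collision
puts distinct_fingerprints(REPORT_JSON, :fingerprint_with_package) # 2: distinct
```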