Description
Current Behavior
CVE-2024-52046, a vulnerability in Apache Mina, was published with a CVSS score of 10.0.
It is used in many projects, for example Keycloak.
What does work after uploading an SBOM to DT:
- The vulnerability shows up in the project findings, including the GHSA-76h9-2vwh-w278 alias.
- I can locate the Apache Mina dependency in the dependency graph.
The graph, however, is so big, and Mina is used in so many places, that it is impossible to get a practical overview of where it is used and which "direct" dependencies I should update, or to assess which Mina functionality is used in order to judge whether that functionality might be affected by the CVE or not.
Even though I might just wait for a Keycloak (or Red Hat Build of Keycloak) release, there will be more examples where the current featureset in DT is not practical.
Proposed Behavior
Provide a summary of which "paths" in the dependency tree are affected.
This could be done by making the path from the vulnerable component to the root of the tree green.
( I vaguely remember someone mentioning this or even building this in the past?)
Alternatively, there could be a new tab / page / view where DT just lists the vulnerable paths.
This might be easier to read / export compared to the graph, which can be huge.
e.g.:
- root -> apacheds-blabla-x.y -> apache-api-ldap-a.b -> apache-mina-2.1.3
- root -> apache-klm-i.j -> apache-util-q.r -> apache-mina-2.1.3
- ....
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this enhancement was already requested
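As an added illustration of the "list of vulnerable paths" idea above (example code written for this page, not part of Dependency-Track), the script below takes a constructed CycloneDX-style `dependencies` array, enumerates every path from the SBOM root to a chosen vulnerable component, and reduces those paths to the set of direct dependencies that would have to be bumped. The component names are the hypothetical ones from the issue's own illustration, and a back edge is included so the walk shows how a cycle in the graph is skipped rather than looping forever.

```python
"""Enumerate dependency paths from an SBOM root to a vulnerable component.

Constructed example; the component names are placeholders, not a real SBOM.
"""
from collections import defaultdict

# Constructed sample in the shape of a CycloneDX "dependencies" array
# (hypothetical names taken from the issue's illustration).
SAMPLE_DEPENDENCIES = [
    {"ref": "root", "dependsOn": ["apacheds-blabla-x.y", "apache-klm-i.j", "other-lib-1.0"]},
    {"ref": "apacheds-blabla-x.y", "dependsOn": ["apache-api-ldap-a.b"]},
    {"ref": "apache-api-ldap-a.b", "dependsOn": ["apache-mina-2.1.3"]},
    {"ref": "apache-klm-i.j", "dependsOn": ["apache-util-q.r"]},
    # The edge back to apache-klm-i.j forms a cycle on purpose: real graphs
    # occasionally contain them, and the walk below must not loop on one.
    {"ref": "apache-util-q.r", "dependsOn": ["apache-mina-2.1.3", "apache-klm-i.j"]},
    {"ref": "other-lib-1.0", "dependsOn": []},
    {"ref": "apache-mina-2.1.3", "dependsOn": []},
]


def build_graph(dependencies):
    """Turn the CycloneDX dependencies array into an adjacency map ref -> [refs]."""
    graph = defaultdict(list)
    for entry in dependencies:
        graph[entry["ref"]].extend(entry.get("dependsOn", []))
    return graph


def vulnerable_paths(graph, root, vulnerable_ref):
    """Return every simple path from root to vulnerable_ref as a list of refs.

    Depth-first walk; a child already on the current path is a cycle and is
    skipped, so the search terminates even on cyclic dependency data.
    """
    paths = []

    def walk(node, path):
        if node == vulnerable_ref:
            paths.append(list(path))
            return
        for child in graph.get(node, []):
            if child in path:  # back edge: already on this path, skip
                continue
            path.append(child)
            walk(child, path)
            path.pop()

    walk(root, [root])
    return paths


def direct_dependencies_to_update(paths):
    """The first hop of each path is the direct dependency that pulls the
    vulnerable component in; those are the candidates for a version bump."""
    return sorted({path[1] for path in paths if len(path) > 1})


def format_paths(paths):
    """Render paths the way the issue sketches them: root -> a -> b -> vuln."""
    return [" -> ".join(path) for path in paths]


def vulnerable_path_report(dependencies, root, vulnerable_ref):
    """Convenience wrapper producing the list view the issue asks for."""
    paths = vulnerable_paths(build_graph(dependencies), root, vulnerable_ref)
    return {
        "paths": format_paths(paths),
        "direct_dependencies": direct_dependencies_to_update(paths),
    }


if __name__ == "__main__":
    report = vulnerable_path_report(SAMPLE_DEPENDENCIES, "root", "apache-mina-2.1.3")
    print("Vulnerable paths:")
    for line in report["paths"]:
        print("  -", line)
    print("Direct dependencies to update:", ", ".join(report["direct_dependencies"]))
```

On a real SBOM the `dependencies` array comes straight from the CycloneDX JSON, and the root is the `ref` of the `metadata.component`; the path list is compact enough to export even when the full graph is too large to read.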