Closed ov7a closed 2 weeks ago
We tried, but there's no mechanism in the GitHub Dependency Graph API to map a dependency to a particular project/configuration, without having a separate vulnerability alert reported for every project/configuration that uses the dependency.
This readme partly explains the reason for this: https://github.com/gradle/actions/blob/main/docs/dependency-submission-faq.md#why-arent-dependencies-be-linked-to-the-source-file-where-they-are-declared
The team at GitHub are aware of this limitation, and we've discussed plans to improve this in the future.
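To make the trade-off in the reply above concrete, here is an added example (not code from gradle/actions or GitHub) that models two ways of laying out a Dependency submission API snapshot. The field names `manifests`, `file.source_location`, `resolved`, `package_url`, `relationship` and `scope` follow the public snapshot format; the project/configuration data is a constructed toy, and the count of "alerts" is simply the number of manifests that list a package, which is how the reply describes the behaviour.

```python
"""Added example: why attributing a dependency to a project/configuration
costs one alert per project/configuration that resolves it.

Assumptions (not from the page): the sample projects, configurations and
package URLs below are constructed; the snapshot shape follows the public
Dependency submission API, but the submission itself is not performed."""

# Constructed sample: (project, configuration, package_url, relationship, scope)
# Two projects resolve the same library, one of them in two configurations.
RESOLVED = [
    ("app", "runtimeClasspath", "pkg:maven/com.example/lib@1.0", "direct", "runtime"),
    ("app", "testRuntimeClasspath", "pkg:maven/com.example/lib@1.0", "direct", "development"),
    ("core", "runtimeClasspath", "pkg:maven/com.example/lib@1.0", "indirect", "runtime"),
    ("core", "runtimeClasspath", "pkg:maven/org.example/other@2.3", "direct", "runtime"),
]


def single_manifest_snapshot(entries, manifest_path="settings.gradle.kts"):
    """One manifest for the whole build (the layout the reply describes).

    Every package_url appears once, so a vulnerable package yields one alert,
    but the project and configuration it came from are not recorded."""
    resolved = {}
    for _project, _configuration, purl, relationship, scope in entries:
        # A dependency shared by several projects/configurations collapses to
        # a single entry; only the first occurrence's metadata survives.
        resolved.setdefault(purl, {
            "package_url": purl,
            "relationship": relationship,
            "scope": scope,
        })
    return {"manifests": {manifest_path: {
        "name": manifest_path,
        "file": {"source_location": manifest_path},
        "resolved": resolved,
    }}}


def per_configuration_snapshot(entries):
    """One manifest per (project, configuration).

    Attribution is preserved in the manifest name, but a package resolved by
    N project/configuration pairs is listed N times, i.e. N separate alerts."""
    manifests = {}
    for project, configuration, purl, relationship, scope in entries:
        name = f"{project}:{configuration}"
        manifest = manifests.setdefault(name, {
            "name": name,
            # Hypothetical source path for the sub-project's build script.
            "file": {"source_location": f"{project}/build.gradle.kts"},
            "resolved": {},
        })
        manifest["resolved"][purl] = {
            "package_url": purl,
            "relationship": relationship,
            "scope": scope,
        }
    return {"manifests": manifests}


def alert_count(snapshot, purl):
    """Number of manifests listing purl: one alert each if purl is vulnerable."""
    return sum(1 for m in snapshot["manifests"].values() if purl in m["resolved"])


def attributions(snapshot, purl):
    """Manifest names that list purl: the only place project/configuration
    information can live in this format."""
    return sorted(name for name, m in snapshot["manifests"].items()
                  if purl in m["resolved"])


if __name__ == "__main__":
    lib = "pkg:maven/com.example/lib@1.0"
    single = single_manifest_snapshot(RESOLVED)
    per_conf = per_configuration_snapshot(RESOLVED)
    print("single manifest:", alert_count(single, lib), attributions(single, lib))
    print("per configuration:", alert_count(per_conf, lib), attributions(per_conf, lib))
```

Running it shows the library producing one alert attributed only to `settings.gradle.kts` in the first layout, and three alerts (one per project/configuration manifest) in the second, which is the duplication the reply refers to.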
Currently, the report looks like this:
While it's great that it points to `settings.gradle.kts`, it's unclear from the get-go where exactly the dependency comes from (production/tests, direct/transitive, project/plugin/version catalog/included build/build logic, etc.). It would be nice to have at least the project name and configuration name in the description.