Devs, ops, secops (in and out of org) can currently perform the following actions on the following objects:
commit, tag, deploy (TODO: get from BMO or jenkins) a repo
add, remove, update a dependency file (manifest or lock)
add, remove a dependency file directory (i.e. a directory with one or more dep files) (arguably update too if we want to track renames)
add, remove, update a dependency
add, remove, update a transitive dependency
create, publish, update, revoke an advisory
And the objects are related as follows:
a repo has zero or more dependency files
a dependency file directory contains zero or more dependency files
a dependency file specifies zero or more dependencies (a manifest defines direct unresolved dependency constraints and a lockfile defines resolved dependencies w/ versions and transitive dependency packages w/ versions)
an advisory impacts zero or more resolved dependencies w/ versions (direct or transitive)
There are also actions on related objects, e.g. for a repo, dependency file, resolved dependency w/ version and vuln, devs can ack, ignore, or patch it in GH's vuln alerting system.
Which is all well and good.
We're interested in timelines of actions on those entities (possibly grouped or rolled up by their relations or properties).
For example, we can look at when vulnerable resolved dependency versions were present in repos with respect to a given advisory:
We can improve the visualization as follows:
make it higher density (drop package dirs on left, add more rows)
highlight specific states, e.g. for the above: vulnerable dependency present in-tree, present while a patch was available, patched (could be used to show update latency / technical lag, per Decan et al.)
More concretely make heatmap plots where:
y axis (a spectra) is an object, e.g. a repo, package name, package name and version, dep. file, etc.
x axis is time
z / color (depth) is a property of the object when present at that time, e.g. package version in-tree, # of transitive deps
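As an added worked example (not code from the original note or any project it references), the script below takes a constructed log of add/update/remove actions on a lockfile dependency, derives the per-repo version intervals, classifies each day into the states listed above (vulnerable present in-tree, present while a patch was available, patched), computes technical lag per repo, and lays the result out as the heatmap grid described here (rows = repo/package, columns = days, cells = state). The package name, versions, dates and the "every version below the fixed version is affected" rule are all assumptions made for the example.

```python
"""Dependency-state timeline relative to an advisory, rendered as a heatmap grid."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted version string into a comparable tuple (assumed plain scheme)."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Event:
    """One 'add / update / remove a dependency' action on a repo's lockfile."""
    day: date
    repo: str
    package: str
    action: str               # "add", "update" or "remove"
    version: Optional[str]    # resolved version; None for "remove"


@dataclass(frozen=True)
class Advisory:
    """Assumed rule for the example: every version below `fixed` is affected."""
    package: str
    published: date
    fixed: Version


# Constructed sample data, not taken from any real repo, package or advisory.
EVENTS = [
    Event(date(2020, 1, 1), "repo-a", "examplepkg", "add", "1.2.0"),
    Event(date(2020, 1, 20), "repo-a", "examplepkg", "update", "1.2.1"),
    Event(date(2020, 2, 10), "repo-a", "examplepkg", "update", "1.3.0"),
    Event(date(2020, 1, 5), "repo-b", "examplepkg", "add", "1.2.0"),
    Event(date(2020, 2, 1), "repo-b", "examplepkg", "remove", None),
]
ADVISORY = Advisory("examplepkg", published=date(2020, 1, 25), fixed=(1, 3, 0))
START, HORIZON = date(2020, 1, 1), date(2020, 3, 1)   # time window of the heatmap


def version_timeline(events, repo, package, horizon):
    """Half-open intervals [(start, end, version)] for one repo/package; None = removed."""
    relevant = sorted((e for e in events if e.repo == repo and e.package == package),
                      key=lambda e: e.day)
    intervals, current, start = [], None, None
    for e in relevant:
        if start is not None and e.day > start:
            intervals.append((start, e.day, current))
        current = parse_version(e.version) if e.action != "remove" else None
        start = e.day
    if start is not None and start < horizon:
        intervals.append((start, horizon, current))   # last state runs to the horizon
    return intervals


def state(version, day, advisory):
    """Map (version in-tree, day) to one of the states named on the page."""
    if version is None:
        return "absent"
    if version >= advisory.fixed:
        return "patched" if day >= advisory.published else "safe"
    return "vuln_patch_available" if day >= advisory.published else "vuln_in_tree"


def technical_lag(intervals, advisory):
    """Days from publication until the repo stops carrying an affected version
    (by update or removal). None if never exposed after publication, or still exposed."""
    exposed = False
    for start, end, version in intervals:
        affected = version is not None and version < advisory.fixed
        if affected and end > advisory.published:
            exposed = True
            continue
        if exposed:
            return (max(start, advisory.published) - advisory.published).days
    return None


def heatmap(events, advisory, start, horizon):
    """Rows keyed by (repo, package), one state cell per day in [start, horizon)."""
    days = [start + timedelta(days=i) for i in range((horizon - start).days)]
    rows: Dict[Tuple[str, str], List[str]] = {}
    for repo, pkg in sorted({(e.repo, e.package) for e in events if e.package == advisory.package}):
        intervals = version_timeline(events, repo, pkg, horizon)
        rows[(repo, pkg)] = [
            state(next((v for s, e, v in intervals if s <= day < e), None), day, advisory)
            for day in days
        ]
    return days, rows


GLYPH = {"absent": ".", "safe": "-", "vuln_in_tree": "v", "vuln_patch_available": "V", "patched": "#"}


def render(rows):
    """Text heatmap: one glyph per day, one line per (repo, package) row."""
    return "\n".join(f"{repo:8} {pkg:12} " + "".join(GLYPH[c] for c in cells)
                     for (repo, pkg), cells in rows.items())


def run_demo():
    """Heatmap rows plus per-repo technical lag for the sample data."""
    _, rows = heatmap(EVENTS, ADVISORY, START, HORIZON)
    lags = {repo: technical_lag(version_timeline(EVENTS, repo, pkg, HORIZON), ADVISORY)
            for repo, pkg in rows}
    return rows, lags


if __name__ == "__main__":
    rows, lags = run_demo()
    print(render(rows))
    print(lags)
```

Each row of the rendered grid is one y-axis "spectra" entry and each column one day, so the `v` to `V` transition marks the advisory's publication date and the first `#` or `.` after it marks when the repo stopped being exposed; the lag dictionary is that gap in days, which is the update-latency measurement mentioned above.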
The following interactions could improve usability:
group and filter on object name or properties (e.g. repo = blah or group by severity)
on hover display spectra info (e.g. package version, name), time interval (start, end), and state (e.g. was vulnerable) or highlight related info (e.g. all related transitive dependency rows)
on selection (paint/drag to select a box) open/update a subdisplay with statistics for that subset of data
on click display additional info about the state/open/update a subdisplay
Implementation links: