snyk / snyk-gradle-plugin

Basic Snyk CLI plugin for Gradle support

feat: prune across the dep-graph #209

Closed gitphill closed 2 years ago

gitphill commented 2 years ago

What this does

Before this change we have been traversing all transitive lines as deep as possible creating at times very large graphs (many edges).

This can cause us difficulties performing vulnerable path calculations when considering all paths from all nodes to the root.

By pruning already seen nodes we can reduce the problem space dramatically.

To achieve this, first perform a breadth first search over the result of init.gradle, checking whether each node has been seen before queuing its children. If a node has been seen, simply mark it as pruned and do not queue its children, terminating the line early.

It is safe to discard these duplicate transitive lines because there can only be one version of a package on the classpath for Java projects. There are some situations when Gradle considers higher versions of deeper duplicate packages winners. We're relying on init.gradle to resolve these situations.

When presenting remediation (upgrades) Snyk will attempt to find and fix the effective (non-pruned) lines. This is correct as it's those lines that should matter above all others.
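
The pruning walk described above, as an added example that is not the plugin's own code. It assumes a tree shape for the init.gradle result, a `name@version` node id, and a `:pruned` id suffix for the leaf that stands in for a repeated subtree:

```typescript
interface GradleDep { name: string; version: string; children: GradleDep[] }
interface GraphNode { pruned: boolean; deps: string[] }
interface DepGraph { root: string; nodes: Map<string, GraphNode> }
// Node id: group:artifact plus the single version Gradle resolved (assumed form).
const nodeId = (d: GradleDep): string => `${d.name}@${d.version}`;
// Breadth-first walk over the init.gradle tree; a package seen before becomes
// a pruned leaf and its children are not queued, ending that line early.
function buildPrunedGraph(root: GradleDep): DepGraph {
  const nodes = new Map<string, GraphNode>();
  const seen = new Set<string>([nodeId(root)]);
  const queue: GradleDep[] = [root];
  nodes.set(nodeId(root), { pruned: false, deps: [] });
  while (queue.length > 0) {
    const current = queue.shift() as GradleDep;
    const parent = nodes.get(nodeId(current)) as GraphNode;
    for (const child of current.children) {
      const id = nodeId(child);
      if (seen.has(id)) {
        // Keep the edge but point it at a leaf marked pruned (":pruned" suffix
        // is this example's convention), so the duplicate subtree is dropped.
        const prunedId = `${id}:pruned`;
        if (!nodes.has(prunedId)) nodes.set(prunedId, { pruned: true, deps: [] });
        parent.deps.push(prunedId);
        continue;
      }
      seen.add(id);
      nodes.set(id, { pruned: false, deps: [] });
      parent.deps.push(id);
      queue.push(child);
    }
  }
  return { root: nodeId(root), nodes };
}
// Distinct root-to-node paths: what vulnerable-path calculation must enumerate,
// and what pruning keeps from exploding when subtrees are shared.
function countPaths(graph: DepGraph): number {
  const walk = (id: string): number =>
    1 + (graph.nodes.get(id) as GraphNode).deps.reduce((n, d) => n + walk(d), 0);
  return walk(graph.root);
}
// Constructed sample: the raw tree repeats "common" (with its own subtree)
// under both lib-a and lib-b, exactly the duplication being pruned.
const util: GradleDep = { name: "org.example:util", version: "1.0", children: [] };
const common = (): GradleDep => ({ name: "org.example:common", version: "2.1", children: [util] });
const sampleTree: GradleDep = {
  name: "org.example:app", version: "0.1", children: [
    { name: "org.example:lib-a", version: "1.2", children: [common()] },
    { name: "org.example:lib-b", version: "3.0", children: [common()] },
  ],
};
```

On the sample the raw tree has seven positions but the pruned graph has six nodes, with `common`'s subtree expanded only once under lib-a and a pruned leaf under lib-b.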

snyksec commented 2 years ago

:tada: This PR is included in version 3.19.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: