[FEATURE] For dependency graph report, a non-vulnerable dependency should list number of transitive vulnerabilities detected.

[shaikhu]

• What are you trying to do? So with #28 we only list dependencies which have vulnerabilities. This is awesome. I noticed it's possible for a dependency to have zero vulnerabilities (but have transitive dependencies which are vulnerable). This can be confusing why the dependency is included in the report. Seeing "0 vulnerabilities detected" looks strange here. Maybe for this scenario update the message.

+--- org.springframework.boot:spring-boot-starter-web:1.0.0.RELEASE: 0 vulnerabilities detected
|    +--- com.fasterxml.jackson.core:jackson-databind:2.9.10.4 (*): 6 vulnerabilities detected
|         ...
|    +--- org.springframework:spring-web:4.0.3.RELEASE: 3 vulnerabilities detected
|         ...
|    +--- org.springframework:spring-webmvc:4.0.3.RELEASE: 3 vulnerabilities detected
|         ...

to

+--- org.springframework.boot:spring-boot-starter-web:1.0.0.RELEASE: 12 transitive vulnerabilities detected
|    +--- com.fasterxml.jackson.core:jackson-databind:2.9.10.4 (*): 6 vulnerabilities detected
|        ...
|    +--- org.springframework:spring-web:4.0.3.RELEASE: 3 vulnerabilities detected
|        ...
|    +--- org.springframework:spring-webmvc:4.0.3.RELEASE: 3 vulnerabilities detected
|        ...

Or if we exclude the number and just print "transitive dependencies detected". I think both makes it clearer why the dependency was included in the report.

• What feature or behaviour is this required for? Only for the dependency graph report, when a dependency has no direct vulnerabilities, but transitive ones.

• How could we solve this issue? (Not knowing is okay!) We know the dependency has at least one transitive dependency with vulnerabilities (which is why we print it!). Seems reasonable to calculate the number of vulnerabilities

• Anything else? Let me know what you think.

cc @bhamail / @DarthHater / @guillermo-varela

[guillermo-varela]

@shaikhu If the direct dependency has vulnerabilities how would it be shown?

2 vulnerabilities and 12 transitive vulnerabilities detected ? 2 direct vulnerabilities and 12 transitive vulnerabilities detected ? 2 own vulnerabilities and 12 transitive vulnerabilities detected ?

[DarthHater]

Maybe "has 2 vulnerabilities and 12 additional vulnerabilities in transitive dependencies" if that's not too wordy?

[shaikhu]

@shaikhu If the direct dependency has vulnerabilities how would it be shown?

Yeah I didn't think about that possibility. I was only concerned with getting rid of the "0 vulnerabilities detected" text.

2 direct vulnerabilities and 12 transitive vulnerabilities detected ?

I like this one the best but wondering if it's not too wordy?

[pctF]

I believe it can be misleading. Having vulnerable dependencies not, making component itself vulnerable. But statement about "transitive vulnerabilities" can lead to this state of mind. It is common practice for vulnerabilities to be created BASED on transitive ones. And if there is no such vulnerabilities in core component it is good chance that it is not affected.

There is nothing wrong with this enrichment but I really question if it is worth it.

[shaikhu]

I believe it can be misleading. Having vulnerable dependencies not, making component itself vulnerable. But statement about "transitive vulnerabilities" can lead to this state of mind. It is common practice for vulnerabilities to be created BASED on transitive ones. And if there is no such vulnerabilities in core component it is good chance that it is not affected.

There is nothing wrong with this enrichment but I really question if it is worth it.

Thank you for the feedback. It's very much appreciated. 👍 Agree with your thoughts, and feel the end result isn't worth the effort to implement. Considering more urgent issues (#58) I'm going to close this.