Improve Remediation Advice #107

Open
abhisek opened this issue Aug 4, 2023 · 0 comments

abhisek commented Aug 4, 2023

Problem

Any real-life application will depend on frameworks and other direct dependencies, which in turn introduce multiple layers of transitive dependencies. The number of effective (direct and transitive) dependencies for any real-life application can easily be 100+.

When we scan dependencies, we end up finding issues (vulnerability / popularity / security posture) in a lot of dependencies, thus increasing the remediation cost significantly. Many times, the remediation is infeasible or painful due to the sheer volume of issues produced by a tool, vet included.

Solution

Our goal is to improve the user experience when it comes to remediating issues in OSS dependencies while ensuring that we do not provide a false sense of security by missing critical issues. To do this, we need to provide a paved path for the remediation journey instead of dumping issues on the user and having the user make the decision / prioritisation / plan.

We need a user experience like this:

  1. Provide Top 5 libraries that will mitigate maximum OSS risk in the application
  2. Identify and ignore false positives
  3. Provide remediation advice that is actually doable by the user, i.e. direct dependencies and NOT transitive dependencies
  4. Provide a way to see the impact of risk mitigated by following the remediation advice
  5. Provide configurability to ignore false positives (already implemented through Support Exception Management Workflow #13)

Related issues

#8
#94
#80

https://docs.google.com/presentation/d/14tTZlnHP26dqAd2mDUyYsIhlVmZWrBc4/edit#slide=id.g24f292dc4d0_0_660
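To make the prioritisation described in the issue above concrete, here is an added example in Go; it is not vet's own code, and the severity weights, the dependency graph and the issue list are constructed for the illustration. It drops issues marked as exceptions (false positives), ranks the direct dependencies of an application by the total risk of the issues reachable through them (the "top N libraries" view), and then measures how much risk actually disappears when the top advice is followed. Upgrading a direct dependency is modelled as removing that package from the graph (an assumption; real resolvers differ), so an issue pulled in through more than one direct dependency only goes away once every path to it is fixed, which is why the ranking score and the measured impact can differ.

```go
package main

import (
	"fmt"
	"sort"
)

type (
	Issue  struct{ Package, ID, Severity string } // one finding on a package: vulnerability, popularity, posture
	Graph  map[string][]string                    // package -> its dependencies; the app node's edges are its direct deps
	Advice struct {
		Direct string   // the dependency the user can actually change
		Issues []string // IDs of issues reachable through it, directly or transitively
		Risk   float64  // summed severity weight of those issues
	}
)

// severityWeight is an assumed scoring for this example, not vet's own.
var severityWeight = map[string]float64{"CRITICAL": 10, "HIGH": 7, "MEDIUM": 4, "LOW": 1}

// ApplyExceptions drops issues the user has marked as false positives.
func ApplyExceptions(issues []Issue, ignored map[string]bool) (kept []Issue) {
	for _, is := range issues {
		if !ignored[is.ID] {
			kept = append(kept, is)
		}
	}
	return kept
}

// reachable returns every package reachable from start (start included),
// treating the packages in skip as removed from the graph.
func reachable(g Graph, start string, skip map[string]bool) map[string]bool {
	seen := map[string]bool{}
	for stack := []string{start}; len(stack) > 0; {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[n] || skip[n] {
			continue
		}
		seen[n] = true
		stack = append(stack, g[n]...)
	}
	return seen
}

// Prioritize ranks the direct dependencies of root by the risk reachable through each and keeps
// the top N. An issue reachable through several direct dependencies counts towards each of them.
func Prioritize(g Graph, root string, issues []Issue, top int) []Advice {
	var out []Advice
	for _, direct := range g[root] {
		reach, a := reachable(g, direct, nil), Advice{Direct: direct}
		for _, is := range issues {
			if reach[is.Package] {
				a.Issues = append(a.Issues, is.ID)
				a.Risk += severityWeight[is.Severity]
			}
		}
		out = append(out, a)
	}
	sort.Slice(out, func(i, j int) bool { // highest risk first, name breaks ties
		return out[i].Risk > out[j].Risk || (out[i].Risk == out[j].Risk && out[i].Direct < out[j].Direct)
	})
	if top < len(out) {
		out = out[:top]
	}
	return out
}

// RiskMitigated is the risk that actually disappears once the direct dependencies in fixed are
// upgraded (modelled as removing them from the graph): issues no longer reachable from root.
func RiskMitigated(g Graph, root string, issues []Issue, fixed map[string]bool) float64 {
	before, after, mitigated := reachable(g, root, nil), reachable(g, root, fixed), 0.0
	for _, is := range issues {
		if before[is.Package] && !after[is.Package] {
			mitigated += severityWeight[is.Severity]
		}
	}
	return mitigated
}

// SampleData is a constructed dependency graph and issue list for this example.
func SampleData() (Graph, []Issue) {
	g := Graph{"app": {"web-framework", "http-client", "logger"}, "web-framework": {"template-engine", "http-client"},
		"http-client": {"url-parser"}, "template-engine": {"sanitizer"}}
	return g, []Issue{{"sanitizer", "ISSUE-1", "HIGH"}, {"url-parser", "ISSUE-2", "CRITICAL"},
		{"logger", "ISSUE-3", "LOW"}, {"template-engine", "ISSUE-4", "MEDIUM"}} // ISSUE-4 is the false positive
}

func main() {
	g, issues := SampleData()
	issues = ApplyExceptions(issues, map[string]bool{"ISSUE-4": true})
	for _, a := range Prioritize(g, "app", issues, 5) {
		fmt.Printf("upgrade %-14s score %2.0f issues %v\n", a.Direct, a.Risk, a.Issues)
	}
	// Only 7 of 18 go away with the top advice alone: ISSUE-2 is still reachable via http-client.
	fmt.Println("mitigated by top 1:", RiskMitigated(g, "app", issues, map[string]bool{"web-framework": true}))
	fmt.Println("mitigated by top 2:", RiskMitigated(g, "app", issues, map[string]bool{"web-framework": true, "http-client": true}))
}
```

On the constructed data the ranking scores web-framework at 17 and http-client at 10, but upgrading web-framework alone mitigates only 7 because the critical url-parser issue is still pulled in directly through http-client. Reporting the measured impact next to the score is what keeps the "top N" view from giving a false sense of security.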
