Dependabot/dependency graph - transitive dependencies #21630
-
Hi, I have a question about transitive dependencies. Are those displayed in Dependabot or the dependency graph? I can only see the first-level dependencies analysed but nothing else in a test project I have created – Dependencies · javixeneize/dependatest · GitHub. Thanks
Replies: 5 comments
-
javixeneize:
The dependency graph does not handle these types of dependencies.
-
That's what I feared. Then, this is not of much use for Java applications, isn't it?
-
We support dependency updates for repositories using Gradle as well, but we’re still working on overall dependency graph support. We do have an open internal issue requesting such functionality though; I’ve included your feedback there. I can’t make any guarantees on a release or timeframe, but keep an eye on our changelog for updates!
-
Ah right, if this is in the backlog and you are planning to fix it I’m happy with that 😉 Thanks!
-
Unfortunately github/roadmap#494 (comment) doesn't have any details, really - what makes a feature "under review by the product team", and what exempts a feature from that category? One of the biggest security problems in open source is that the vast majority of transitive CVEs are de facto false positives due to the code paths they're used with and/or the context (dev vs prod, etc) they're used in, and surfacing this graph information would be a really useful way to cut down on the noise.
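The thread establishes two things: the dependency graph did not show transitive dependencies for a Gradle project at the time, and the value of that information lies in the context a transitive dependency is used in (test-only versus shipped to production). As an added example, written for this discussion and not code from GitHub or from the javixeneize/dependatest project, the Python below parses the text tree that `gradle dependencies` prints, separates direct from transitive coordinates per configuration, and reports which transitive dependencies actually land on the runtime classpath. The sample tree is constructed; the configuration names `runtimeClasspath` and `testRuntimeClasspath` are the defaults Gradle's Java plugin creates. The Gradle annotations handled (`-> version`, `(*)`, `(c)`, `(n)`) are the ones that appear in real `gradle dependencies` output.

```python
"""Split a `gradle dependencies` tree into direct vs transitive coordinates
and flag which transitive dependencies reach the runtime classpath."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `gradle dependencies` output (not from the thread's repo).
# A 5-character unit ("|    " or "     ") per nesting level is Gradle's layout.
SAMPLE_GRADLE_OUTPUT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.google.guava:guava:31.1-jre
|    +--- com.google.guava:failureaccess:1.0.1
|    \\--- com.google.code.findbugs:jsr305:3.0.2
\\--- org.slf4j:slf4j-api:1.7.36

testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- com.google.guava:guava:31.1-jre
|    +--- com.google.guava:failureaccess:1.0.1
|    \\--- com.google.code.findbugs:jsr305:3.0.2
+--- org.slf4j:slf4j-api:1.7.30 -> 1.7.36
\\--- junit:junit:4.13.2
     \\--- org.hamcrest:hamcrest-core:1.3
"""

DEP_LINE = re.compile(r"^(?P<prefix>(?:[| ]    )*)[+\\]--- (?P<body>.+)$")
CONFIG_LINE = re.compile(r"^(?P<name>[A-Za-z]\w*)(?: - .*)?$")


@dataclass(frozen=True)
class Dependency:
    coordinate: str            # group:artifact:version after conflict resolution
    parent: Optional[str]      # None for a direct dependency, else the parent coordinate

    @property
    def direct(self) -> bool:
        return self.parent is None


def _resolve(body: str) -> str:
    """Normalise one tree entry to the coordinate that is actually on the classpath."""
    # Drop Gradle's trailing markers: (*) subtree already printed, (c) constraint, (n) not resolved.
    body = re.sub(r"\s+\([*cn]\)\s*$", "", body.strip())
    # "g:a:1.0 -> 1.2" means 1.0 was requested and 1.2 resolved; keep the resolved one.
    if " -> " in body:
        requested, resolved = body.split(" -> ", 1)
        if ":" in resolved:               # "-> g2:a2:v" is a whole-module replacement
            return resolved
        return ":".join(requested.split(":")[:2] + [resolved])
    return body


def parse_gradle_tree(text: str) -> dict[str, list[Dependency]]:
    """Return {configuration name: [Dependency, ...]} in tree order."""
    configs: dict[str, list[Dependency]] = {}
    current: Optional[str] = None
    stack: list[str] = []                 # ancestor coordinates, index == depth
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = DEP_LINE.match(line)
        if m and current is not None:
            depth = len(m.group("prefix")) // 5
            coord = _resolve(m.group("body"))
            del stack[depth:]             # pop siblings/descendants deeper than this node
            configs[current].append(Dependency(coord, stack[-1] if stack else None))
            stack.append(coord)
            continue
        c = CONFIG_LINE.match(line)       # e.g. "runtimeClasspath - Runtime classpath ..."
        if c:
            current = c.group("name")
            configs.setdefault(current, [])
            stack = []
    return configs


def classify(configs: dict[str, list[Dependency]]) -> dict[str, dict[str, set[str]]]:
    """Per configuration: coordinates declared directly vs pulled in only transitively."""
    out = {}
    for name, deps in configs.items():
        direct = {d.coordinate for d in deps if d.direct}
        transitive = {d.coordinate for d in deps if not d.direct} - direct
        out[name] = {"direct": direct, "transitive": transitive}
    return out


def runtime_exposure(configs: dict[str, list[Dependency]],
                     runtime_configs: tuple[str, ...] = ("runtimeClasspath",)) -> dict[str, dict]:
    """Map every coordinate to the configurations it appears in and whether any of them ships."""
    seen: dict[str, set[str]] = {}
    for name, deps in configs.items():
        for d in deps:
            seen.setdefault(d.coordinate, set()).add(name)
    return {coord: {"configs": cfgs, "ships": bool(cfgs & set(runtime_configs))}
            for coord, cfgs in seen.items()}


if __name__ == "__main__":
    parsed = parse_gradle_tree(SAMPLE_GRADLE_OUTPUT)
    for cfg, groups in classify(parsed).items():
        print(f"{cfg}: {len(groups['direct'])} direct, {len(groups['transitive'])} transitive")
    for coord, info in sorted(runtime_exposure(parsed).items()):
        print(f"  {'SHIPS ' if info['ships'] else 'test  '} {coord}")
```

Run it against the real output of `gradle dependencies` redirected to a file. A vulnerability advisory against a coordinate whose `ships` flag is false (hamcrest-core in the sample) is the test-scope case the last reply describes, which can be triaged with lower urgency than one that reaches `runtimeClasspath`.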