Dependabot and transitive dependencies
This is not really a bug but more "just to let you know" information about GitHub Dependabot.
I recently discovered (at least this is my understanding) that Dependabot does not create alerts for transitive dependencies for Maven projects.
It includes transitive dependencies only when some kind of lock file exists (e.g. yarn.lock for the JavaScript world).
Source: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/troubleshooting-the-detection-of-vulnerable-dependencies#do-dependabot-alerts-only-relate-to-insecure-dependencies-in-manifests-and-lockfiles
I think:
- the Eclipse Foundation hosts a lot of Java projects built on Maven,
- with Maven it is possible but not really common to explicitly add all your dependencies (even the transitive ones) in your pom.xml.
I decided to report that just in case you're not aware of it, AND in case some action could be taken to improve the situation.
Note that:
It seems that GitHub is aware of the "issue" and is working on a solution (https://github.com/github/roadmap/issues/796).
Meanwhile, an alternative could be to create a GitHub Action using something like: https://github.com/marketplace/actions/maven-dependency-tree-dependency-submission
Maybe this is more a question for the security team? @mbarbero
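As an added example (not part of the post and not an Eclipse project's own workflow), a minimal workflow that wires the linked marketplace action in so the resolved Maven tree, transitive artifacts included, lands in the repository's dependency graph where Dependabot can alert on it. The action slug `advanced-security/maven-dependency-submission-action`, its version tag and the `directory` input are assumptions about that action; `contents: write` is the permission dependency-graph submission needs.

```yaml
# .github/workflows/maven-dependency-submission.yml (constructed example)
name: Maven dependency submission

on:
  push:
    branches: [main]
  workflow_dispatch:

# Submitting a dependency snapshot writes to the repository's dependency graph.
permissions:
  contents: write

jobs:
  submit-dependency-tree:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
          cache: maven

      # Resolves the project with Maven and submits every direct AND transitive
      # artifact, which is what a plain pom.xml scan by Dependabot does not cover.
      - name: Submit Maven dependency snapshot
        uses: advanced-security/maven-dependency-submission-action@v4   # assumed slug/version
        with:
          directory: .   # assumed input: directory holding the root pom.xml
```

After the first successful run, the repository's Insights > Dependency graph page should list transitive artifacts, and Dependabot alerts start matching advisories against them.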