Skip to main content
  • Semgrep Supply Chain
  • Team & Enterprise Tier

Triaging and remediating dependency findings

note

Semgrep Supply Chain is available for users that have a Semgrep Supply Chain Team License. Contact sales@r2c.dev for more information.

Perform triage and remediation on your open source dependencies through the Supply chain page. This page displays relevant scan data through three tabs:

Overview
This tab displays the most recently discovered reachable vulnerabilities, advisories, and charts presenting historical data of vulnerabilities discovered in all repositories for which Semgrep Supply Chain is enabled. The badge is your total count of reachable vulnerabilities.
Vulnerabilities
This tab enables you to:
  • Filter findings.
  • View reachable vulnerabilities in your repositories through links to specific lines of code.
  • Track the process of resolving findings by adding links to Jira issues and pull requests.
  • Remediate findings by providing versions to upgrade to.
Advisories
This tab displays the latest Common Vulnerabilities and Exposures (CVEs) that are covered by Semgrep Supply Chain rules. Use this tab to see the CVEs that Semgrep Supply Chain can detect.

Semgrep Supply Chain Vulnerabilities page Figure 1. Semgrep Supply Chain Vulnerabilities page.

Assessing and triaging dependency findings and usagesโ€‹

Prerequisite

At least one repository that scans for dependencies through Semgrep Supply Chain. See Scanning open source dependencies.

To view the latest findings of Semgrep Supply Chain:

  1. The latest findings are visible in Supply Chain > Overview. Clicking Vulnerabilities displays all findings for triage.

Findings are grouped by vulnerability. A specific finding in the code is called a usage. Usages are grouped under their respective vulnerabilities. Vulnerability entries are sorted as cards from newest to oldest then by severity from critical to low.

A single vulnerability entry in Semgrep Supply Chain

Figure 2. A single vulnerability entry in Semgrep Supply Chain.

Semgrep Supply Chain assists in your organization's threat assessment and triage through this page. Within the Vulnerabilities tab, you can determine reachable, true positives and the necessary effort to fix or resolve findings. After assessment, Semgrep Supply Chain assists users to decide between two triage actions:

  • Ignore the vulnerabilities. Vulnerabilities that are ignored are false positives, acceptable risks, or deprioritized findings due to some factor, such as time.
  • Remediate or resolve the vulnerability. These vulnerabilities are true positives that are prioritized due to factors such as reachability and severity. Possible remediation solutions include updating the dependency or removing the dependency and refactoring the code.

To assess your findings, Semgrep Supply Chain provides the following methods:

Assessment actionMethod
View specific pattern matches in your codebase.Click links provided under Reachable via N usages within the vulnerability's entry.
View specific CVE entries in cve.org.Click the vulnerability's CVE badge.
View safe versions to upgrade your dependencies.Visible on the vulnerability entry.
Filter vulnerabilities.Click any of the filters available. Refer to the following table for filtering information.

The following filters are provided:

FilterDescription
ExposureFilters are based on the reachability of a vulnerability. Reachable findings are displayed by default.
SeverityFilters are based on the severity of a vulnerability. Semgrep Supply Chain rules use severity values set by the GitHub Advisory Database.
StatusFilters are based on the status of a vulnerability.

The following status filters are provided:

Status filterDescription
NewVulnerabilities that have not undertaken triage or remediation action.
In progressVulnerabilities with an attached Jira issue tracker or pull or merge request link.
FixedVulnerabilities that are no longer detected after a scan. This typically means that the dependency containing the vulnerability has been updated. Semgrep Supply Chain automatically checks if the dependency has been updated and sets the vulnerability's status as Fixed.
IgnoredVulnerabilities that have been triaged as ignored by the user. Semgrep Supply Chain provides the following options for developers to select:
  • False positive
  • Acceptable risk
  • No time to fix

Remediating true positivesโ€‹

Remediate (or resolve) true positives in Semgrep Supply Chain through the following methods:

  • Update the dependency to a safe version that does not contain the vulnerability.
  • Remove the dependency and refactor all usages in the codebase.

Updating the dependencyโ€‹

Semgrep Supply Chain provides a snippet you can copy to update the dependency. Click on the Upgrade button to view and copy the snippet. When the pull or merge request is merged into the codebase, Semgrep Supply Chain detects that the finding is no longer present and updates the vulnerability's status to Fixed.

Removing the dependency and refactoring codeโ€‹

Another method to remediate vulnerabilities is to remove the dependency entirely and refactor code. Upon merging any dependency removals, Semgrep Supply Chain scans the PR or MR, detects the changes in your lockfile, and updates the status to Fixed.

Tracking the remediation processโ€‹

Semgrep Supply Chain enables you to track the progress of your remediation by providing fields for the following:

  • Jira issue tracker. This is the card icon seen in the vulnerability's entry.
  • Pull or merge request (PR or MR) link. This is the merge icon seen in the vulnerability's entry.

Copy the PR or MR link or Jira issue link to the corresponding field. This changes the vulnerability's status to In progress.

Ignoring vulnerabilitiesโ€‹

To ignore a vulnerability:

  1. Optional: Filter vulnerabilities to apply criteria for a group of findings to ignore.
  2. Click on the vulnerability's Ignore button. A drop-down menu appears.
  3. Click the reason for ignoring.

Additional data pointsโ€‹

Viewing historical scan dataโ€‹

The Overview tab displays two charts to assist you in understanding historical scan data:

Inbox size over time
This is the number of reachable vulnerabilities across all repositories that run Semgrep Supply Chain scans. The Y-axis goes down as triage actions are undertaken.
New findings over time
This is the number of reachable and unreachable vulnerabilities over time across all repositories that run Semgrep Supply Chain scans. The chart generates a new bar every time a scan runs.

Viewing the latest advisoriesโ€‹

The Advisories tab displays the newest CVEs that Semgrep Supply Chain can detect. Click the individual entry to see the code pattern that the Advisory detects.


Find what you needed in this doc? Join the Slack group to ask the maintainers and the community if you need help.