Triage and remediate dependency findings

Perform triage and remediation on your open source dependencies through the Supply Chain page. This page displays relevant scan data through three tabs:

Vulnerabilities

This tab enables you to:

• View reachable vulnerabilities in your repositories through links to specific lines of code.
• Filter vulnerabilities by severity, reachability, status, transitivity, and other attributes.
• Understand how to remediate vulnerabilities by providing versions to upgrade to.
• Track the process of resolving vulnerabilities by adding links to Jira issues and pull requests.

Advisories

This tab displays the latest Common Vulnerabilities and Exposures (CVEs) that are covered by Semgrep Supply Chain rules. Use this tab to see the CVEs that Semgrep Supply Chain can detect.

Dependencies

This tab displays information about all of your dependencies across all onboarded repositories.

Figure 1. Semgrep Supply Chain Vulnerabilities page.

Assess and triage dependency findings and usages

Prerequisite

At least one repository that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.

To view the latest Semgrep Supply Chain findings, click Supply Chain. You can view findings individually or grouped by the rule that identified the finding. A specific finding in the code is called a usage. Vulnerability entries are sorted as cards by severity from critical to low, then from oldest to newest.

Figure 2. A single vulnerability entry in Semgrep Supply Chain.

You can also view the findings individually by clicking on the drop-down box on the header and clicking No grouping.

Assessment actions

To assess your findings, Semgrep Supply Chain provides the following methods:

Assessment action	Method
View specific pattern matches in your codebase.	Click the link provided in the vulnerability entry to see where the issue appears in the source code.
View specific CVE entries in cve.org.	Click the vulnerability's CVE badge.
View safe versions to upgrade your dependencies.	Visible on the vulnerability entry.
Filter vulnerabilities.	Click any of the filters available. Refer to the following table for filtering information.

Filters

Use filters to narrow down your results. The following criteria are available for filtering:

Filter	Description
Projects	Filter by repositories connected to your Semgrep account.
Branch	Filter by findings in different Git branches.
Teams	Filter for findings in projects to which the specified teams are associated with. Available only to organizations with Teams enabled.
Tags	Filter for findings based on the tags associated with the project.
Status	Filter the triage state of a finding: Open: Findings for which there have been no triage or remediation action. Reviewing: Findings that require more investigation to determine what the next steps should be. Fixing: Findings for which you have decided to fix. Commonly used to indicate that these findings are tracked in Jira or assigned to developers for further work. Fixed: Vulnerabilities that are no longer detected after a scan. This typically means that the dependency containing the vulnerability has been updated. Semgrep Supply Chain automatically checks if the dependency has been updated and sets the vulnerability's status as Fixed. Ignored: Vulnerabilities that have been triaged as Ignored by the user.
Severity	Filter by the severity of a finding. Filters are based on the severity of a vulnerability. Semgrep Supply Chain rules use severity values set by the GitHub Advisory Database.
Transitivity	Filter by the transitivity of the finding. Direct: Your project depends directly on the dependency. Transitive: Your project's dependency depends on a vulnerable dependency. Undetermined: Semgrep had no transitivity information for the dependency as it relates to your project.
Reachability	Filter by exposure, or whether the finding is reachable or not. Reachable: A finding is reachable if there's a code pattern in the codebase that matches the vulnerability definition Always reachable: A finding is always reachable if it's something Semgrep recommends fixing, regardless of what's in the code. Conditionally reachable: A finding is conditionally reachable if Semgrep finds a way to reach it when scanning your code when certain conditions are met. Unreachable: A finding is unreachable if you don't use the vulnerable piece of code of the imported library or package. Undetermined: A finding is undetermined if Semgrep Supply Chain determines that you use a vulnerable version of a dependency, but it doesn't have a relevant reachability rule.
Dependency	Filter for findings based on the name of the dependency involved.
CVE	Filter based on the CVE assigned to the finding type.

Remediate true positives

Remediate (or resolve) true positives in Semgrep Supply Chain through the following methods:

• Update the dependency to a safe version that does not contain the vulnerability.
• Remove the dependency and refactor all usages in the codebase.

Remove the dependency and refactoring code

Another method to remediate vulnerabilities is to remove the dependency entirely and refactor code. Upon merging any dependency removals, Semgrep Supply Chain scans the PR or MR, detects the changes in your lockfile, and updates the status to Fixed.

Ignore findings

The Vulnerabilities tab allows you to identify the reachable, true positives so that you can fix or resolve the related issues. However, you can choose to ignore any false positives, acceptable risks, or deprioritized findings due to some factor. To do this:

1. Select one or more findings.
2. Click Triage.
3. Select Ignore and click Continue.
4. Select an Ignore reason, provide a optional comment, and click Ignore.

View Semgrep Supply Chain's total CVE coverage

The Advisories tab displays all the CVEs that Semgrep Supply Chain can detect. Click the individual entry to see the code pattern that the Advisory detects. The Advisories tab displays both lockfile-only and reachability rules.

info

Semgrep ingests CVE information and security advisories from sources such as Reviewed GitHub Security Advisories to ensure effective rule coverage. Semgrep processes new information at least once per day to:

• Generate rules for new security advisories;
• Update rules based on changes to existing security advisories.