- Semgrep Supply Chain
- Team & Enterprise Tier
Triaging and remediating dependency findings
Semgrep Supply Chain is available for users that have a Semgrep Supply Chain Team License. Contact firstname.lastname@example.org for more information.
Perform triage and remediation on your open source dependencies through the Supply chain page. This page displays relevant scan data through three tabs:
- This tab displays the most recently discovered reachable vulnerabilities, advisories, and charts presenting historical data of vulnerabilities discovered in all repositories for which Semgrep Supply Chain is enabled. The badge is your total count of reachable vulnerabilities.
- This tab enables you to:
- Filter findings.
- View reachable vulnerabilities in your repositories through links to specific lines of code.
- Track the process of resolving findings by adding links to Jira issues and pull requests.
- Remediate findings by providing versions to upgrade to.
- This tab displays the latest Common Vulnerabilities and Exposures (CVEs) that are covered by Semgrep Supply Chain rules. Use this tab to see the CVEs that Semgrep Supply Chain can detect.
Figure 1. Semgrep Supply Chain Vulnerabilities page.
Assessing and triaging dependency findings and usages
At least one repository that scans for dependencies through Semgrep Supply Chain. See Getting started with Semgrep Supply Chain.
To view the latest findings of Semgrep Supply Chain:
- The latest findings are visible in Supply Chain > Overview. Clicking Vulnerabilities displays all findings for triage.
Findings are grouped by vulnerability. A specific finding in the code is called a usage. Usages are grouped under their respective vulnerabilities. Vulnerability entries are sorted as cards from newest to oldest then by severity from critical to low.
Figure 2. A single vulnerability entry in Semgrep Supply Chain.
Semgrep Supply Chain assists in your organization's threat assessment and triage through this page. Within the Vulnerabilities tab, you can determine reachable, true positives and the necessary effort to fix or resolve findings. After assessment, Semgrep Supply Chain assists users to decide between two triage actions:
- Ignore the vulnerabilities. Vulnerabilities that are ignored are false positives, acceptable risks, or deprioritized findings due to some factor, such as time.
- Remediate or resolve the vulnerability. These vulnerabilities are true positives that are prioritized due to factors such as reachability and severity. Possible remediation solutions include updating the dependency or removing the dependency and refactoring the code.
To assess your findings, Semgrep Supply Chain provides the following methods:
|View specific pattern matches in your codebase.||Click links provided under Reachable via N usages within the vulnerability's entry.|
|View specific CVE entries in cve.org.||Click the vulnerability's CVE badge.|
|View safe versions to upgrade your dependencies.||Visible on the vulnerability entry.|
|Filter vulnerabilities.||Click any of the filters available. Refer to the following table for filtering information.|
The following filters are provided:
|Exposure||Filters are based on the reachability of a vulnerability. The Reachable filter is selected by default.|
|Severity||Filters are based on the severity of a vulnerability. Semgrep Supply Chain rules use severity values set by the GitHub Advisory Database. All severities are selected by default.|
|Status||Filters are based on the status of a vulnerability. The New filter is selected by default.|
|Transitivity||Filters are based on the transitivity of a vulnerability. All transitivities are selected by default.|
The following status filters are provided:
|New||Vulnerabilities that have not undertaken triage or remediation action.|
|In progress||Vulnerabilities with an attached Jira issue tracker or pull or merge request link.|
|Fixed||Vulnerabilities that are no longer detected after a scan. This typically means that the dependency containing the vulnerability has been updated. Semgrep Supply Chain automatically checks if the dependency has been updated and sets the vulnerability's status as Fixed.|
|Ignored||Vulnerabilities that have been triaged as ignored by the user. Semgrep Supply Chain provides the following options for developers to select:|
Remediating true positives
Remediate (or resolve) true positives in Semgrep Supply Chain through the following methods:
- Update the dependency to a safe version that does not contain the vulnerability.
- Remove the dependency and refactor all usages in the codebase.
Updating the dependency
Semgrep Supply Chain provides a snippet you can copy to update the dependency. Click on the Upgrade button to view and copy the snippet. When the pull or merge request is merged into the codebase, Semgrep Supply Chain detects that the finding is no longer present and updates the vulnerability's status to Fixed.
Removing the dependency and refactoring code
Another method to remediate vulnerabilities is to remove the dependency entirely and refactor code. Upon merging any dependency removals, Semgrep Supply Chain scans the PR or MR, detects the changes in your lockfile, and updates the status to Fixed.
Tracking the remediation process
Semgrep Supply Chain enables you to track the progress of your remediation by providing fields for the following:
- Jira issue tracker. This is the card icon seen in the vulnerability's entry.
- Pull or merge request (PR or MR) link. This is the merge icon seen in the vulnerability's entry.
Copy the PR or MR link or Jira issue link to the corresponding field. This changes the vulnerability's status to In progress.
To ignore a vulnerability:
- Optional: Filter vulnerabilities to apply criteria for a group of findings to ignore.
- Click on the vulnerability's Ignore button. A drop-down menu appears.
- Click the reason for ignoring.
Additional data points
Viewing historical scan data
The Overview tab displays two charts to assist you in understanding historical scan data:
- Inbox size over time
- This is the number of reachable vulnerabilities across all repositories that run Semgrep Supply Chain scans. The Y-axis goes down as triage actions are undertaken.
- New findings over time
- This is the number of reachable and unreachable vulnerabilities over time across all repositories that run Semgrep Supply Chain scans. The chart generates a new bar every time a scan runs.
Viewing the latest advisories
The Advisories tab displays the newest CVEs that Semgrep Supply Chain can detect. Click the individual entry to see the code pattern that the Advisory detects.
Find what you needed in this doc? Join the Semgrep Community Slack group to ask the maintainers and the community if you need help.