- Semgrep Supply Chain
- Team & Enterprise Tier
Triaging and remediating dependency findings
Perform triage and remediation on your open source dependencies through the Supply chain page. This page displays relevant scan data through three tabs:
- Vulnerabilities
- This tab enables you to:
- View reachable vulnerabilities in your repositories through links to specific lines of code.
- Filter vulnerabilities by severity, reachability, status, transitivity, and other attributes.
- Understand how to remediate vulnerabilities by providing versions to upgrade to.
- Track the process of resolving vulnerabilities by adding links to Jira issues and pull requests.
- Advisories
- This tab displays the latest Common Vulnerabilities and Exposures (CVEs) that are covered by Semgrep Supply Chain rules. Use this tab to see the CVEs that Semgrep Supply Chain can detect.
- Dependencies
- This tab displays information about all of your dependencies across all onboarded repositories.
Figure 1. Semgrep Supply Chain Vulnerabilities page.
Assessing and triaging dependency findings and usages
At least one repository that scans for dependencies through Semgrep Supply Chain. See Getting started with Semgrep Supply Chain.
To view the latest findings of Semgrep Supply Chain, click Supply Chain.
Findings are displayed under their respective repositories. Findings are grouped by vulnerability. A specific finding in the code is called a usage. Vulnerability entries are sorted as cards from newest to oldest then by severity from critical to low.
Figure 2. A single vulnerability entry in Semgrep Supply Chain.
Within the Vulnerabilities tab, you can determine reachable, true positives and the necessary effort to fix or resolve findings. After assessment, Semgrep Supply Chain assists users to decide between two triage actions:
- Ignore the vulnerabilities. Vulnerabilities that are ignored are false positives, acceptable risks, or deprioritized findings due to some factor, such as time.
- Remediate or resolve the vulnerability. These vulnerabilities are true positives that are prioritized due to factors such as reachability and severity.
Assessment actions
To assess your findings, Semgrep Supply Chain provides the following methods:
| Assessment action | Method |
|---|---|
| View specific pattern matches in your codebase. | Click links provided under Reachable via N usages within the vulnerability's entry. |
| View specific CVE entries in cve.org. | Click the vulnerability's CVE badge. |
| View safe versions to upgrade your dependencies. | Visible on the vulnerability entry. |
| Filter vulnerabilities. | Click any of the filters available. Refer to the following table for filtering information. |
Filters
The following filters are provided:
| Filter | Description |
|---|---|
| Exposure | Filters are based on the reachability of a vulnerability. The Reachable filter is selected by default. |
| Severity | Filters are based on the severity of a vulnerability. Semgrep Supply Chain rules use severity values set by the GitHub Advisory Database. All severities are selected by default. |
| Status | Filters are based on the status of a vulnerability. The New filter is selected by default. |
| Transitivity | Filters are based on the transitivity of a vulnerability. All transitivities are selected by default. |
Exposure filters
The following exposure filters are provided:
| Exposure filter | Description |
|---|---|
| Reachable | Semgrep detected that there is a usage of the vulnerability from the dependency in your codebase. Some vulnerabilities are considered always reachable because they can be exploited regardless of their usage in your codebase. Others may require manual review and provide criteria to evaluate, such as whether the server running the vulnerable code is internet-accessible. |
| Unreachable | Semgrep determined that there is no usage of the vulnerability from the dependency in your codebase. |
| Undetermined | Semgrep does not scan for the reachability of this vulnerability. |
Status filters
The following status filters are provided:
| Status filter | Description |
|---|---|
| New | Vulnerabilities that have not undertaken triage or remediation action. |
| Fixed | Vulnerabilities that are no longer detected after a scan. This typically means that the dependency containing the vulnerability has been updated. Semgrep Supply Chain automatically checks if the dependency has been updated and sets the vulnerability's status as Fixed. |
| Ignored | Vulnerabilities that have been triaged as ignored by the user. Semgrep Supply Chain provides the following options for developers to select:
|
Remediating true positives
Remediate (or resolve) true positives in Semgrep Supply Chain through the following methods:
- Update the dependency to a safe version that does not contain the vulnerability.
- Remove the dependency and refactor all usages in the codebase.
Updating the dependency
Semgrep Supply Chain provides a snippet you can copy to update the dependency. Click on the Upgrade button to view and copy the snippet. When the pull or merge request is merged into the codebase, Semgrep Supply Chain detects that the finding is no longer present and updates the vulnerability's status to Fixed.
Removing the dependency and refactoring code
Another method to remediate vulnerabilities is to remove the dependency entirely and refactor code. Upon merging any dependency removals, Semgrep Supply Chain scans the PR or MR, detects the changes in your lockfile, and updates the status to Fixed.
Ignoring vulnerabilities
To ignore a vulnerability:
- Optional: Filter vulnerabilities to apply criteria for a group of findings to ignore.
- Click on the vulnerability's Ignore button. A drop-down menu appears.
- Click the reason for ignoring.
Viewing Semgrep Supply Chain's total CVE coverage
The Advisories tab displays all the CVEs that Semgrep Supply Chain can detect. Click the individual entry to see the code pattern that the Advisory detects. The Advisories tab displays both lockfile-only and reachability rules.
- Semgrep ingests CVEs and security advisories from sources such as GitHub Security Advisory to ensure effective rule coverage.
- Semgrep, Inc. processes new CVEs and security advisories at least daily to perform the following:
- Generation of new rules for new security advisories.
- Updating of rules based on changes to prior security advisories.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.