Tracking: MVP - Lockfile-indexing-based dependency search
Created by: malomarrec
Context
We're iterating on a dependency graph workflow to help security engineering and development teams triage and remediate vulnerabilities faster. See the problem we want to solve in (PD 35 WIP - Dependency Graph for code security).
MVP
In the MVP, we want to let users navigate the dependency graph of their code in an iterative manner. Instead of just showing a flat list of dependencies/dependents for repo A, you can:
- see the list of direct dependencies/dependents of repo A
- see the list of transitive dependencies/dependents of repo A at depth n. Exact syntax TBD, e.g. dependencies:(sourcegraph depth=3).
- easily navigate along the repo A -> repo B -> repo C dependency/dependents path
- search for code predicates inside any of those scopes
This partially answers: "how is my code affected by the dependency on repo A? What are the optimal resolution steps?". It's a first step towards our goal to answer questions such as:
Does my repo depend directly on X? If not, what dependencies of my repo bring X into scope?
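As an added illustration (not code from this tracking issue or from Sourcegraph), the depth-n query and the "which direct dependency brings X into scope" question can both be answered by walking the graph a lockfile already encodes. The package-lock.json below, its package names and versions are all constructed for the example; the repo itself is the lockfile's root entry.

```python
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 2 "packages" shape) for a
# hypothetical repo; the package names and versions are made up for the example.
LOCKFILE = json.dumps({"lockfileVersion": 2, "packages": {
    "": {"dependencies": {"web-framework": "1.0.0", "cli-tool": "2.0.0"}},
    "node_modules/web-framework": {"version": "1.0.0", "dependencies": {"http-util": "3.1.0"}},
    "node_modules/cli-tool": {"version": "2.0.0",
                              "dependencies": {"http-util": "3.1.0", "log-lib": "0.5.0"}},
    "node_modules/http-util": {"version": "3.1.0", "dependencies": {"vuln-parser": "1.2.3"}},
    "node_modules/log-lib": {"version": "0.5.0"},
    "node_modules/vuln-parser": {"version": "1.2.3"},
}})
ROOT = ""  # lockfileVersion 2 keys the root package by the empty path

def build_graph(lockfile_text):
    """Map each package name to the set of names it directly depends on."""
    graph = {}
    for path, entry in json.loads(lockfile_text)["packages"].items():
        name = ROOT if path == ROOT else path.rsplit("node_modules/", 1)[-1]
        graph[name] = set(entry.get("dependencies", {}))
    return graph

def dependencies_at_depth(graph, start, depth):
    """Dependencies reachable within `depth` hops (depth=1 is the direct list)."""
    seen, frontier = set(), {start}
    for _ in range(depth):
        frontier = {d for n in frontier for d in graph.get(n, ())} - seen - {start}
        seen |= frontier
    return seen

def paths_to(graph, start, target):
    """Every start -> ... -> target path; path[1] is the direct dependency to blame."""
    found, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        for dep in sorted(graph.get(path[-1], ())):
            if dep in path:
                continue  # lockfiles can contain cycles; never revisit a node on the path
            (found if dep == target else queue).append(path + [dep])
    return found

def explain_dependency(graph, target):
    """Answers: do we depend on `target` directly, and which direct deps bring it in?"""
    direct = target in graph[ROOT]
    culprits = sorted({p[1] for p in paths_to(graph, ROOT, target)})
    return direct, culprits
```

The same traversal run in the dependents direction (edges reversed) answers the "who is affected by repo A" half of the question.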
In the MVP, we will focus on JavaScript, Go, Python (in that order), and Java/Maven, because we can use lockfiles and already have a lot of building blocks ready. We want to move to Java/Gradle next, using precise code intel data, because that's what's most valuable to customers.
UI is ultimately TBD; for illustration:
Design discussions are happening in this RFC.
Plan
@unassigned
- https://github.com/sourcegraph/sourcegraph/issues/37010 🏳️ Code security MVP
- https://github.com/sourcegraph/sourcegraph/issues/37011 🏳️ Code security MVP
@malomarrec
- https://github.com/sourcegraph/sourcegraph/issues/37007 🏳️ Code security MVP
- https://github.com/sourcegraph/sourcegraph/issues/37009 🏳️ Code security MVP
@mrnugget
@quinnkeast