In a recent update, the Oligo Application Defense Platform introduced the ability to distinguish between "direct" and "indirect" dependencies.
Terminology
- Direct Dependencies: These are the dependencies your project imports directly. When a vulnerability is identified in a direct dependency, it can be directly remediated.
- Indirect (Transitive) Dependencies: These are dependencies that are imported by your direct dependencies. They can only be fixed by fixing the parent dependency. Tracking the root cause of transitive vulnerabilities has been challenging for many dev teams.
Root Dependency Identification
Vulnerable transitive dependencies are not only identified, but traced back to the root dependency that was directly imported and pulls them in. With context on where your vulnerable indirect dependencies originate, security teams can pinpoint and address the source of the issue more efficiently.
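To make the tracing concrete, here is an added Python example (not Oligo's code, and not how the platform is implemented) that walks a resolved dependency graph and reports, for a given vulnerable package, whether it is a direct or indirect dependency and which directly imported root dependencies pull it in. The graph, the package names and the project name "web-app" are all constructed for illustration; in practice the graph would come from a lockfile or from runtime observation. The walk guards against dependency cycles, which real graphs do contain.

```python
# Constructed sample dependency graph: package -> packages it requires,
# in the shape a resolved lockfile produces. All names are placeholders.
GRAPH = {
    "web-app": ["framework", "http-client", "logger"],  # the project itself
    "framework": ["template-engine", "logger"],
    "http-client": ["url-parser"],
    "template-engine": ["escape-lib"],
    "url-parser": ["escape-lib"],
    "logger": ["fmt-lib"],
    "fmt-lib": ["logger"],  # deliberate cycle: the walk must not loop forever
    "escape-lib": [],
}


def direct_dependencies(graph, project):
    """Packages the project imports directly (its own manifest entries)."""
    return set(graph.get(project, []))


def paths_to(graph, project, target):
    """Every acyclic path from the project down to the target package."""
    results = []

    def dfs(node, path):
        if node == target:
            results.append(path)
            return
        for dep in graph.get(node, []):
            if dep in path:  # already on this path: cycle, skip it
                continue
            dfs(dep, path + [dep])

    dfs(project, [project])
    return results


def classify(graph, project, vulnerable):
    """Report how a vulnerable package reaches the project.

    kind is "direct" when the project imports it itself, "indirect" when it
    only arrives through other packages, and "unused" when no path exists.
    root_dependencies lists the directly imported packages that pull it in;
    those are the ones whose maintainers must update before the transitive
    fix can land. A package can be both direct and pulled in transitively,
    so roots may still be non-empty for a direct dependency.
    """
    direct = direct_dependencies(graph, project)
    paths = paths_to(graph, project, vulnerable)
    roots = sorted({p[1] for p in paths if len(p) > 1})
    if vulnerable in direct:
        kind = "direct"
    elif paths:
        kind = "indirect"
    else:
        kind = "unused"
    return {
        "package": vulnerable,
        "kind": kind,
        "root_dependencies": roots,
        "paths": [" -> ".join(p[1:]) for p in paths],
    }


if __name__ == "__main__":
    for pkg in ("escape-lib", "logger", "not-installed"):
        print(classify(GRAPH, "web-app", pkg))
```

Running it shows "escape-lib" as indirect, reachable through both "framework" and "http-client", so a fix would need both of those maintainers to move to a patched "escape-lib"; "logger" is direct but is also pinned by "framework", which is the case where bumping your own manifest entry alone may not be enough.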
Why Does It Matter?
The biggest reason it matters to distinguish between vulnerable direct and indirect dependencies is that remediation looks different. While a direct dependency may be relatively easy to remediate, an indirect dependency requires the maintainer of the root dependency to update the vulnerable dependency themselves.
What’s really unique about Oligo’s capabilities is that we actually do all of this discovery of direct/transitive dependencies without needing access to the source code. That means you can see vulnerabilities, and whether they’re from a direct or indirect dependency, in your third-party applications from vendors, not just your own first-party applications.
Having this context can help teams know what can be fixed by in-house teams, and what will require the cooperation of a library maintainer from “outside the building.”
More On the Horizon—And We’re Just Getting Started
We developed this feature in response to customer requests—and we’re always listening for ways to remove friction for security and engineering teams. If you’ve got a great idea, give us a shout.
In the near future, we’ll be adding capabilities for giving fix suggestions for the parent dependency of indirect vulnerabilities (in order to remediate the vulnerability contained in the transitive dependency), making it easier than ever to find and fix real risks in every application you build, buy, or use.
For something a little further down the road, here’s a thought experiment about transitive dependencies: What if you could fix security issues in an indirect dependency…directly? Imagine being able to mitigate risk contained in your transitive dependencies even before they’re patched—or even before a patch is available.
Sound impossible? It’s not. And it’s coming.