Current Behavior
CVE-2024-52046, a vulnerability in Apache Mina, was published with a CVSS score of 10.0.
It's used in many projects, for example Keycloak.
What does work after uploading an SBOM to DT:
The vulnerability shows up in the project findings, including the GHSA-76h9-2vwh-w278 alias.
I can locate the Apache Mina dependency in the dependency graph.
The graph, however, is so big and Mina is used in so many places that it is impossible to get a practical overview of where it is used and which "direct" dependencies I should update, or to assess which functionality of Mina is used in order to judge whether that functionality might be affected by the CVE or not.
Even though I might just wait for a Keycloak (or Red Hat Build of Keycloak) release, there will be more examples where the current feature set in DT is not practical.
Proposed Behavior
Provide a summary of which "paths" in the dependency tree are affected.
This could be done by making the path from the vulnerable component to the root of the tree not green.
(I vaguely remember someone mentioning this or even building this in the past?)
Alternatively there could be a new tab / page / view where DT just lists the vulnerable paths.
This might be easier to read / export compared to the graph, which can be huge.
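The "list of vulnerable paths" asked for above can be computed directly from the SBOM's CycloneDX `dependencies` section: walk from the root component (`metadata.component`) down the `dependsOn` edges and keep every path that ends at the affected component. The script below is an added illustration of that computation, written for this page; it is not Dependency-Track code and does not use its API. The SBOM is constructed inline with placeholder bom-refs (`app`, `lib-a` ... `lib-e`, `mina-core` as a stand-in for the affected component); only the CVE identifier comes from the report above, and the `vulnerabilities` entry tying it to `mina-core` is part of the constructed sample, not a statement about any real Keycloak SBOM. It also handles a dependency cycle (`lib-c` <-> `lib-d`), which real SBOMs occasionally contain and which would otherwise make the walk loop forever.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style sample SBOM for this example (not a real Keycloak SBOM).
# bom-refs are placeholders; "mina-core" stands in for the affected component.
# Two paths reach mina-core (via lib-a -> lib-e and via lib-b); lib-c/lib-d form a cycle.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app"}},
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a"},
        {"bom-ref": "lib-b", "name": "lib-b"},
        {"bom-ref": "lib-c", "name": "lib-c"},
        {"bom-ref": "lib-d", "name": "lib-d"},
        {"bom-ref": "lib-e", "name": "lib-e"},
        {"bom-ref": "mina-core", "name": "mina-core"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b", "lib-c"]},
        {"ref": "lib-a", "dependsOn": ["lib-e"]},
        {"ref": "lib-b", "dependsOn": ["mina-core"]},
        {"ref": "lib-c", "dependsOn": ["lib-d"]},
        {"ref": "lib-d", "dependsOn": ["lib-c"]},   # cycle, deliberately
        {"ref": "lib-e", "dependsOn": ["mina-core"]},
        {"ref": "mina-core", "dependsOn": []},
    ],
    # Constructed VEX-style block: ties the CVE to the placeholder component.
    "vulnerabilities": [
        {"id": "CVE-2024-52046", "affects": [{"ref": "mina-core"}]},
    ],
})


def load_graph(sbom_json):
    """Return (root bom-ref, adjacency dict) from a CycloneDX JSON document."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = defaultdict(list)
    for dep in sbom.get("dependencies", []):
        edges[dep["ref"]].extend(dep.get("dependsOn", []))
    return root, edges


def vulnerable_paths(root, edges, target):
    """All simple paths root -> ... -> target. Nodes already on the current
    path are skipped, so dependency cycles cannot cause infinite recursion."""
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(list(path))
            return
        for child in edges.get(node, []):
            if child in path:          # cycle: do not revisit
                continue
            path.append(child)
            dfs(child, path)
            path.pop()

    dfs(root, [root])
    return paths


def summarize(paths):
    """Condense paths into what an operator acts on: the direct dependencies
    (second hop from the root) that must be updated to drop the component."""
    direct = sorted({p[1] for p in paths if len(p) > 1})
    return {
        "path_count": len(paths),
        "direct_dependencies_to_update": direct,
        "paths": [" -> ".join(p) for p in paths],
    }


def affected_paths_report(sbom_json):
    """Per vulnerability id in the SBOM's `vulnerabilities` block, the path summary."""
    sbom = json.loads(sbom_json)
    root, edges = load_graph(sbom_json)
    report = {}
    for vuln in sbom.get("vulnerabilities", []):
        paths = []
        for affected in vuln.get("affects", []):
            paths.extend(vulnerable_paths(root, edges, affected["ref"]))
        report[vuln["id"]] = summarize(paths)
    return report


if __name__ == "__main__":
    print(json.dumps(affected_paths_report(SAMPLE_SBOM), indent=2))
```

On the constructed sample this reports two paths for CVE-2024-52046 and names `lib-a` and `lib-b` as the direct dependencies to bump, while the `lib-c`/`lib-d` cycle is walked once and ignored. Against a real Keycloak SBOM the same walk produces the flat, exportable list the issue proposes, without rendering the full graph.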