I am wondering whether package vulnerability reporting also checks the dependencies of the package?
If not, are there recommended ways to implement this sort of security functionality for packages? A third-party tool that supports Posit repos, perhaps?
I would also like to know if there are plans to allow blocking packages with vulnerabilities of a certain criticality instead of just blocking any with vulnerabilities?
No. Currently Package Manager does not include vulnerabilities in dependent packages when listing vulnerabilities for a package. However, in R, if dependent vulnerable packages are blocked, installation of the top-level package will fail due to the blocked dependency. In Python, pip will automatically attempt to find a non-blocked package that satisfies the requirements and fall back to using that one instead of the blocked version.
We're considering adding that ability, at least for those vulnerabilities that have an associated severity. As it is, not all vulnerabilities have a defined severity, and even for those that do, the severity may vary widely depending on where they are reported. For those reasons we currently recommend blocking all packages with associated vulnerabilities, regardless of severity. Most well-maintained Python packages with identified vulnerabilities have a later fixed version available, and for those that don't, an exception can be manually added in Package Manager.
We've considered an option to include vulnerabilities in any dependent packages in the reported vulnerabilities list for a given package, if that is what you're requesting. If not, can you describe better what your vision is?
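As an added illustration, not code from Posit or from anyone in this thread: the three behaviours the answer above describes (a package's own vulnerabilities versus those inherited from its dependency tree, a severity threshold that has to cope with advisories that carry no severity, and pip falling back to the newest non-blocked version that still satisfies a requirement) can be modelled in a few lines of Python. The dependency graph, vulnerability identifiers and severities are constructed sample data, not real advisories, and the function names are this example's own.

```python
from collections import deque

# Constructed sample data (not from Package Manager or any advisory feed).
# Severities are deliberately uneven to mirror the answer's point: some
# advisories have no score, and scores differ between reporting sources.
DEPENDENCIES = {
    "myapp": ["requests", "pyyaml"],
    "requests": ["urllib3", "certifi"],
    "urllib3": [],
    "certifi": [],
    "pyyaml": [],
}

VULNERABILITIES = {
    "urllib3": [{"id": "VULN-A", "severity": "high"}],
    "pyyaml": [{"id": "VULN-B", "severity": None}],  # reported with no severity
}

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def transitive_dependencies(package, deps=DEPENDENCIES):
    """Every package reachable from `package` through the dependency graph."""
    seen, queue = set(), deque(deps.get(package, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(deps.get(dep, []))
    return seen


def vulnerabilities_for(package, deps=DEPENDENCIES, vulns=VULNERABILITIES):
    """Split a package's vulnerabilities into its own ('direct') and those it
    inherits from its dependency tree ('inherited'), which is the view the
    question asks for and which Package Manager does not currently report."""
    direct = list(vulns.get(package, []))
    inherited = {
        dep: vulns[dep]
        for dep in sorted(transitive_dependencies(package, deps))
        if dep in vulns
    }
    return {"direct": direct, "inherited": inherited}


def should_block(package, min_severity=None, deps=DEPENDENCIES, vulns=VULNERABILITIES):
    """Blocking policy over the package and its dependency tree.

    min_severity=None is the 'block anything with a vulnerability' policy the
    answer recommends.  With a threshold, an advisory that has no severity
    cannot be compared against it, so it is treated as blocking (fail closed)
    rather than silently allowed through.
    """
    report = vulnerabilities_for(package, deps, vulns)
    found = report["direct"] + [v for vs in report["inherited"].values() for v in vs]
    if min_severity is None:
        return bool(found)
    threshold = SEVERITY_RANK[min_severity]
    return any(
        v["severity"] is None or SEVERITY_RANK[v["severity"]] >= threshold
        for v in found
    )


def pip_style_fallback(candidates, blocked, minimum):
    """Model the pip behaviour described in the answer: among the versions the
    requirement allows (here a simple >= minimum), pick the newest one that is
    not blocked, or None if every allowed version is blocked.  Versions are
    (major, minor, patch) tuples so they compare numerically."""
    allowed = [v for v in candidates if v >= minimum and v not in blocked]
    return max(allowed) if allowed else None


if __name__ == "__main__":
    print(vulnerabilities_for("myapp"))
    print("block myapp (any severity):", should_block("myapp"))
    print("block requests (critical only):", should_block("requests", "critical"))
    print("pip fallback:", pip_style_fallback(
        [(2, 28, 0), (2, 31, 0), (2, 32, 0)], {(2, 32, 0)}, (2, 28, 0)))
```

The contrast worth noting is `should_block("requests", "critical")` versus `should_block("myapp", "critical")`: the first is allowed because its only inherited advisory is rated high, while the second is blocked because pyyaml's advisory has no severity at all. That is the case the answer is pointing at when it says severity-based blocking is unreliable, and why an unscored advisory should fail closed if you do adopt a threshold.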
Sure! Just add a new blocklist rule for the given package you'd like to override and allow with the --exception flag. For example: