
Show vulnerabilities in transitive packages for PackageReference type projects in PMUI #8756

Closed
xavierdecoster opened this issue Oct 28, 2019 · 4 comments · Fixed by NuGet/NuGet.Client#5384

Comments

@xavierdecoster
Member

xavierdecoster commented Oct 28, 2019

A developer should be able to see a package vulnerability indicator for any known vulnerability in a transitive package in their dependency graph. 95% of vulnerable dependencies are transitive ones and we should bring awareness to this to help the ecosystem shift left.

[image: screenshot attached to the issue]

@nkolev92
Member

Isn't this a dup of #5887?

There definitely are some scope problems in #5887, but the OP is about showing the transitive dependencies.

@drewgillies drewgillies changed the title Show transitive packages for PackageReference type projects in PMUI Show vulnerabilities in transitive packages for PackageReference type projects in PMUI Aug 28, 2020
@drewgillies
Contributor

drewgillies commented Aug 31, 2020

Thanks, @nkolev92. I wasn't aware of #5887, and it's a very important piece of background here. It looks on the surface like this issue is dependent on #5887 rather than a dupe of it. I've renamed this issue to track the specifics of showing vulnerabilities in transitive packages. #5887 has some interesting flowthroughs to this issue: #5553 and this epic: #5877. It seems like there is more discussion to be had in this space before transitive dependencies for PackageReference projects can be exposed in PMUI (i.e. strategy for version resolution, promotion to top-level, pruning) before we can move to including vulnerable or deprecated statuses on transitive packages.

In the spec https://github.com/NuGet/Home/wiki/Flag-vulnerable-packages, the MVP includes this:

  • Show transitive packages for PackageReference type projects in PMUI

It's important to note that this bullet point encompasses #5887 and all of its longstanding discussions.
@JonDouglas we may need to spend some time with these, and resolving our strategy on general transitive dependency visibility in PMUI is a precursor to any vulnerability work here.
/cc @aortiz-msft @skofman1 @anangaur

@agr agr added this to the Sprint 182 - 2021.01.11 milestone Jan 7, 2021
@nkolev92 nkolev92 modified the milestones: Sprint 182 - 2021.01.11, Sprint 182 - 2021.1.11 Jan 11, 2021
@drewgillies
Contributor

This needs to be spiked before it can have a real estimate.

@nkolev92
Member

nkolev92 commented Dec 7, 2022

Note for implementer: I added a pessimistic estimate in the client project.

https://github.com/NuGet/Client.Engineering/pull/1391 has info that should be really helpful.
