Watch to find out whether this applies to you and how to fix it :).
Why should you care? Because if you rely on Dependabot, the industry-standard dependency scanner, your devs may not have fixed the recent Log4j problem completely.
If you're using Dependabot, the tooling you have now is not getting the whole job done.
In theory Dependabot is exactly what the world needs to keep software dependency chains safe from known vulnerabilities: tightly integrated with GitHub, auto-generates pull requests, plugged into GitHub Security Advisories (GHSA), and supports a wide range of programming languages and dependency managers.
But in practice Dependabot has a serious implementation flaw: it can only see transitive dependencies (aka sub-dependencies) in languages and dependency managers that produce lock files. Where there is no lock file, it reads only the dependencies declared directly in the manifest, so a vulnerable library that one of those dependencies pulls in never shows up.
Can you think of a major language and dependency manager that currently does NOT use lock files?
Java / Maven!
This has bad implications if you're relying on Dependabot to protect you from Log4j, since Log4j is a Java library, and one that is very often pulled in transitively (through a logging starter or a framework) rather than declared directly in your pom.xml.
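The gap described above, as an added example that is not code from the original post or from Dependabot: a script that contrasts the direct dependencies declared in pom.xml (all a manifest-only scanner can see for Maven) with the resolved tree that `mvn dependency:tree` prints, and flags any log4j-core below a fix threshold. The pom.xml, the dependency tree text and the 2.17.1 threshold are constructed or assumed for the example; on a real project you would feed it the output of `mvn dependency:tree -Dincludes=org.apache.logging.log4j` instead.

```python
"""Find Log4j copies that a pom.xml-only scan would miss (constructed example)."""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml: the project declares only a Spring Boot starter, never log4j-core.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
      <version>2.5.6</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed `mvn dependency:tree` output for that project (versions are illustrative).
DEPENDENCY_TREE = r"""[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] \- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO]    +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO]    |  +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO]    |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    \- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
[INFO] ------------------------------------------------------------------------
"""

# Assumed threshold for this example: flag log4j-core older than this version.
FIXED_LOG4J_CORE = "2.17.1"

# One tree line: "[INFO] " + N units of "|  " or "   " + optional "+- "/"\- " + coordinates.
TREE_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ]  )*)(?P<connector>[+\\]- )?(?P<coord>\S+)$")


def declared_dependencies(pom_xml):
    """Direct dependencies from pom.xml: what a manifest-only scanner sees."""
    root = ET.fromstring(pom_xml)
    return [
        (dep.findtext(MAVEN_NS + "groupId"),
         dep.findtext(MAVEN_NS + "artifactId"),
         dep.findtext(MAVEN_NS + "version"))  # None when managed by a parent/BOM
        for dep in root.iter(MAVEN_NS + "dependency")
    ]


def parse_dependency_tree(text):
    """Turn `mvn dependency:tree` output into nodes with depth and the path from the root."""
    nodes, stack = [], []  # stack[d] holds the "group:artifact:version" at depth d
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 4:  # banner or separator lines, not coordinates
            continue
        group, artifact = parts[0], parts[1]
        # group:artifact:type:version (root) or group:artifact:type[:classifier]:version:scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        depth = 0 if m.group("connector") is None else 1 + len(m.group("prefix")) // 3
        stack = stack[:depth] + [f"{group}:{artifact}:{version}"]
        nodes.append({"group": group, "artifact": artifact, "version": version,
                      "depth": depth, "path": list(stack)})
    return nodes


def version_key(v):
    """Numeric tuple for comparison; a pre-release such as 2.0-beta9 is treated as 2.0."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def find_vulnerable_log4j(tree_text, pom_xml, fixed=FIXED_LOG4J_CORE):
    """Flag every log4j-core below `fixed` and record whether pom.xml mentions it at all."""
    declared = {(g, a) for g, a, _ in declared_dependencies(pom_xml)}
    findings = []
    for n in parse_dependency_tree(tree_text):
        if (n["group"], n["artifact"]) != ("org.apache.logging.log4j", "log4j-core"):
            continue
        if version_key(n["version"]) >= version_key(fixed):
            continue
        findings.append({"version": n["version"], "depth": n["depth"],
                         "in_pom": (n["group"], n["artifact"]) in declared,
                         "path": " -> ".join(n["path"])})
    return findings


if __name__ == "__main__":
    print("declared in pom.xml:", declared_dependencies(POM_XML))
    for f in find_vulnerable_log4j(DEPENDENCY_TREE, POM_XML):
        print(f"log4j-core {f['version']} at depth {f['depth']}, in pom.xml: {f['in_pom']}")
        print("  via", f["path"])
```

The point of the output is the `in_pom: False` line: the vulnerable log4j-core is two levels down, reachable only through the starter, so a scanner that reads pom.xml without resolving the tree has nothing to alert on.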