GH-500 Question #27: Real Exam Question with Answer & Explanation
The correct answer is D: A dependency graph is created, and Dependabot compares the graph to the GitHub Advisory Database.
Question
Which of the following is the most complete method for Dependabot to find vulnerabilities in third- party dependencies?
Options
- A. CodeQL analyzes the code and raises vulnerabilities in third-party dependencies.
- B. Dependabot reviews manifest files in the repository.
- C. The build tool finds the vulnerable dependencies and calls the Dependabot API.
- D. A dependency graph is created, and Dependabot compares the graph to the GitHub Advisory Database.
Explanation
Dependabot's most complete method for finding vulnerabilities is a two-step process: GitHub first builds a dependency graph by parsing manifest and lock files (e.g., package-lock.json, requirements.txt), then Dependabot continuously compares that graph against the GitHub Advisory Database (GHSA). This covers both direct and transitive dependencies across the entire project.

CodeQL (A) analyzes first-party code for code-level vulnerabilities, not third-party dependency vulnerabilities. Reviewing manifest files alone (B) is incomplete without a vulnerability database to compare against. There is no build-tool-to-Dependabot API mechanism as described in (C).