GH-500 Question #84: Real Exam Question with Answer & Explanation
The correct answer is D: To cross-reference dependency data with the GitHub Advisory Database. Dependabot uses the dependency graph as its inventory of detected packages and versions and matches each entry against the GitHub Advisory Database to identify dependencies with known security vulnerabilities.
Question
How does Dependabot use the dependency graph in GitHub Advanced Security (GHAS)?
Options
- A. To identify and address security vulnerabilities in the codebase.
- B. To automatically update project dependencies to their latest, secure versions.
- C. To generate alerts for potential security vulnerabilities in project dependencies.
- D. To cross-reference dependency data with the GitHub Advisory Database.
Explanation
Dependabot reads the dependency graph (the packages and versions GitHub detects from a repository's manifest and lock files) and cross-references each entry against the GitHub Advisory Database. When a dependency's version falls inside the vulnerable version range of an advisory for that package and ecosystem, Dependabot raises an alert for it.
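The matching step described above, as an added example (not GitHub's or Dependabot's code): a small Python script that takes a constructed dependency list in the shape of a dependency graph (ecosystem, package, resolved version) and a constructed set of advisory records with placeholder IDs, and reports every dependency whose version falls inside an advisory's vulnerable range. The `">= 1.0.0, < 1.3.0"` range syntax mirrors the style used in GitHub Advisory Database records; the package names, versions and advisory IDs are invented for the example.

```python
"""Cross-reference a dependency graph against advisory records.

Added example, not Dependabot's or GitHub's own code. Dependencies and
advisories are constructed inline; the GHSA-style IDs are placeholders,
not real advisories.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ghsa_id: str            # placeholder ID, not a real advisory
    ecosystem: str          # e.g. "npm", "pip"
    package: str
    vulnerable_range: str   # comma-separated comparators, e.g. ">= 1.0.0, < 1.3.0"
    patched_version: str
    severity: str


# Constructed advisory records (hypothetical packages and IDs).
ADVISORIES = [
    Advisory("GHSA-xxxx-xxxx-0001", "npm", "example-left-pad", ">= 1.0.0, < 1.3.0", "1.3.0", "high"),
    Advisory("GHSA-xxxx-xxxx-0002", "npm", "example-left-pad", "< 0.9.2", "0.9.2", "moderate"),
    Advisory("GHSA-xxxx-xxxx-0003", "pip", "example-yaml-loader", "<= 5.3.1", "5.4", "critical"),
]

# Constructed dependency graph: (ecosystem, package, resolved version).
DEPENDENCY_GRAPH = [
    ("npm", "example-left-pad", "1.2.5"),
    ("npm", "example-router", "2.0.0"),
    ("pip", "example-yaml-loader", "5.4"),
    ("pip", "example-yaml-loader", "5.1"),   # an older resolution of the same package
]

_COMPARATOR = re.compile(r"^(<=|>=|<|>|=)\s*([0-9][0-9.]*)$")


def parse_version(version: str) -> tuple:
    """Turn '5.4' into (5, 4, 0) so that '5.4' and '5.4.0' compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version: str, vulnerable_range: str) -> bool:
    """True when every comparator clause in the range holds for the version."""
    v = parse_version(version)
    for clause in vulnerable_range.split(","):
        match = _COMPARATOR.match(clause.strip())
        if not match:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = match.group(1), parse_version(match.group(2))
        holds = {
            "<": v < bound,
            "<=": v <= bound,
            ">": v > bound,
            ">=": v >= bound,
            "=": v == bound,
        }[op]
        if not holds:
            return False
    return True


def find_alerts(dependencies, advisories):
    """Return one alert dict per (dependency, advisory) pair that matches."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault((adv.ecosystem, adv.package), []).append(adv)

    alerts = []
    for ecosystem, package, version in dependencies:
        for adv in by_package.get((ecosystem, package), []):
            if version_in_range(version, adv.vulnerable_range):
                alerts.append({
                    "ghsa_id": adv.ghsa_id,
                    "ecosystem": ecosystem,
                    "package": package,
                    "vulnerable_version": version,
                    "patched_version": adv.patched_version,
                    "severity": adv.severity,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(DEPENDENCY_GRAPH, ADVISORIES):
        print(f"{alert['severity']:>8}  {alert['ghsa_id']}  {alert['ecosystem']}/"
              f"{alert['package']}@{alert['vulnerable_version']} -> fix in {alert['patched_version']}")
```

Running it reports two alerts: `example-left-pad@1.2.5` (inside `>= 1.0.0, < 1.3.0`) and `example-yaml-loader@5.1` (inside `<= 5.3.1`); `example-yaml-loader@5.4` is already at the patched version and `example-router` has no advisory at all. The lookup is keyed on ecosystem plus package name, which is why the same name in a different ecosystem does not produce a false match.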
Common mistakes.
- A. While Dependabot does help identify vulnerabilities, this answer omits the specific mechanism of cross-referencing with the GitHub Advisory Database, making it an incomplete and imprecise description.
- B. Automatically updating dependencies to their latest versions describes Dependabot version updates, a distinct feature that is not specifically about how Dependabot uses the dependency graph for security purposes.
- C. Generating alerts is the outcome of Dependabot's process, not a description of how it uses the dependency graph; the underlying mechanism is the cross-reference with the advisory database.
Concept tested. Dependabot dependency graph and GitHub Advisory Database integration
Reference. https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts