Recently inherited a codebase and did a proper dependency audit.
At first glance, things looked fine. Around 70 to 80 direct dependencies, mostly maintained.
Then I checked the full tree.
It blew up to 1,000-plus transitive packages. Many untouched for years. Some effectively abandoned, a few with known vulnerabilities and no fixes.
To make it more interesting, we have a compliance review in a few weeks and need to produce an SBOM.
The problem is the tooling. Everything gets flagged at similar severity with no context about what is actually reachable in the app vs what just exists somewhere deep in the tree. So instead of clarity, I get a huge list of issues I cannot realistically fix in time.
This isn’t a clean greenfield setup either. It’s something that evolved over years.
Trying to figure out:
How do you approach this under time pressure?
Do you only focus on reachable vulnerabilities?
How do you present an SBOM without it looking like everything is on fire?
Would really appreciate how others have handled similar situations.