Free Microsoft GH-500 Actual Exam Questions - Question 13 Discussion

Question No. 13 – [Configure and Use Dependency Management]
You are a maintainer of a repository and Dependabot notifies you of a vulnerability. Where could the
vulnerability have been disclosed? (Each answer presents part of the solution. Choose two.)
Paul T.
2026-02-19

I see where A and C come from, but I think B is worth considering too. The dependency graph isn’t just for mapping dependencies; it can highlight vulnerabilities once they’re known. If a vulnerability is discovered, it gets flagged there as part of the dependency info. So maybe the vulnerability could be disclosed or at least shown in the dependency graph itself alongside the affected packages. D seems off since manifest and lock files just list dependencies, not vulnerabilities. So my picks would be A and B.

0
Mark I.
2026-02-12

A/C? The National Vulnerability Database is a known public source for disclosed vulnerabilities, and GitHub security advisories are another official channel where these get reported. B and D seem more like tools for managing or detecting the issue rather than sources of disclosure. So, the actual vulnerability details would originate from A and C, not from dependency graphs or manifest files.

0
Jason A.
2026-01-16

It’s A and C.

0