Extract all the dependencies in the project
Problem to solve
The Bill Of Materials (BOM) is a list of all the dependencies that are used in a given project.
We need to run a tool on the code and extract all the dependency information. This can be done during a CI/CD job, in the same way Dependency Scanning and License Management already work.
Once the list is completed, it will be sent to the backend and presented to users.
Delaney, Development Team Lead, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#delaney-development-team-lead
Reuse the Dependency Scanning or the License Management tools to provide a full list of dependencies for the project. We need all the dependencies, not just the ones with licenses or vulnerabilities.
Once the list is created, send it to the backend using the CI reports syntax.
We can extend the existing JSON format for Dependency Scanning and License Management to include a bom section with a unified syntax. This means that, no matter which tool produced the report, the backend will receive consistent information that can be merged from different sources.
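As an added illustration of the merge step the proposal relies on (this is example code written for this page, not GitLab's implementation, and the bom section layout, its field names and the two sample reports are all assumptions constructed here), the following script reads the bom section from a Dependency Scanning report and a License Management report, checks that every entry carries the fields the backend needs to merge on, and produces one deduplicated list keyed by package manager, name and version, recording which jobs reported each dependency:

```python
import json
from typing import Dict, List, Tuple

# Constructed sample reports. The "bom" section and its field names are an
# assumption made for this example, not the format described on the page.
DEPENDENCY_SCANNING_REPORT = json.dumps({
    "version": "1.0",
    "vulnerabilities": [],
    "bom": {"dependencies": [
        {"name": "rails", "version": "5.2.3",
         "package_manager": "bundler", "path": "Gemfile.lock"},
        {"name": "nokogiri", "version": "1.10.4",
         "package_manager": "bundler", "path": "Gemfile.lock"},
    ]},
})

LICENSE_MANAGEMENT_REPORT = json.dumps({
    "licenses": [],
    "bom": {"dependencies": [
        {"name": "nokogiri", "version": "1.10.4",
         "package_manager": "bundler", "path": "Gemfile.lock",
         "licenses": ["MIT"]},
        {"name": "lodash", "version": "4.17.15",
         "package_manager": "npm", "path": "package-lock.json",
         "licenses": ["MIT"]},
    ]},
})

# Fields every producer must fill so the backend can merge entries reliably.
REQUIRED_FIELDS = ("name", "version", "package_manager", "path")
Key = Tuple[str, str, str]


def extract_bom(report_json: str) -> List[Dict]:
    """Return the dependency entries of a report's bom section, rejecting
    entries that lack one of the fields the merge depends on."""
    report = json.loads(report_json)
    bom = report.get("bom") or {}
    deps = bom.get("dependencies", [])
    for dep in deps:
        missing = [f for f in REQUIRED_FIELDS if not dep.get(f)]
        if missing:
            raise ValueError(f"bom entry {dep!r} is missing {missing}")
    return list(deps)


def merge_boms(reports: Dict[str, str]) -> List[Dict]:
    """Merge the bom sections of several job reports (job name -> JSON text)
    into one deduplicated list keyed by (package_manager, name, version)."""
    merged: Dict[Key, Dict] = {}
    for job, report_json in reports.items():
        for dep in extract_bom(report_json):
            key = (dep["package_manager"], dep["name"], dep["version"])
            entry = merged.setdefault(
                key, {"paths": set(), "licenses": set(), "sources": set()})
            entry["paths"].add(dep["path"])
            # License Management adds license data; other jobs may omit it.
            entry["licenses"].update(dep.get("licenses", []))
            entry["sources"].add(job)
    result = []
    for pm, name, version in sorted(merged):  # deterministic output order
        entry = merged[(pm, name, version)]
        result.append({
            "name": name, "version": version, "package_manager": pm,
            "paths": sorted(entry["paths"]),
            "licenses": sorted(entry["licenses"]),
            "sources": sorted(entry["sources"]),
        })
    return result


if __name__ == "__main__":
    bom = merge_boms({
        "dependency_scanning": DEPENDENCY_SCANNING_REPORT,
        "license_management": LICENSE_MANAGEMENT_REPORT,
    })
    print(json.dumps(bom, indent=2))
```

The merge key deliberately includes the package manager, so that a package with the same name in two ecosystems is kept as two distinct dependencies, and the sources field makes it visible when only one of the jobs saw a dependency, which is the kind of gap a complete BOM should expose rather than hide.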
Permissions and Security
Since this is an extension of the existing jobs, permissions will be the same.
We need to document the format for this new section.