Add Dependency Scanning information to the Bill Of Materials
Problem to solve
The Bill Of Materials (BOM) lists all the dependencies in a project.
One piece of information people are interested in for this view is the security status of each dependency. That way they can easily check (and prove to Compliance) that the app doesn't contain any insecure component.
We already have Dependency Scanning results available. We should link this information in the BOM view.
This is different from the Security Dashboard because here we have a dependency-centric view, listing both vulnerable and safe components. The Security Dashboard is vulnerability-centric and shows only vulnerable ones.
Delaney, Development Team Lead
Sam, Security Analyst
Add a new column to the BOM with the security status for each given dependency, if available.
The status could have three values:
- green: the dependency scanning job ran, and no vulnerability was detected
- red: the dependency scanning job ran, and a vulnerability was detected
- unknown: the dependency scanning job didn't run, or its results are not available
Users can click on the status to see more details about it.
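As an added illustration of the three-state mapping proposed above (not code from the issue or from GitLab), here is how a BOM entry's status and its supporting findings can be derived from a scanning report; the BOM entries and the report are constructed, and the report shape (findings under `vulnerabilities` with a `location.dependency` entry) is an assumption:

```python
# Added example: derive a dependency-centric status (green / red / unknown)
# for each BOM entry from a dependency scanning report. All data below is
# constructed; the report layout is an assumption, not a documented format.
from collections import defaultdict
from typing import Optional

GREEN, RED, UNKNOWN = "green", "red", "unknown"

# Constructed BOM: (package name, version) pairs.
BOM = [("lodash", "4.17.15"), ("express", "4.17.1"), ("left-pad", "1.3.0")]

# Constructed scanning report. None models "job did not run / no artifact".
SCAN_REPORT = {
    "vulnerabilities": [
        {
            "severity": "High",
            "location": {
                "dependency": {"package": {"name": "lodash"}, "version": "4.17.15"}
            },
        },
    ],
}


def dependency_status(bom, report: Optional[dict]) -> dict:
    """Map every BOM entry to (status, [severities of matching findings]).

    unknown: no report at all, or a report without a results section.
    red:     at least one finding points at this package and version.
    green:   a report exists and carries no finding for this entry.
    """
    if not report or "vulnerabilities" not in report:
        return {dep: (UNKNOWN, []) for dep in bom}
    by_dep = defaultdict(list)
    for finding in report["vulnerabilities"]:
        dep = finding.get("location", {}).get("dependency", {})
        name = dep.get("package", {}).get("name")
        if name is None:
            continue  # malformed finding: cannot be attributed to a dependency
        by_dep[(name, dep.get("version"))].append(finding.get("severity", "Unknown"))
    return {dep: (RED, by_dep[dep]) if dep in by_dep else (GREEN, []) for dep in bom}


if __name__ == "__main__":
    for (name, version), (status, details) in dependency_status(BOM, SCAN_REPORT).items():
        print(f"{name}@{version}: {status} {details}")
```

The details list is what a click on a red status would expand into; an empty report still yields green, which is distinct from a missing report yielding unknown.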
Permissions and Security
Permissions to see security status should be consistent with permissions of the same information in the merge request widget.
We need to document which information is available and explain the possible values.
We can also cross-link this from the Dependency Scanning documentation.
What does success look like, and how can we measure that?
Number of page views for the BOM.