Store Dependency Scanning scan results into the database

Problem to solve

Data from Dependency Scanning reports should be in the database, and consumers should use that backend instead of the raw JSON report.

This is required in order to present Dependency Scanning results in a group-level Security Dashboard. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6709 and https://gitlab.com/gitlab-org/gitlab-ee/issues/6240.

Also, it could be used to improve the performance of the existing Security Dashboard. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6165.

Further details

If consumers need to process or aggregate data from many reports (e.g., for group-level features), it is not possible to do so from artifacts without heavily affecting performance.

Proposal

Save Dependency Scanning reports in the database when they are collected from the Runner. Make this information available to the frontend via backend calls.

For the first iteration, it will not replace the artifact access. We can decouple this change and update the frontend independently.

Implementation should follow what has already been done for SAST:

This requires https://gitlab.com/gitlab-org/gitlab-ee/issues/5908 to be completed to have Dependency Scanning reports compatible with our DB model.

Edited by 🤖 GitLab Bot 🤖