Extract all the dependencies in the project
Problem to solve
The Bill Of Materials (BOM) is a list of all the dependencies that are used in a given project.
We need to run a tool on the code and extract all the information. This can be done during a CI/CD job, in the same way the Dependency Scanning and License Management jobs work.
Once the list is completed, it will be sent to the backend and presented to users.
Target audience
- Delaney, Development Team Lead, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#delaney-development-team-lead
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
Proposal
Reuse the Dependency Scanning (DS) tool to generate a dependency list for the project. We need all the dependencies, not just the ones with vulnerabilities.
Once the dependency list is created, it is sent to the backend using CI's reports syntax.
In a first iteration, we extend the existing DS report syntax to include a dependency list. This makes it possible to reuse all Gemnasium-based projects to collect information on the dependencies, and to aggregate all the dependency lists into a single one. The DS report syntax is likely to evolve quickly as we improve the dependency list, but it has to remain backward compatible at all times. See discussion.
The Rails backend will be updated to process the dependency list included in the DS reports and to serve it to the frontend using dedicated API endpoints (out of scope).
The dependency list may include packages that are not explicitly listed in the dependency files checked into the repository but are nevertheless installed because of them (transitive dependencies). In a Python project, for instance, the list may include a package that is not listed in requirements.txt.
- update common library
  - add dependency_files to reports, with packager, path and dependencies
  - merge dependency lists when merging reports
  - bump format version
- update gemnasium
  - upgrade gemnasium dependency
  - generate dependency list
- update reverse dependencies of common, gemnasium
  - update gemnasium-maven
  - update gemnasium-python
  - update dependency-scanning
- update test projects (expectations)
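The following is an added illustration of the common-library steps above (adding dependency_files to the report, merging dependency lists when reports are merged, and keeping the format backward compatible); it is not the common library's own code. It assumes the field names from the task list (dependency_files entries carrying packager, path and dependencies), a name/version object for each dependency, and "2.0" as the bumped format version. All sample reports are constructed; the transitive urllib3 entry in the pip report stands for the requirements.txt case described in the proposal.

```python
import json
from collections import OrderedDict

REPORT_VERSION = "2.0"  # assumed value of the bumped format version

# Constructed sample reports (not real project data). REPORT_A and REPORT_C
# stand for two jobs that both scanned the same Gemfile.lock; REPORT_B is a
# gemnasium-python style report whose requirements.txt lists only "requests",
# urllib3 being installed because of it; REPORT_OLD uses the pre-extension
# format and carries no dependency_files at all.
REPORT_A = json.dumps({
    "version": REPORT_VERSION,
    "vulnerabilities": [{"id": "constructed-vuln-1", "name": "example finding"}],
    "dependency_files": [{
        "packager": "bundler",
        "path": "Gemfile.lock",
        "dependencies": [{"name": "rails", "version": "5.2.0"},
                         {"name": "rack", "version": "2.0.5"}],
    }],
})
REPORT_B = json.dumps({
    "version": REPORT_VERSION,
    "vulnerabilities": [],
    "dependency_files": [{
        "packager": "pip",
        "path": "requirements.txt",
        "dependencies": [{"name": "requests", "version": "2.21.0"},
                         {"name": "urllib3", "version": "1.24.1"}],
    }],
})
REPORT_C = json.dumps({
    "version": REPORT_VERSION,
    "vulnerabilities": [],
    "dependency_files": [{
        "packager": "bundler",
        "path": "Gemfile.lock",
        "dependencies": [{"name": "rails", "version": "5.2.0"}],
    }],
})
REPORT_OLD = json.dumps({"version": "1.3", "vulnerabilities": []})

REQUIRED_FILE_KEYS = {"packager", "path", "dependencies"}


def parse_report(raw):
    """Parse one DS report, tolerating reports that predate dependency_files."""
    report = json.loads(raw)
    if not isinstance(report.get("version"), str):
        raise ValueError("report has no version string")
    # Backward compatibility: an older report simply has no dependency list.
    files = report.setdefault("dependency_files", [])
    for dep_file in files:
        missing = REQUIRED_FILE_KEYS - set(dep_file)
        if missing:
            raise ValueError("dependency file entry missing %s" % sorted(missing))
        for dep in dep_file["dependencies"]:
            if "name" not in dep or "version" not in dep:
                raise ValueError("dependency without name/version in %s" % dep_file["path"])
    return report


def merge_dependency_files(reports):
    """Union the dependency_files of several reports.

    Entries are keyed on (packager, path) so the same lockfile scanned by two
    jobs yields one entry, and dependencies within an entry are keyed on
    (name, version) so duplicates collapse while first-seen order is kept.
    """
    merged = OrderedDict()
    for report in reports:
        for dep_file in report["dependency_files"]:
            bucket = merged.setdefault((dep_file["packager"], dep_file["path"]), OrderedDict())
            for dep in dep_file["dependencies"]:
                bucket.setdefault((dep["name"], dep["version"]), dep)
    return [
        {"packager": packager, "path": path, "dependencies": list(deps.values())}
        for (packager, path), deps in merged.items()
    ]


def merge_reports(raw_reports):
    """Merge raw JSON reports into one report in the bumped format."""
    reports = [parse_report(raw) for raw in raw_reports]
    return {
        "version": REPORT_VERSION,
        "vulnerabilities": [v for r in reports for v in r.get("vulnerabilities", [])],
        "dependency_files": merge_dependency_files(reports),
    }


def flat_dependency_list(report):
    """One row per (packager, name, version): the list the backend would present."""
    rows, seen = [], set()
    for dep_file in report["dependency_files"]:
        for dep in dep_file["dependencies"]:
            key = (dep_file["packager"], dep["name"], dep["version"])
            if key not in seen:
                seen.add(key)
                rows.append({"packager": dep_file["packager"], "path": dep_file["path"],
                             "name": dep["name"], "version": dep["version"]})
    return rows


if __name__ == "__main__":
    merged = merge_reports([REPORT_A, REPORT_B, REPORT_C, REPORT_OLD])
    print(json.dumps(merged, indent=2))
    for row in flat_dependency_list(merged):
        print("%(packager)s %(name)s %(version)s (%(path)s)" % row)
```

Running it merges the four constructed reports into one Gemfile.lock entry (rails, rack) and one requirements.txt entry (requests, urllib3), carries the single vulnerability through unchanged, and ignores the old-format report without failing; a report whose dependency_files entries lack one of the three keys is rejected rather than silently dropped.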
Each updated project must be git tagged and published, and the changelog has to be updated too.
Permissions and Security
Since this is an extension of the existing jobs, permissions will be the same.
Documentation
We need to document the format for this new section.