Extract all the dependencies in the project
Problem to solve
The Bill Of Materials (BOM) is a list of all the dependencies that are used in a given project.
We need to run a tool on the code and extract all the information. This can be done during a CI/CD job, in a similar way to how Dependency Scanning and License Management work.
Once the list is completed, it will be sent to the backend and presented to users.
Delaney, Development Team Lead, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#delaney-development-team-lead
Reuse the Dependency Scanning (DS) tool to generate a dependency list for the project. We need all the dependencies, not just the ones with vulnerabilities.
Once the dependency list is created, it is sent to the backend using CI's
In a first iteration, we extend the existing DS report syntax to include a dependency list. This makes it possible to reuse all Gemnasium-based projects to collect information on the dependencies, and to aggregate all the dependency lists into a single one. The DS report syntax is likely to evolve quickly as we improve the dependency list, but it has to remain backward compatible at all times. See discussion
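Merging the per-analyzer dependency lists into one report while leaving the existing `vulnerabilities` section untouched, as an added example that is not GitLab's or gemnasium's code; the field names inside `dependency_files` (`path`, `package_manager`, `dependencies[].package.name`, `dependencies[].version`), the sample reports and the version values are assumptions:

```python
from copy import deepcopy
# Constructed sample reports (not real scan output). REPORT_LEGACY stands for an
# analyzer that predates the dependency list and has no `dependency_files` key.
REPORT_RUBY = {
    "version": "2.0",
    "vulnerabilities": [{"id": "constructed-1", "location": {"file": "Gemfile.lock"}}],
    "dependency_files": [{
        "path": "Gemfile.lock", "package_manager": "bundler",
        "dependencies": [{"package": {"name": "rack"}, "version": "2.0.1"},
                         {"package": {"name": "nokogiri"}, "version": "1.8.1"}],
    }],
}
REPORT_PYTHON = {  # re-scanned Gemfile.lock too, so one entry overlaps REPORT_RUBY
    "version": "2.0",
    "vulnerabilities": [],
    "dependency_files": [
        {"path": "requirements.txt", "package_manager": "pip",
         "dependencies": [{"package": {"name": "requests"}, "version": "2.19.0"}]},
        {"path": "Gemfile.lock", "package_manager": "bundler",
         "dependencies": [{"package": {"name": "rack"}, "version": "2.0.1"}]},
    ],
}
REPORT_LEGACY = {"version": "1.3", "vulnerabilities": [{"id": "constructed-2"}]}

def _version_tuple(v):
    return tuple(int(part) for part in v.split("."))

def merge_dependency_files(files_a, files_b):
    """Group entries by (path, package_manager); drop duplicate (name, version) pairs."""
    merged = {}
    for entry in files_a + files_b:
        key = (entry["path"], entry["package_manager"])
        target = merged.setdefault(key, {"path": key[0], "package_manager": key[1], "dependencies": []})
        seen = {(d["package"]["name"], d["version"]) for d in target["dependencies"]}
        for dep in entry["dependencies"]:
            dep_key = (dep["package"]["name"], dep["version"])
            if dep_key not in seen:
                seen.add(dep_key)
                target["dependencies"].append(deepcopy(dep))
    return sorted(merged.values(), key=lambda e: (e["path"], e["package_manager"]))

def merge_reports(report_a, report_b):
    """Concatenate vulnerabilities as before; a report lacking `dependency_files` (older analyzer) still merges."""
    return {
        "version": max(report_a["version"], report_b["version"], key=_version_tuple),
        "vulnerabilities": report_a.get("vulnerabilities", []) + report_b.get("vulnerabilities", []),
        "dependency_files": merge_dependency_files(report_a.get("dependency_files", []),
                                                   report_b.get("dependency_files", [])),
    }
```

Feeding the legacy report through the same merge is the backward-compatibility check: its vulnerabilities survive and the new section is simply empty.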
The dependency list may include packages that are not explicitly listed in the dependency files checked in to the repo but are nevertheless installed because of them.
In the context of a Python project, the list may include a package that is not listed in
- update common library
  - add `dependency_files` to reports, with
    - merge dependency lists when merging reports
    - bump format version
- upgrade gemnasium dependency
- generate dependency list
- update reverse dependencies of common, gemnasium
  - update gemnasium-maven
  - update gemnasium-python
  - update dependency-scanning
- update test projects (expectations)
Each updated project must be git tagged and published, and the changelog has to be updated too.
Permissions and Security
Since this is an extension of the existing jobs, permissions will be the same.
We need to document the format for this new section.