Closed
Opened Feb 28, 2019 by Fabio Busatto (@bikebilly), Contributor. 11 of 11 tasks completed.

Extract all the dependencies in the project

Problem to solve

The Bill Of Materials (BOM) is a list of all the dependencies that are used in a given project.

We need to run a tool on the code and extract all the information. This can be done during a CI/CD job, in a similar way to how Dependency Scanning and License Management work.

Once the list is completed, it will be sent to the backend and presented to users.

Target audience

  • Delaney, Development Team Lead, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#delaney-development-team-lead

  • Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst

Proposal

Reuse the Dependency Scanning (DS) tool to generate a dependency list for the project. We need all the dependencies, not just the ones with vulnerabilities.

Once the dependency list is created, it is sent to the backend using the CI reports syntax.

In a first iteration, we extend the existing DS report syntax to include a dependency list. This makes it possible to reuse all Gemnasium-based projects to collect information on the dependencies, and to aggregate all the dependency lists into a single one. The DS report syntax is likely to evolve quickly as we improve the dependency list, but it has to remain backward compatible at all times. See discussion

The rails backend will be updated to process the dependency list included in the DS reports and to serve it to the frontend using dedicated API endpoints (out of scope).

The dependency list may include packages that are not explicitly listed in the dependency files checked into the repo but are nevertheless installed as a consequence of them. In the context of a Python project, the list may include a package that is not listed in requirements.txt.

  • update common library
    • add dependency_files to reports, with packager, path and dependencies
    • merge dependency lists when merging reports
    • bump format version
  • update gemnasium
    • upgrade gemnasium dependency
    • generate dependency list
  • update reverse dependencies of common, gemnasium
    • update gemnasium-maven
    • update gemnasium-python
    • update dependency-scanning
  • update test projects (expectations)
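As an added illustration of the "merge dependency lists when merging reports" step (example code written for this page, not code from the common library or any GitLab project): two analyzer reports carrying the proposed dependency_files section are merged into one list, keyed by (packager, path) so a manifest seen by two analyzers is not duplicated. The sample reports are constructed, and the name/version keys and the rest of the report schema are assumptions.

```python
import json

# Constructed sample reports from two analyzers. The dependency_files shape
# (packager, path, dependencies) follows the issue's proposal; the name/version
# keys and the rest of the schema are assumptions, not the real DS format.
GEMNASIUM_PYTHON_REPORT = json.dumps({
    "version": "2.0",
    "dependency_files": [
        {"packager": "pip", "path": "requirements.txt", "dependencies": [
            {"name": "requests", "version": "2.21.0"},
            # pulled in by requests; not listed in requirements.txt itself
            {"name": "urllib3", "version": "1.24.1"},
            {"name": "certifi", "version": "2018.11.29"},
        ]},
    ],
})
GEMNASIUM_REPORT = json.dumps({
    "version": "2.0",
    "dependency_files": [
        # the same manifest seen by a second analyzer: must not be listed twice
        {"packager": "pip", "path": "requirements.txt", "dependencies": [
            {"name": "requests", "version": "2.21.0"},
        ]},
        {"packager": "bundler", "path": "Gemfile.lock", "dependencies": [
            {"name": "rails", "version": "5.2.2"},
        ]},
    ],
})

def merge_dependency_files(raw_reports):
    """Merge dependency_files from several DS reports, keyed by (packager, path)
    so a manifest reported by two analyzers yields one entry; packages in a file
    are deduplicated by (name, version), keeping first-seen order.
    """
    merged = {}
    for raw in raw_reports:
        for df in json.loads(raw).get("dependency_files", []):
            key = (df["packager"], df["path"])
            entry = merged.setdefault(key, {"packager": df["packager"],
                                            "path": df["path"], "deps": {}})
            for dep in df["dependencies"]:
                entry["deps"].setdefault((dep["name"], dep["version"]), dep)
    return [{"packager": e["packager"], "path": e["path"],
             "dependencies": list(e["deps"].values())} for e in merged.values()]

def all_packages(dependency_files):
    """Flat, sorted (name, version) pairs across all files: the project's BOM."""
    return sorted({(d["name"], d["version"])
                   for df in dependency_files for d in df["dependencies"]})
```

The flat list from all_packages is what the backend would present as the project's Bill Of Materials; note that urllib3 appears although it is absent from requirements.txt.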

Each updated project must be git tagged and published, and the changelog has to be updated too.

Permissions and Security

Since this is an extension of the existing jobs, permissions will be the same.

Documentation

We need to document the format for this new section.

Edited Jun 05, 2019 by Fabien Catteau
Milestone: 12.0
Reference: gitlab-org/gitlab#10071