API to retrieve Dependency List data
Problem to solve
With this API, you will be able to leverage the data contained in the Dependency List to build automated processes or to feed other external tools. It should make generating the dependency data needed for compliance reports easier and faster.
This is a public API that returns the information shown in the list in JSON format.
Target audience
- Delaney, Development Team Lead
- Sam, Security Analyst
Proposal
Create a public API endpoint that can be used to get a JSON file with the dependency list. Optionally, users can request to have additional information attached, like the security status.
Permissions and Security
The endpoint enforces the same permissions that govern access to the same information via the UI.
Documentation
Add documentation and examples to our API docs. Mention the availability of APIs in the main BOM doc page.
What does success look like, and how can we measure that?
Number of API calls.
Implementation plan
- Add endpoint to return project dependencies https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14612
- Add filtering and sort options https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14562
- Add authorization policy https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14561
- Add documentation https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30623#note_192348037
Request and response schema
GET /projects/:id/dependencies
The endpoint will provide filtering by package_manager. Available options:
- bundler
- yarn
- npm
- maven
- composer
- pip
Example request
GET /projects/42/dependencies?package_manager=bundler
GET /projects/42/dependencies?package_manager[]=pip&package_manager[]=yarn
Response
[
  {
    "name": "dependency_name",
    "version": "version_number",
    "package_manager": "package_manager_name",
    "dependency_file_path": "path_to_package_file"
  },
  ...
]
Example response
[
  {
    "name": "mini_portile2",
    "version": "2.2.0",
    "package_manager": "bundler",
    "dependency_file_path": "rails/Gemfile.lock"
  },
  {
    "name": "nokogiri",
    "version": "1.8.0",
    "package_manager": "bundler",
    "dependency_file_path": "Gemfile.lock"
  }
]
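An added example client (not part of this proposal or of GitLab's own code) that builds the filtered request in both query forms shown above, validates every entry against the response schema, and groups dependencies per package file for a compliance report. The API base URL, the PRIVATE-TOKEN header and the sample payload are assumptions made for the example.

```python
import json
from collections import defaultdict
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Filters and fields exactly as the proposal lists them.
VALID_PACKAGE_MANAGERS = {"bundler", "yarn", "npm", "maven", "composer", "pip"}
REQUIRED_FIELDS = ("name", "version", "package_manager", "dependency_file_path")

def dependencies_url(base_url, project_id, package_managers=()):
    """Build GET /projects/:id/dependencies; several filters use the package_manager[] form."""
    unknown = set(package_managers) - VALID_PACKAGE_MANAGERS
    if unknown:
        raise ValueError(f"unsupported package_manager filter(s): {sorted(unknown)}")
    url = f"{base_url.rstrip('/')}/projects/{project_id}/dependencies"
    if len(package_managers) == 1:
        return f"{url}?{urlencode({'package_manager': package_managers[0]})}"
    if package_managers:
        pairs = [("package_manager[]", pm) for pm in package_managers]
        return f"{url}?{urlencode(pairs, safe='[]')}"
    return url

def fetch_dependencies(url, token):
    """Call the endpoint with a personal access token in the PRIVATE-TOKEN header (assumed)."""
    with urlopen(Request(url, headers={"PRIVATE-TOKEN": token})) as resp:
        return json.load(resp)

def validate(deps):
    """Fail loudly on entries missing schema fields rather than silently dropping them."""
    for i, dep in enumerate(deps):
        missing = [f for f in REQUIRED_FIELDS if f not in dep]
        if missing:
            raise ValueError(f"entry {i} is missing fields {missing}")
    return deps

def group_by_package_file(deps):
    """Index name@version by package manager and dependency file, for a compliance report."""
    report = defaultdict(lambda: defaultdict(list))
    for dep in validate(deps):
        entry = f"{dep['name']}@{dep['version']}"
        report[dep["package_manager"]][dep["dependency_file_path"]].append(entry)
    return {pm: dict(files) for pm, files in report.items()}

# Constructed sample mirroring the example response above, so this runs without a network call.
SAMPLE_RESPONSE = [
    {"name": "mini_portile2", "version": "2.2.0", "package_manager": "bundler", "dependency_file_path": "rails/Gemfile.lock"},
    {"name": "nokogiri", "version": "1.8.0", "package_manager": "bundler", "dependency_file_path": "Gemfile.lock"},
]
```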