Dependency Scanning for projects using sbt package manager (#12390) · Issues · GitLab.org / GitLab

Dependency Scanning for projects using sbt package manager

Problem to solve

Dependency scanning does not currently support sbt affecting users relying on this tool. We should fix this.

Further details

Proposal

Add a new analyzer type for scanning sbt projects.

Implementation plan

Validate sbt-dependency-graph plugin for dependency scanning use case
Update gemnasium-maven to leverage above plugin and generate a report in the common format
[-] Update gemnasium/semver for parsing ivy revisions added by sbt
Update gemnasium to parse the new dependency report generated
Add vulnerable project to test projects
[-] Update gemnasium-maven dependency in Dependency Scanning orchestrator (Docker-in-Docker mode)
Switch gemnasium-maven to a tagged version of gemnasium after merging gitlab-org/security-products/analyzers/gemnasium!54 (merged)

Documentation

Update supported languages
Add any options required by this new analyzer

Testing

Create qa stage for this analyzer running against test project (added in implementation plan)

What does success look like, and how can we measure that?

Ability to generate a dependency scanning report for projects that are built with sbt.

Links / references

Product

release post

### Problem to solve

Dependency scanning does not currently support `sbt` affecting users relying on this tool. We should fix this.

### Further details

### Proposal

Add a new analyzer type for scanning sbt projects.

### Implementation plan

1. [x] Validate [sbt-dependency-graph](https://github.com/jrudolph/sbt-dependency-graph) plugin for dependency scanning use case
1. [x] Update `gemnasium-maven` to leverage above plugin and generate a report in the common format
1. [-] Update `gemnasium/semver` for parsing ivy revisions added by sbt
1. [x] Update `gemnasium` to parse the new dependency report generated
1. [x] Add vulnerable project to [test projects](https://gitlab.com/gitlab-org/security-products/tests/)
1. [-] Update `gemnasium-maven`  dependency in Dependency Scanning orchestrator (Docker-in-Docker mode)
1. [x] Switch `gemnasium-maven` to a tagged version of `gemnasium` after merging https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/merge_requests/54

### Documentation

- [x] Update [supported languages](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#supported-languages-and-package-managers)
- [x] Add any options required by this new analyzer

### Testing