Allow to manually declare dependencies

Problem to solve

Dependency Scanning currently only supports dependencies declared in lock files (e.g. Gemfile.lock). Some projects use components that are not declared in these files. As a Developer or a Security Analyst, I want to declare these dependencies explicitly so that they appear in the Dependency List of my project and GitLab can check whether they're vulnerable.

Intended users

Further details

Many projects rely on upstream and open source dependencies. They're part of the Bill of Materials needed to build the project, yet they don't necessarily appear in lock files. We need to let users declare these dependencies somehow.

Proposal

Allow users to point at SBOM sources in specific formats that we can either process without requiring a build (and inform them of vulnerabilities and risks) or simply pass through (they may just wish to have a fully packaged SBOM).

Some dependencies are installed directly from Dockerfiles, but the ways of doing so vary a lot, and detecting whether and what software has been added can get tedious.

The Distribution team (group::distribution) is already using various files that we could leverage:

  • deps.yml, the configuration file used by dependencies.io
  • version-manifest.txt (or version-manifest.json). Note that the Distribution team generates this file automatically.

We can also adopt a simple YAML file following our JSON Reports format. The data of this file would be merged with the result of the discovery part of the Dependency Scanning job(s), so that users can add metadata to be used later in dashboards.
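The merge step described above, as an added example (not GitLab's code). The target layout (`dependency_files` → `dependencies` → `package`/`version`) is the existing gl-dependency-scanning-report.json format; everything about the declaration file is an assumption: a top-level `dependencies` list whose entries carry `name`, a pinned `version`, and optional `path` and `package_manager`, with `manual` as a hypothetical package-manager marker. The declaration is written as JSON (which is valid YAML) so the example runs with the standard library only, and both inputs are constructed samples.

```python
"""Merge hand-declared dependencies into a Dependency Scanning report.

Added example, not GitLab's code. Assumed (not on the page): the declaration
file shape, the "manual" package_manager marker, and the default path name.
"""
import json
from copy import deepcopy

MANUAL_PACKAGE_MANAGER = "manual"                  # hypothetical marker
DEFAULT_DECLARATION_PATH = "declared-dependencies.yml"  # hypothetical default

# Constructed sample: what the analyzer discovered from Gemfile.lock.
DISCOVERED_REPORT = {
    "version": "2.1",
    "vulnerabilities": [],
    "dependency_files": [
        {
            "path": "Gemfile.lock",
            "package_manager": "bundler",
            "dependencies": [
                {"package": {"name": "rails"}, "version": "6.0.3"},
                {"package": {"name": "nokogiri"}, "version": "1.10.9"},
            ],
        }
    ],
}

# Constructed sample declaration file (JSON, hence also valid YAML).
MANUAL_DECLARATION = """
{
  "dependencies": [
    {"name": "spotbugs", "version": "4.0.3", "path": "Dockerfile"},
    {"name": "nokogiri", "version": "1.10.9", "path": "Dockerfile"},
    {"name": "jq", "version": "1.6"}
  ]
}
"""


class DeclarationError(ValueError):
    """Raised when the declaration file cannot be turned into report entries."""


def parse_declaration(text):
    """Validate the declaration file and normalise each entry.

    A declared component without a pinned version is rejected: it cannot be
    matched against advisories, so silently accepting it would hide a gap.
    """
    data = json.loads(text)
    deps = data.get("dependencies") if isinstance(data, dict) else None
    if not isinstance(deps, list):
        raise DeclarationError('a top-level "dependencies" list is required')
    parsed = []
    for index, entry in enumerate(deps):
        name = entry.get("name")
        version = entry.get("version")
        if not isinstance(name, str) or not name:
            raise DeclarationError(f'entry {index} needs a non-empty "name"')
        if not isinstance(version, str) or not version:
            raise DeclarationError(f'dependency {name!r} needs a pinned "version"')
        parsed.append({
            "name": name,
            "version": version,
            "path": entry.get("path", DEFAULT_DECLARATION_PATH),
            "package_manager": entry.get("package_manager", MANUAL_PACKAGE_MANAGER),
        })
    return parsed


def declaration_is_valid(text):
    """True when parse_declaration accepts the text, False otherwise."""
    try:
        parse_declaration(text)
    except (DeclarationError, ValueError):
        return False
    return True


def merge_declared(report, declared):
    """Return (merged report, skipped (name, version) pairs).

    The input report is not mutated. A declared component that discovery
    already found with the same version is skipped rather than duplicated;
    the others are grouped by (path, package_manager) into dependency_files.
    """
    merged = deepcopy(report)
    seen = {(d["package"]["name"], d["version"])
            for f in merged["dependency_files"] for d in f["dependencies"]}
    files_by_key = {(f["path"], f["package_manager"]): f
                    for f in merged["dependency_files"]}
    skipped = []
    for dep in declared:
        key = (dep["name"], dep["version"])
        if key in seen:
            skipped.append(key)
            continue
        seen.add(key)
        file_key = (dep["path"], dep["package_manager"])
        target = files_by_key.get(file_key)
        if target is None:
            target = {"path": dep["path"], "package_manager": dep["package_manager"],
                      "dependencies": []}
            files_by_key[file_key] = target
            merged["dependency_files"].append(target)
        target["dependencies"].append({"package": {"name": dep["name"]},
                                       "version": dep["version"]})
    return merged, skipped


def all_dependencies(report):
    """Sorted (name, version) pairs across every dependency file in a report."""
    return sorted((d["package"]["name"], d["version"])
                  for f in report["dependency_files"] for d in f["dependencies"])


if __name__ == "__main__":
    merged_report, dupes = merge_declared(DISCOVERED_REPORT,
                                          parse_declaration(MANUAL_DECLARATION))
    print(json.dumps(merged_report, indent=2))
    print("skipped (already discovered):", dupes)
```

Grouping declared entries into their own `dependency_files` entries (keyed by the file they came from) keeps hand-declared components distinguishable from analyzer-discovered ones in the Dependency List, which matters when deciding which source to trust if the two disagree.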

Once we have decided how to declare dependencies, we can use this information for:

  • Reporting licenses declared by hand
  • Checking for vulnerable components using gitlab-depscan (apparently only if we use version-manifest.json)
  • Reporting dependencies in the Dependency List
  • Checking for new releases of these components (related issue: #214016 (closed))

Example:

The SpotBugs analyzer relies on spotbugs under the hood. If that dependency were declared explicitly, we could monitor for updates on the project page and check for security issues with gitlab-depscan.

Permissions and Security

Same as repo access.

Documentation

Update https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html and https://docs.gitlab.com/ee/user/application_security/dependency_list/

Availability & Testing

TBD

What does success look like, and how can we measure that?

  • More dependencies handled by GitLab
  • Less time spent by our Engineering Managers checking for new upstream releases used by our analyzers

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

Could be; the Distribution team may be interested as well (cc @marin).

Links / references

/cc @kmann @gonzoyumo @NicoleSchwartz

Edited by Nicole Schwartz