Report vulnerable dependency paths for sbt (scala)
Problem to solve
Dependency Scanning should report the dependency paths for vulnerable dependencies found in Scala projects using sbt. These dependency paths can then be shown in the UI, including in the dependency list. See #227620 (closed)
Gemnasium supports sbt via the ivyReport task, which returns a full dependency graph. Unfortunately, this cannot be used for projects using sbt 1.3 and above. Because of that, this issue is blocked until the completion of #271345 (closed)
Proposal
Emit a report format from the gemnasium-maven analyzer from which a dependency path can be generated by gemnasium.
Implementation plan
- update the specific lock file parser so that it lists dependency links, and release a new version of gemnasium
- update the gemnasium dependency in gemnasium-maven, and release a new version (unless #198361 (closed) is done)
- update expected Dependency Scanning reports in test projects using this package manager
- update Dependency List documentation
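As an added illustration (not gemnasium's or gemnasium-maven's code), this shows how the dependency links a lock file parser emits can be turned into the paths the dependency list displays; the Link type, the function and the sbt-style package names are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Link is one parent -> child edge of the resolved graph, as a lock file parser could emit it (hypothetical type).
type Link struct{ Parent, Child string }
// sampleLinks is a constructed sbt-style graph: two direct dependencies reach json, and web <-> util is a cycle.
var sampleLinks = []Link{
	{"com.example:app_2.13", "org.example:web_2.13"},
	{"com.example:app_2.13", "org.example:client_2.13"},
	{"org.example:web_2.13", "org.example:util_2.13"},
	{"org.example:util_2.13", "org.example:web_2.13"},
	{"org.example:web_2.13", "org.example:json_2.13"},
	{"org.example:client_2.13", "org.example:json_2.13"},
}
// DependencyPaths returns every root -> target path as "a > b > c". Nodes already on
// the current path are not re-entered, so cycles terminate; the walk stops at target.
func DependencyPaths(links []Link, root, target string) []string {
	children := map[string][]string{} // index the flat link list by parent
	for _, l := range links {
		children[l.Parent] = append(children[l.Parent], l.Child)
	}
	var paths []string
	onPath := map[string]bool{}
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if onPath[node] {
			return
		}
		path = append(path, node)
		if node == target {
			paths = append(paths, strings.Join(path, " > "))
			return
		}
		onPath[node] = true
		for _, child := range children[node] {
			walk(child, path)
		}
		onPath[node] = false
	}
	walk(root, nil)
	return paths
}

func main() {
	fmt.Println(strings.Join(DependencyPaths(sampleLinks, "com.example:app_2.13", "org.example:json_2.13"), "\n"))
}
```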
Permissions and Security
N/A
Documentation
sbt should be listed as a package manager for which GitLab provides paths to vulnerable dependencies. See https://docs.gitlab.com/ee/user/application_security/dependency_list/#dependency-paths
Availability & Testing
To be tested automatically as part of QA for the analyzer project, by checking the generated report.
What does success look like, and how can we measure that?
The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.