Report vulnerable dependency paths for sbt (scala)

Problem to solve

Dependency Scanning should report the dependency paths for vulnerable dependencies found in Scala projects using sbt. These dependency paths can then be shown in the UI, including in the dependency list. See #227620 (closed)

Gemnasium supports sbt via the ivyReport task, which returns a full dependency graph. Unfortunately, this cannot be used for projects using sbt 1.3 and above. Because of that, this issue is blocked until the completion of #271345 (closed)

Proposal

Have the gemnasium-maven analyzer emit a report format from which gemnasium can generate the dependency paths.

Implementation plan

Permissions and Security

N/A

Documentation

sbt should be listed as a package manager for which GitLab provides paths to vulnerable dependencies. See https://docs.gitlab.com/ee/user/application_security/dependency_list/#dependency-paths

Availability & Testing

To be tested automatically when doing QA for the analyzer project and checking the generated report.

What does success look like, and how can we measure that?

The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Fabien Catteau