dependency_scanning + sbt: doesn't report vulnerabilities for sub-projects
Ask
Improve documentation to better set expectations
Summary
It seems `gemnasium-maven-dependency_scanning` only reports vulnerabilities based on the assumption that a `build.sbt` file corresponds to a single artifact.
For sbt projects using sub-projects, this is not necessarily the case:
- sub-project `.sbt` files may be named differently than `build.sbt` (such as `my-sub-module.sbt`),
- there may be no sub-project `.sbt` at all (like when only "inheriting" settings).
Steps to reproduce
Have the `gemnasium-maven-dependency_scanning` job run on a `build.sbt` project with sub-projects that have no `.sbt` file and/or a `.sbt` file named differently than `build.sbt`.
Example Project
(not provided)
What is the current bug behavior?
`gemnasium-maven-dependency_scanning` only reports vulnerabilities on the "root" `build.sbt`.
What is the expected correct behavior?
`gemnasium-maven-dependency_scanning` reports vulnerabilities on sub-projects as well, whether they define a `build.sbt` file or not.
Relevant logs and/or screenshots
(not provided)
Possible fixes
Given `gemnasium-maven-dependency_scanning` is still based on `sbt ivyReport`, which actually produces a report for each sub-project (as shown by `sbt show ivyReport`), the fix simply consists in gathering all of them.
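The gathering step described above, as an added illustration that is not the analyzer's own code: a constructed sbt layout with a root project, a `core` sub-project that has no `.sbt` file and an `api` sub-project using `api.sbt`, each with a minimal Ivy report. It assumes sbt writes its reports under `<project>/target/resolution-cache/reports/*.xml`; `collect_reports(root_only=True)` reproduces the reported behaviour, the default collects every sub-project.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed sbt layout for Ivy resolution reports (relative to each project dir).
REPORT_DIR = Path("target") / "resolution-cache" / "reports"


def ivy_report_xml(module, deps):
    """Minimal constructed Ivy report (only the elements we parse, not real sbt output)."""
    mods = "".join(
        f'<module organisation="{o}" name="{n}"><revision name="{v}"/></module>'
        for o, n, v in deps)
    return (f'<ivy-report version="1.0"><info organisation="example" module="{module}" '
            f'revision="0.1" conf="compile"/><dependencies>{mods}</dependencies></ivy-report>')


def make_sample_build(base):
    """Root + two sub-projects: core has no .sbt at all, api uses api.sbt (constructed)."""
    (base / "build.sbt").write_text('lazy val root = (project in file(".")).aggregate(core, api)\n'
                                    'lazy val core = project\nlazy val api = project.dependsOn(core)\n')
    (base / "api").mkdir()
    (base / "api" / "api.sbt").write_text('libraryDependencies += "com.typesafe" % "config" % "1.4.0"\n')
    reports = {
        base: ("root", [("org.scala-lang", "scala-library", "2.13.1")]),
        base / "core": ("core", [("org.scala-lang", "scala-library", "2.13.1"), ("commons-io", "commons-io", "2.6")]),
        base / "api": ("api", [("com.typesafe", "config", "1.4.0")]),
    }
    for d, (mod, deps) in reports.items():
        (d / REPORT_DIR).mkdir(parents=True, exist_ok=True)
        (d / REPORT_DIR / f"example-{mod}_2.13-compile.xml").write_text(ivy_report_xml(mod, deps))


def parse_report(path):
    """Return (module name, sorted list of (org, name, revision)) from one Ivy report."""
    root = ET.parse(path).getroot()
    deps = sorted((m.get("organisation"), m.get("name"), r.get("name"))
                  for m in root.iter("module") for r in m.findall("revision"))
    return root.find("info").get("module"), deps


def collect_reports(base, root_only=False):
    """Map module -> dependencies. root_only=True scans only the top-level project (the bug);
    otherwise every sub-project's report directory is walked and gathered."""
    paths = (base / REPORT_DIR).glob("*.xml") if root_only \
        else base.glob(f"**/{REPORT_DIR.as_posix()}/*.xml")
    found = {}
    for p in sorted(paths):
        module, deps = parse_report(p)
        found.setdefault(module, []).extend(deps)
    return found


def demo():
    """Build the sample project in a temp dir; return (root-only result, all-sub-projects result)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        make_sample_build(base)
        return collect_reports(base, root_only=True), collect_reports(base)
```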
Implementation plan
- Document the current limitation of only scanning the top-level project for sbt and not the sub-projects. This will be supported with #255045 (closed)
- update `gemnasium-maven` sbt builder to aggregate graph artifacts from sub-projects
- update project collection in analyze
- fix reporting so that the correct sub-projects and dependency paths are shown in list
- release `gemnasium-maven`