dependency_scanning + sbt: doesn't report vulnerabilities for sub-projects
Ask
Improve documentation to better set expectations
Summary
It seems gemnasium-maven-dependency_scanning only reports vulnerabilities based on the assumption a build.sbt file corresponds to a single artifact.
For sbt projects using sub-projects, this is not necessarily the case:
- sub-
.sbtfiles may be named differently thanbuild.sbt(s.a.my-sub-module.sbt), - there may no sub-
.sbtat all (like when only "inheriting" settings).
Steps to reproduce
Have the gemnasium-maven-dependency_scanning job run on a build.sbt project with sub-projects with no .sbt file and/or a .sbt file named differently than build.sbt.
Example Project
(not provided)
What is the current bug behavior?
gemnasium-maven-dependency_scanning only report vulnerabilities on the "root" build.sbt.
What is the expected correct behavior?
gemnasium-maven-dependency_scanning report vulnerabilities on sub-projects as well, whether they define a build.sbt file or not.
Relevant logs and/or screenshots
(not provided)
Possible fixes
Given gemnasium-maven-dependency_scanning is still based on sbt ivyReport that actually produces a report for each sub-project (as shown by sbt show ivyReport, the fix simply consists in gathering all of them.
Implementation plan
-
Document the current limitation of only scanning the top-level project for sbt and not the sub-project. This will be supported with #255045 (closed)
-
update gemnasium-mavensbt builder to aggregate graph artifacts from sub-projects -
update project collection in analyze -
fix reporting so that the correct sub-projects and dependency paths are shown in list -
release gemnasium-maven