dependency_scanning + sbt: doesn't report vulnerabilities for sub-projects

Ask

Improve documentation to better set expectations

Summary

It seems gemnasium-maven-dependency_scanning only reports vulnerabilities based on the assumption a build.sbt file corresponds to a single artifact. For sbt projects using sub-projects, this is not necessarily the case:

  • sub-.sbt files may be named differently than build.sbt (s.a. my-sub-module.sbt),
  • there may no sub-.sbt at all (like when only "inheriting" settings).

Steps to reproduce

Have the gemnasium-maven-dependency_scanning job run on a build.sbt project with sub-projects with no .sbt file and/or a .sbt file named differently than build.sbt.

Example Project

(not provided)

What is the current bug behavior?

gemnasium-maven-dependency_scanning only report vulnerabilities on the "root" build.sbt.

What is the expected correct behavior?

gemnasium-maven-dependency_scanning report vulnerabilities on sub-projects as well, whether they define a build.sbt file or not.

Relevant logs and/or screenshots

(not provided)

Possible fixes

Given gemnasium-maven-dependency_scanning is still based on sbt ivyReport that actually produces a report for each sub-project (as shown by sbt show ivyReport, the fix simply consists in gathering all of them.

Implementation plan

  • Document the current limitation of only scanning the top-level project for sbt and not the sub-project. This will be supported with #255045 (closed)
  • update gemnasium-maven sbt builder to aggregate graph artifacts from sub-projects
  • update project collection in analyze
  • fix reporting so that the correct sub-projects and dependency paths are shown in list
  • release gemnasium-maven
Edited by Igor Frenkel