
Dependency Scanning: scan sbt sub-projects

NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it is raised as part of our sensing mechanisms). Comments should ideally include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.

Release notes

Problem to solve

Reported customer item:

It seems gemnasium-maven-dependency_scanning only reports vulnerabilities based on the assumption a build.sbt file corresponds to a single artifact. For sbt projects using sub-projects, this is not necessarily the case:

  • sub-.sbt files may be named differently than build.sbt (such as my-sub-module.sbt),
  • there may be no sub-.sbt at all (like when only "inheriting" settings).

The OWASP Dependency Checker happens to work very well for sbt thanks to the sbt-dependency-check plugin, which is able to generate an aggregate report whose format is quite easy to transform to the GitLab DS one. This wouldn't be a one-off, in that OWASP happens to benefit from pre-baked integration into a variety of build tools.

from #250650 (closed)
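The layout the report describes, as an added illustration (constructed for this issue, not taken from the customer's repository or from the gemnasium analyzer): a root build.sbt that aggregates two sub-projects, one of which declares its dependencies in a differently named core/my-sub-module.sbt, and one of which declares none of its own and only "inherits" shared settings. A scanner that reads build.sbt alone and assumes one artifact per file sees neither the commons-text/snakeyaml dependencies of core nor the shared slf4j dependency reaching api. Project names, paths, artifacts and version numbers are illustrative; the plugin coordinates in project/plugins.sbt are recalled from the sbt-dependency-check README and the version is a placeholder to fill in.

```scala
// ---- build.sbt (repository root) -------------------------------------------
// Settings shared by every sub-project. Declaring them here is the common way
// to "inherit" dependencies without giving each sub-project its own .sbt file.
lazy val commonSettings = Seq(
  scalaVersion := "2.13.12",
  libraryDependencies += "org.slf4j" % "slf4j-api" % "2.0.9"
)

// The root project builds no artifact of its own; it only aggregates, so a
// scanner that treats this file as "the" artifact has nothing to report here.
lazy val root = (project in file("."))
  .aggregate(core, api)
  .settings(name := "example-multi")

// core: sbt merges every *.sbt file found in a project's base directory into
// that project's settings, so its dependencies live in core/my-sub-module.sbt
// (below), a file name a build.sbt-only scanner never opens.
lazy val core = (project in file("core"))
  .settings(commonSettings)

// api: no .sbt file of its own at all; everything it pulls in comes from
// commonSettings plus the one artifact declared inline here.
lazy val api = (project in file("api"))
  .dependsOn(core)
  .settings(commonSettings)
  .settings(
    libraryDependencies += "com.fasterxml.jackson.core" % "jackson-databind" % "2.15.2"
  )

// ---- core/my-sub-module.sbt --------------------------------------------------
// Bare settings (no project definition): sbt applies them to the project whose
// base directory contains the file, i.e. to `core`.
libraryDependencies ++= Seq(
  "org.apache.commons" % "commons-text" % "1.10.0",
  "org.yaml"           % "snakeyaml"    % "2.0"
)

// ---- project/plugins.sbt -----------------------------------------------------
// The plugin the report refers to; the version is a placeholder, check the
// plugin's README for a current one before using it.
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "<PLUGIN_VERSION>")
```

With that plugin on the build, the aggregate report the customer mentions is produced by running the aggregate task (`sbt dependencyCheckAggregate`, per the plugin's documentation) from the root, which walks the resolved classpath of every aggregated project rather than parsing .sbt files, which is why it does not share the one-file-per-artifact limitation.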

Intended users

User experience goal

Proposal

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Nicole Schwartz