Documentation update - Clarify Dependency Scanning behavior when project doesn't have a lockfile
Problem to solve
Our Dependency Scanning feature's behaviour is ambiguous when running on a project that doesn't have a lockfile, even though the package manager is able to generate one.
This mainly happens when the project is hosting a library's source code instead of an application.
As a result, some analyzers (like gemnasium) are not triggered, whereas others are (Retire.js).
Further details
Proposal
Clarify our Dependency Scanning documentation to explain the different behavior when a lockfile is not present.
We can also suggest possible workarounds, such as overriding the detection rules of the gemnasium job and generating the lockfile in a `before_script`.
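An illustration of the workaround described above, as an added example (not part of this issue or of GitLab's own template): the gemnasium job's detection rules are overridden so it runs when only `package.json` exists, and the lockfile is generated before the scan. The job name, the template path and the `npm install --package-lock-only` step are assumptions about the project's setup.

```yaml
# .gitlab-ci.yml (constructed example, not the project's real pipeline)
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# Override the template job: by default it only runs when a lockfile exists,
# so a library repo that commits only package.json is silently skipped.
gemnasium-dependency_scanning:
  rules:
    # Trigger on the manifest instead of the lockfile.
    - exists:
        - package.json
  before_script:
    # Generate the lockfile the analyzer needs without installing packages.
    - npm install --package-lock-only
```

Without the `rules` override the job keeps the template's lockfile-based `exists` check, so the `before_script` alone would not make it run.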
Who can address the issue
Composition Analysis group, backend team member
Other links/references
Edited by Nicole Schwartz