Improve the patterns used for the dependency scanning jobs so that they are specific to dependency files
At the moment, we run the dependency scanning jobs on any code/backstage/qa change:

```yaml
.reports:rules:dependency_scanning:
  rules:
    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/'
      when: never
    # - <<: *if-default-branch-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
    - <<: *if-default-refs
      changes: *code-backstage-qa-patterns
      allow_failure: true
```
I think we should limit the cases in which these jobs run, similarly to how the original template jobs do it.

For instance, for the gemnasium-dependency_scanning job, we should introduce a new .reports:rules:gemnasium-dependency_scanning rule that specifically replaces https://gitlab.com/gitlab-org/gitlab/-/blob/1924379cf1d03742b9a16512ae23aec069cef232/.gitlab/ci/reports.gitlab-ci.yml#L77.

This rule should be a mix of the default rule and our own conditions, something like:
```yaml
.reports:rules:gemnasium-dependency_scanning:
  rules:
    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/'
      when: never
    # - <<: *if-default-branch-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
    - <<: *if-default-refs
      changes: *dependency-patterns
      allow_failure: true
```
We'd also have to define this new dependency-patterns list, matching the one in the default template, e.g.

```yaml
.dependency-patterns: &dependency-patterns
  - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
  - '{composer.lock,*/composer.lock,*/*/composer.lock}'
  - '{gems.locked,*/gems.locked,*/*/gems.locked}'
  - '{go.sum,*/go.sum,*/*/go.sum}'
  - '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
  - '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
  - '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
  - '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
  - '{conan.lock,*/conan.lock,*/*/conan.lock}'
```
We might also want to do something similar for other dependency scanning jobs.
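To check what the proposed rule actually changes, here is an added example (not code from this issue or from the GitLab repository) that evaluates a `changes:` pattern list against a set of changed paths the way GitLab CI does: each pattern is tested against each path with Ruby's `File.fnmatch?` under `FNM_PATHNAME | FNM_DOTMATCH | FNM_EXTGLOB`, the flag set GitLab's `rules:changes` matcher applies (`FNM_EXTGLOB` supplies the `{a,b,c}` brace expansion these patterns rely on, and `FNM_PATHNAME` is what stops `*` from crossing a `/`, which is why the `{x,*/x,*/*/x}` form is depth-limited). The `CODE_BACKSTAGE_QA_PATTERNS` stand-in and the changed-file lists are constructed for illustration and are not the real lists. It also shows the caveat a reviewer will want to keep in mind: the template's fixed-depth patterns do not reach a lockfile nested three or more directories deep, whereas a `**/` pattern would.

```ruby
# Added example, not from the issue or the GitLab code base: simulate how
# GitLab CI evaluates `rules:changes` globs against the files changed in an MR.

FNMATCH_FLAGS = File::FNM_PATHNAME | File::FNM_DOTMATCH | File::FNM_EXTGLOB

# The dependency-patterns list proposed in the issue: lockfiles only, at the
# repository root or up to two directories deep.
DEPENDENCY_PATTERNS = [
  '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}',
  '{composer.lock,*/composer.lock,*/*/composer.lock}',
  '{gems.locked,*/gems.locked,*/*/gems.locked}',
  '{go.sum,*/go.sum,*/*/go.sum}',
  '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}',
  '{package-lock.json,*/package-lock.json,*/*/package-lock.json}',
  '{yarn.lock,*/yarn.lock,*/*/yarn.lock}',
  '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}',
  '{conan.lock,*/conan.lock,*/*/conan.lock}'
].freeze

# Hypothetical, deliberately short stand-in for the much broader
# code-backstage-qa-patterns list currently used by the job.
CODE_BACKSTAGE_QA_PATTERNS = ['app/**/*', 'qa/**/*', 'Gemfile.lock'].freeze

# True when `path` matches `pattern` the way a `changes:` entry would.
def changes_match?(pattern, path)
  File.fnmatch?(pattern, path, FNMATCH_FLAGS)
end

# Changed paths that satisfy at least one pattern. A job whose rule carries
# `changes: patterns` runs if and only if this list is non-empty.
def triggering_paths(patterns, changed_paths)
  changed_paths.select { |path| patterns.any? { |pat| changes_match?(pat, path) } }
end

def job_runs?(patterns, changed_paths)
  !triggering_paths(patterns, changed_paths).empty?
end

# Recursive alternative to the fixed-depth `{x,*/x,*/*/x}` form: with
# FNM_PATHNAME, `**/` matches any number of leading directories.
def recursive_pattern(filename)
  "**/#{filename}"
end

# Constructed MR diffs: a code-only change, a root lockfile bump, and a
# lockfile nested four directories deep that the fixed-depth patterns miss.
CODE_ONLY_MR     = ['app/models/user.rb', 'qa/qa/page/main/login.rb'].freeze
LOCKFILE_MR      = ['Gemfile.lock', 'app/models/user.rb'].freeze
DEEP_LOCKFILE_MR = ['vendor/gems/example/sub/Gemfile.lock'].freeze

if $PROGRAM_NAME == __FILE__
  puts "code-only MR, current rule runs job?   #{job_runs?(CODE_BACKSTAGE_QA_PATTERNS, CODE_ONLY_MR)}"
  puts "code-only MR, proposed rule runs job?  #{job_runs?(DEPENDENCY_PATTERNS, CODE_ONLY_MR)}"
  puts "lockfile MR, triggering paths:         #{triggering_paths(DEPENDENCY_PATTERNS, LOCKFILE_MR).inspect}"
  puts "deep lockfile, fixed-depth patterns:   #{job_runs?(DEPENDENCY_PATTERNS, DEEP_LOCKFILE_MR)}"
  puts "deep lockfile, **/ pattern:            #{job_runs?([recursive_pattern('Gemfile.lock')], DEEP_LOCKFILE_MR)}"
end
```

Run it with `ruby changes_check.rb` and compare the first two lines: the current rule fires the scanner on a pure code change, the proposed rule does not. The last two lines show the depth caveat; if the repository ever carries vendored lockfiles deeper than two directories, the pattern list has to grow (or switch to the `**/` form) or those manifests silently stop being scanned.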