Dependency Scanning for pnpm projects (Gemnasium)

Note to wider-community, sales, support and customer success

As always, we welcome contributions, so feel free to ask the PM of Composition Analysis questions if you are unsure about what needs to be done here and want to contribute the fix yourself!

NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it is raised as part of our sensing mechanisms). Comments should ideally include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve, their setup) in addition to a Salesforce or Zendesk link.

Release notes

Draft: GitLab Dependency Scanning now supports pnpm projects.

Problem to solve

Support pnpm projects in Dependency Scanning (Gemnasium).

Intended users

User experience goal

Proposal

Similar to npm and yarn, pnpm has lock files named pnpm-lock.yaml. These could be directly processed by Gemnasium.
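As an added illustration of what such a lock file parser has to cope with (example code written for this issue, not Gemnasium's or GitLab's own implementation): a dependency-free Python reader that pulls name/version pairs out of the `packages:` section, covering the key layouts pnpm has used in lockfile versions 5, 6 and 9. The two sample lock files and their `sha512-PLACEHOLDER` integrity values are constructed, not taken from a real project.

```python
import re

# Constructed sample lockfiles (not from a real project); integrity values are placeholders.
SAMPLE_V5 = """\
lockfileVersion: 5.4

packages:

  /lodash/4.17.21:
    resolution: {integrity: sha512-PLACEHOLDER}
  /@babel/core/7.20.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  /react-dom/18.2.0_react@18.2.0:
    resolution: {integrity: sha512-PLACEHOLDER}
"""

SAMPLE_V9 = """\
lockfileVersion: '9.0'

packages:

  '@babel/core@7.20.0':
    resolution: {integrity: sha512-PLACEHOLDER}
  react-dom@18.2.0(react@18.2.0):
    resolution: {integrity: sha512-PLACEHOLDER}
"""

_VERSION_RE = re.compile(r"^lockfileVersion:\s*['\"]?(\d+)")

def parse_pnpm_lock(text: str) -> list:
    """Return (name, version) pairs from the `packages:` section; key layouts by
    lockfileVersion: 5.x "/name/version[_peers]", 6.x "/name@version[(peers)]", 9.x "name@version[(peers)]"."""
    major, deps, in_packages = 5, [], False
    for line in text.splitlines():
        m = _VERSION_RE.match(line)
        if m:
            major = int(m.group(1))
        elif line and not line[0].isspace():        # a new top-level section starts
            in_packages = line.rstrip() == "packages:"
        elif in_packages and line.startswith("  ") and not line.startswith("   "):
            key = line.strip().rstrip(":").strip("'\"")  # 2-space-indented keys are package ids
            if major < 6:
                name, version = key.lstrip("/").rsplit("/", 1)
                version = version.split("_", 1)[0]       # drop "_react@18.2.0" peer suffix
            else:
                key = re.sub(r"\(.*\)$", "", key)         # drop "(react@18.2.0)" peer suffix
                name, version = key.lstrip("/").rsplit("@", 1)
            deps.append((name, version))
    return deps
```

The peer-dependency suffixes are the main trap: left in place they would produce versions that never match an advisory database entry, so a scanner would silently miss known vulnerabilities.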

Further details

Permissions and Security

Documentation

To be documented in https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#supported-languages-and-package-managers

Availability & Testing

  • Write unit tests for the new pnpm lock file parser.
  • Add image spec to Gemnasium, to check that the image creates the expected report when scanning a pnpm project.
  • Add spec for the CI template, to check that the scanning job is triggered when there's a pnpm lock file.

A job integration test doesn't seem necessary.

Available Tier

GitLab Ultimate

Feature Usage Metrics

What does success look like, and how can we measure that?

pnpm projects are scanned by Gemnasium. Vulnerabilities are reported in the vulnerability report page. Dependencies are listed in the Dependency List.

What is the type of buyer?

Is this a cross-stage feature?

No

Links / references

Implementation plan

Edited by Olivier Gonzalez