Dependency List has no language info for Go, NuGet, and Sbt dependencies
Summary
In the Dependency List, the Package Manager column doesn't show the programming language when the package manager is Go, NuGet, or Sbt. Also, the package manager name isn't capitalized properly.
This is because these values of the package_manager field of the Dependency Scanning reports are not handled by the Dependency List formatter:
- go
- nuget
- sbt
See #338252 (comment 655979215)
This only impacts the UI.
Steps to reproduce
- Create a project using Go modules, NuGet, or Sbt
- Enable Dependency Scanning and trigger a pipeline
- Go to the Dependency List page
Example Project
https://gitlab.com/gitlab-org/security-products/tests/scala-sbt-multiproject/-/dependencies
What is the current bug behavior?
In the Dependency List, the aforementioned package managers show up in lowercase, and there's no programming language.
Example: sbt
What is the expected correct behavior?
The package manager shows up with a programming language, and its name is capitalized.
Example: Sbt (Java)
Possible fixes
The quick fix is to add the missing package managers to the formatter.
That said, this won't fix the underlying maintenance issue: every new package manager has to be added to the formatter by hand. Also, in the case of NuGet the programming language can't be inferred from the package manager alone. One way to address both problems is to make the Dependency Scanning analyzers responsible for reporting a human-readable name for the package manager along with the language name. This involves:
- adding fields to the security report schemas
- updating the Gemnasium analyzers so that they fill up these new fields
- updating the Rails backend so that it uses these new fields while maintaining backward compatibility
Implementation plan
- Add missing values to formatter and update corresponding specs
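As an added illustration (not GitLab's own code, which lives in the Rails backend), the following Ruby module sketches both fixes described above: a static table that now handles `go`, `nuget` and `sbt` (the quick fix), and a lookup that prefers a name and language carried in the report itself (the longer-term fix), falling back to the table and finally to a capitalized raw value so an unknown package manager is never rendered as-is in lowercase. The report field names `package_manager_name` and `language`, the hash shape of a dependency entry, and the table contents other than the three values named in this issue are assumptions made for the example.

```ruby
# Added example, not GitLab's own formatter. Maps the raw `package_manager`
# value of a Dependency Scanning report entry to a display name and language.
#
# Assumptions (hypothetical): a dependency is a Hash with string keys, and the
# optional report-provided fields are named "package_manager_name" and "language".
module DependencyListFormatter
  # Fallback table, used when the report does not carry a human-readable name.
  # Entries other than go/nuget/sbt are constructed samples for the example.
  # language is nil where it cannot be inferred from the package manager alone.
  KNOWN_PACKAGE_MANAGERS = {
    'bundler' => { name: 'Bundler', language: 'Ruby' },
    'npm'     => { name: 'npm', language: 'JavaScript' },
    'maven'   => { name: 'Maven', language: 'Java' },
    # The three values this issue reports as unhandled:
    'go'      => { name: 'Go', language: 'Go' },
    'nuget'   => { name: 'NuGet', language: nil }, # .NET spans several languages
    'sbt'     => { name: 'Sbt', language: 'Java' }
  }.freeze

  # Resolve { name:, language: } for one dependency.
  # Precedence: report-provided fields, then the static table, then a
  # capitalized raw value with no language (keeps old reports working).
  def self.describe(dependency)
    raw = dependency['package_manager'].to_s.strip
    return { name: '', language: nil } if raw.empty?

    reported_name = presence(dependency['package_manager_name'])
    return { name: reported_name, language: presence(dependency['language']) } if reported_name

    known = KNOWN_PACKAGE_MANAGERS[raw.downcase]
    return { name: known[:name], language: known[:language] } if known

    { name: raw.capitalize, language: nil }
  end

  # Text for the Package Manager column: "Sbt (Java)", or just "NuGet" when
  # no language is known.
  def self.label(dependency)
    info = describe(dependency)
    info[:language] ? "#{info[:name]} (#{info[:language]})" : info[:name]
  end

  # nil for nil/blank strings, otherwise the value itself.
  def self.presence(value)
    value.nil? || value.to_s.strip.empty? ? nil : value
  end
  private_class_method :presence
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample report entries (not real report data).
  samples = [
    { 'package_manager' => 'sbt' },
    { 'package_manager' => 'nuget' },
    { 'package_manager' => 'go' },
    { 'package_manager' => 'nuget', 'package_manager_name' => 'NuGet', 'language' => 'C#' },
    { 'package_manager' => 'cargo' } # unknown to the table: capitalized, no language
  ]
  samples.each do |dep|
    puts "#{dep['package_manager'].ljust(8)} -> #{DependencyListFormatter.label(dep)}"
  end
end
```

The specs that accompany the quick fix would assert on `label` for each of the three newly handled values; the fourth sample shows how a report that already carries the name and language (the schema change proposed above) bypasses the table entirely, which is what keeps the two fixes compatible.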