Dependency Scanning support for DART projects using pub package manager
Proposal
For Dart and Flutter based projects, pub package manager is used to handle dependencies. The pubspec file could be used for detecting dependencies with known security issues. This can be integrated to Gitlab Dependency scanning feature.
Activity
added automation:ml groupcomposition analysis labels
This issue was automatically tagged with the label groupcomposition analysis by TanukiStan, a machine learning classification model, with a probability of 1.
If this label is incorrect, please tag this issue with the correct group label as well as automation:ml wrong to help TanukiStan learn from its mistakes.
This message was generated automatically. You're welcome to improve it.
-
Setting label(s) devopssecure sectionsec based on groupcomposition analysis.
added devopssecure sectionsec labels
added customer label
mentioned in issue gitlab-org/quality/triage-reports#4951 (closed)
- Link to request: Ultimate Customer
- Why we are interested: ...
- Current solution for this problem: ...
- How important to us: medium
- Questions: For awareness and initial assessment
- PM to mention (if known): @NicoleSchwartz
- TAM: @bma
added typefeature label
added GitLab Ultimate label
added backend label
added Category:Dependency Scanning [DEPRECATED] label
changed milestone to %Backlog
added [deprecated] Accepting merge requests label
A gitlab.com GitLab Ultimate customer would make use of this capability for a Flutter/Dart project.
For more details please review the Support Ticket (Internal).
added featureenhancement label
Ultimate customer is interested in this.
Another Ultimate tier customer has requested this feature.
Ticket: Internal only
The following customer is interested in this capability
- Subscription: GitLab Ultimate
- Product: self-managed
- Link to request: SF
- Priority: customer priority5
- Why interested: Many teams are using dart/flutter for mobile development
- Problem they are trying to solve: Adoption of GitLab for security scans and SBOM
- Current solution for this problem: None
- Impact to the customer of not having this: Blocker to GitLab dependency scanning
- PM to mention: @johncrowley
- SA to mention: @pedrickng
Edited by Pedric Kng
Another ultimate customer interested in this feature: https://gitlab.zendesk.com/agent/tickets/546997 (internal only)
-
@johncrowley the above-mentioned Ultimate customer is wondering if it would be possible for us to provide any kind of timeframe on this. Are you able to comment at all on:
- Whether we're looking into this
- When we would possibly look into this if we're not already?
If this isn't on your radar at all yet, I could inform them that this is the case and to track this issue for further information.
Thanks!
Edited by Chris Nightingale 
@cnightingale - this is not on the roadmap yet. We have a number of initiatives to get through before we could address supporting DART for pub package manager. This does fit into our theme of Broadening Scanner coverage, so we will add this to the roadmap at some point. I'd likely revisit next quarter to see where it can fit in.
If the customer wants to chat about groupcomposition analysis I'd be happy to get on a call with them.
Ultimate upgrade potential customer requires the same, https://gitlab.my.salesforce.com/0016100000NmTX8
mentioned in merge request gitlab-org/security-products/analyzers/container-scanning!3060 (closed)
This customer also would benefit from this request.
- Subscription: GitLab Ultimate
- Product: self-managed
- Link to request (Internal)
- PM to mention: @johncrowley
mentioned in merge request !183936 (merged)
mentioned in merge request gitlab-org/security-products/gemnasium-db!36257 (merged)
mentioned in merge request gitlab-com/www-gitlab-com!138453 (merged)
mentioned in merge request gitlab-org/security-products/analyzers/dependency-scanning!141 (merged)
