Deprecate and remove the `artifacts:paths` keyword from Dependency-Scanning template
Why are we doing this work
Dependency Scanning SBOMs were initially stored as regular artifacts, but were changed to reports so that they could be ingested by the GitLab backend. For now, the artifacts are stored as both `archive` and `cyclonedx` types. The `archive` type is no longer needed now that we have `cyclonedx` reports, so we should see about removing it.
The following discussion from !99126 (merged) should be addressed:
@fcatteau: Thanks! Yes, I would do option 2 too, and proceed in 3 steps:

- Start uploading the SBOMs as `reports`. Done with !99126 (merged)
- Deprecate SBOM `artifacts`, and document how SBOM `reports` can be merged.
- Drop SBOM `artifacts`.

We might not even need to migrate the integration tests of Gemnasium, depending on when we drop the existing Dependency Scanning jobs, and replace them with SBOM generators.

That said, SBOM artifacts are in beta according to the docs, so we could also drop them without going through a deprecation cycle. If we decide to do that, we should make sure that merging multiple SBOMs as documented today breaks. For instance, we could save a warning like `CycloneDX artifacts have been replaced with reports` into a JSON file that matches the `artifacts:paths`. It's not JSON, so surely the merge will fail. To me, this is a product decision.

In any case, I recommend we keep the existing SBOM `artifacts` in this MR, and continue the conversation on removing them elsewhere.
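For reference, here is what the change looks like at the `.gitlab-ci.yml` level. This is an added, schematic example written for this issue; it is not the project's actual Dependency Scanning template. The job name, the `/analyzer run` script and the `gl-sbom-*.cdx.json` file pattern are assumptions used for illustration; only the `artifacts:paths` keyword and the `archive`/`cyclonedx` artifact types come from the discussion above.

```yaml
# Added illustrative example, not the project's own template.
# Two YAML documents: "before" keeps both artifact types, "after" keeps only the report.

# --- Before: the same file is uploaded twice ---
dependency_scanning:
  stage: test
  script:
    - /analyzer run                    # assumed analyzer entrypoint
  artifacts:
    paths:
      - "gl-sbom-*.cdx.json"           # archive type (artifacts:paths): to be deprecated
    reports:
      cyclonedx:
        - "gl-sbom-*.cdx.json"         # cyclonedx report type: ingested by the GitLab backend
---
# --- After: only the cyclonedx report remains ---
dependency_scanning:
  stage: test
  script:
    - /analyzer run                    # assumed analyzer entrypoint
  artifacts:
    reports:
      cyclonedx:
        - "gl-sbom-*.cdx.json"         # the only copy of the SBOM the pipeline now produces
```

The practical effect of the "after" form is that any downstream job which previously picked the SBOM files out of the job's archive artifact (for example, a job that merges several SBOMs as the docs currently describe) no longer finds them there, which is exactly the breakage the deprecation notice and the documentation update in step 2 need to cover before step 3 lands.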
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: