Support Paket lock files in Dependency Scanning

Release notes

TODO

Problem to solve

The request is to provide support for Paket lock files in the GitLab Dependency Scanner. There is demand for Paket support from shops with F#-language dependencies in their projects. We currently do not support the Paket lock file type and format; we only support NuGet.

@fcatteau mentioned in an internal discussion that supporting the Paket lock file type is low effort because its format is very similar to the NuGet lock file format.

  • Link to request: https://gitlab.my.salesforce.com/0016100001FoxLoAAJ
  • Priority: customer priority::7
  • Why interested: Some of their projects have dependencies built using F# and they would like to analyze those dependencies for vulnerabilities
  • Problem they are trying to solve: analyze dependencies built in F# for security vulnerabilities
  • Current solution for this problem: none
  • Impact to the customer of not having this: they are not able to analyze their F#-language dependencies with the GitLab dependency scanner
  • Questions:
  • PM to mention: @sam.white

Intended users

User experience goal

Proposal

Update the gemnasium analyzer so that it parses paket.lock, reusing what already exists for NuGet support:

  • Package type support
  • Version range evaluation
  • Advisory DB
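As an added illustration of the parsing step the proposal describes (example code written for this issue, not gemnasium's own), a minimal Go parser for the paket.lock layout: it assumes the indentation-based format documented by Paket (source type or GROUP at column 0, `remote:` lines, `Name (version)` entries, transitive range constraints one level deeper) and works on a constructed sample lock file. It yields the pinned NuGet packages per group, which is the input the existing NuGet version-range evaluation and advisory DB lookup would consume.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// Package is one pinned NuGet package resolved in a paket.lock file.
type Package struct{ Group, Source, Name, Version string }
// samplePaketLock is constructed for this example, not taken from a real project.
const samplePaketLock = `NUGET
  remote: https://api.nuget.org/v3/index.json
    FSharp.Core (6.0.1)
    Newtonsoft.Json (13.0.1) - restriction: >= netstandard2.0
      Microsoft.CSharp (>= 4.3)
GITHUB
  remote: fsharp/FAKE
    modules/Octokit/Octokit.fsx (0000000)
GROUP Build
NUGET
  remote: https://api.nuget.org/v3/index.json
    Fake.Core.Target (5.20.4)
`
var pkgLine = regexp.MustCompile(`^(\S+) \(([^)]+)\)`) // "Name (version)"; a " - restriction:" tail is ignored

// ParsePaketLock returns the pinned NuGet packages of every group. Indentation carries the structure
// (0 = source type or GROUP, 2 = remote, 4 = pinned package, 6 = transitive range constraint).
func ParsePaketLock(content string) []Package {
	var pkgs []Package
	group, source, remote := "Main", "", ""
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		text := strings.TrimSpace(line)
		switch indent := len(line) - len(strings.TrimLeft(line, " ")); {
		case indent == 0 && strings.HasPrefix(text, "GROUP "):
			group = strings.TrimPrefix(text, "GROUP ") // a new dependency group; "Main" is the implicit first one
		case indent == 0:
			source = text // NUGET, GITHUB, GIT, HTTP or a header such as STORAGE: NONE
		case indent == 2 && strings.HasPrefix(text, "remote:"):
			remote = strings.TrimSpace(strings.TrimPrefix(text, "remote:"))
		case indent == 4 && source == "NUGET": // 6-space transitive ranges and non-NuGet sources are skipped
			if m := pkgLine.FindStringSubmatch(text); m != nil {
				pkgs = append(pkgs, Package{group, remote, m[1], m[2]})
			}
		}
	}
	return pkgs
}
```

Only the 4-space lines carry exact versions; the 6-space lines are ranges, so reporting them as pinned versions would produce false findings.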

Alternatively, Paket could be supported via an SBOM generator once the following issues are completed:

Monorepos are out of scope. See #381904 (comment 1188127138)

Further details

Permissions and Security

Same

Documentation

Update docs to mention Paket as a supported package manager. It's supported via paket.lock, and the same scanning job can scan multiple files.

Availability & Testing

  • Unit tests for paket.lock file parser
  • Image specs for gemnasium image and Paket project (fixtures)
  • Job integration test for Dependency Scanning CI template and Paket project (Secure test project)
  • Spec for Dependency Scanning CI template

Available Tier

GitLab Ultimate

Feature Usage Metrics

What does success look like, and how can we measure that?

GitLab reports vulnerabilities in Paket projects (with lock file) where Dependency Scanning has been configured.

What is the type of buyer?

Is this a cross-stage feature?

No

What is the competitive advantage or differentiation for this feature?

Links / references

https://fsprojects.github.io/Paket/

Implementation plan

Edited by Fabien Catteau