Allow all Java and Python files to be scanned
Release notes
Problem to solve
As an Application Security Engineer, I need visibility into all of the vulnerabilities for my projects, including monolithic Java/Python projects with multiple requirements files.
Intended users
User experience goal
Proposal
TBD. See #393078 (comment 1685733755)
Proposal A
- Two new CI variables, `DS_JAVA_SCAN_FILES` and `DS_PYTHON_SCAN_FILES`, will be added for Dependency Scanning to configure one of the following behaviors for Java/Python projects:
  - When the variable is not set (default value is null to avoid a breaking change), only the first detected file will be scanned.
  - When the variable is set to `[]`, all detected files in the project will be scanned.
  - The variables will also accept an array of paths listing the specific files to be scanned. These paths will support basic glob patterns (`*`, `**`, `?`, and `[`).
- When more than one file is to be scanned, either multiple threads or multiple jobs will be used to parallelize the workload and minimize the total scan time.
- When the `PIP_REQUIREMENTS_FILE` variable is set in addition to `DS_PYTHON_SCAN_FILES`, the file defined in `PIP_REQUIREMENTS_FILE` will be scanned in addition to any file(s) identified by `DS_PYTHON_SCAN_FILES`.
- The `PIP_REQUIREMENTS_FILE` variable will be deprecated.
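The selection rules above, written out as a reference model. This is an added illustration, not gemnasium or GitLab code: the function names, the glob-to-regex translation (an assumption about how `*`, `**`, `?` and `[` would be interpreted) and the detected-file list are constructed for the example.

```python
import re
from typing import List, Optional


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate the four glob constructs named in the proposal into a regex.
    Assumed semantics: '**' may cross '/', '*' and '?' may not, and a
    '[...]' character class is passed through unchanged."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):      # zero or more leading directories
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):     # any path, may cross '/'
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        elif pattern[i] == "[" and "]" in pattern[i:]:
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def select_scan_files(detected: List[str], scan_files: Optional[List[str]],
                      pip_requirements_file: Optional[str] = None) -> List[str]:
    """Apply DS_PYTHON_SCAN_FILES / DS_JAVA_SCAN_FILES to the files the
    analyzer detected, in detection order (hypothetical model)."""
    if scan_files is None:          # variable unset: first detected file only
        selected = detected[:1]
    elif scan_files == []:          # empty array: every detected file
        selected = list(detected)
    else:                           # explicit paths / globs
        regexes = [glob_to_regex(p) for p in scan_files]
        selected = [f for f in detected if any(r.match(f) for r in regexes)]
    # PIP_REQUIREMENTS_FILE is scanned in addition to the selection above
    if pip_requirements_file and pip_requirements_file not in selected:
        selected.append(pip_requirements_file)
    return selected


# Constructed detection order for a monolithic Python repo (example data)
DETECTED = ["requirements.txt", "api/requirements.txt",
            "api/requirements-dev.txt", "worker/requirements.txt",
            "vendor/lib/requirements.txt"]
```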
Proposal B
- Introduce a new CI variable `DS_SCAN_PATHS`.
- This is supported by gemnasium, gemnasium-maven, and gemnasium-python.
  - NOTE: At the moment gemnasium-maven and gemnasium-python can only scan one Java and Python project, respectively.
- Deprecate existing variables that overlap with the new one:
  - `PIP_REQUIREMENTS_FILE`
  - NOTE: `DS_MAX_DEPTH` and `DS_EXCLUDED_PATHS` don't necessarily conflict with the new one if `DS_SCAN_PATHS` contains paths of directories. For example, consider a repo whose top-level directories are `client`, `server`, and `shared`. `server` and `shared` are ignored by setting `DS_SCAN_PATHS` to `client`. Sub-directories of `client` can then be ignored using `DS_MAX_DEPTH` and `DS_EXCLUDED_PATHS`.
Further details
Permissions and Security
Documentation
The new variables will be documented in https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
Availability & Testing
Available Tier
Feature Usage Metrics
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
What is the competitive advantage or differentiation for this feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.