Spike: Where do we use Dependency Scanning reports in the codebase?
Time-boxed: 2 days
Topic to Evaluate
Before implementing a new method of Dependency Scanning that no longer relies on parsing Dependency Scanning reports, we need to know where legacy Dependency Scanning reports are used to ingest vulnerabilities. See Dependency Scanning: CVS Trigger scans on Advis... (&9534 - closed)
Tasks to Evaluate
- Identify bits of code that directly use Dependency Scanning reports:
  - Models
    - `EE::MergeRequest`: #394728 (comment 1304715320)
    - `EE::Ci::Pipeline`: #394728 (comment 1304579100) and #394728 (comment 1304577087)
  - Controllers
    - `EE::Projects::MergeRequestsController`: #394728 (comment 1304715320)
    - `EE::Projects::PipelinesController`: #394728 (comment 1304950894)
  - Services
    - `Security::Ingestion::IngestReportsService`: #394728 (comment 1304674048)
  - Finders
    - `Security::FindingsFinder`: #394728 (comment 1304674048)
    - `Security::PureFindingsFinder`: #394728 (comment 1304674048)
    - `Sbom::DependenciesFinder`: #394728 (comment 1303104305) (does not use a dependency report, but can be reused to fetch dependencies from SBOM components)
    - `Security::PipelineVulnerabilitiesFinder`: #394728 (comment 1304616803)
  - Workers
    - `StoreSecurityReportsWorker`: #394728 (comment 1304674048)
- Ensure that these classes cover all areas where project dependencies and findings are exposed:
  - REST API
  - GraphQL
  - MR widget
  - Project > Security and Compliance > Dependency list
  - Project > Security and Compliance > Vulnerability report
  - Pipeline > Security
- Optionally, make specific suggestions on how to update the code, and add abstraction layers to switch between the old implementation and the new implementation.
- Create issues:
  - Store security findings detected in SBOMs when ... (#395704 - closed) • Unassigned • Backlog • At risk
  - Generate dependency list from CycloneDX components (#395724 - closed) • Oscar Tovar
  - Remove deprecated EE::Ci::Pipeline#with_legacy_... (#395725) • Unassigned • Backlog
  - Deprecate the `dependency_files` field in the s... (#396376 - closed) • Olivier Gonzalez, Alana Bellucci • 16.9 • Needs attention
Auto-Summary 🤖
Last updated by this job
- TOPIC Where do we make direct use of Dependency Scanning reports? #394728 (comment 1303007506)
- TOPIC How to refactor code that relies on Dependency Scanning reports #394728 (comment 1303008515)
- TOPIC Should we deprecate support for the dependency scanning report? #394728 (comment 1306110786)
- TOPIC How should we handle findings only discovered by the new dependency scanning method when the feature flag is disabled? #394728 (comment 1309800001)
- TOPIC How are dependencies added to the dependency list? #394728 (comment 1312335970)