Update Gemnasium analyzer to adopt the new security report schema and stop generating the `dependency_files` property
Why are we doing this work
Following our migration toward the SBOM report as the source of components, and the decision to deprecate and remove the `dependency_files` property of the Dependency Scanning report, we now need to update the analyzer to stop generating this property. To do so, the analyzer must also adopt the new Security report schema that will be released with Remove the `dependency_files` property from the... (#439770 - closed).
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: Update Gemnasium's unit tests & integration tests.
Implementation plan
- Update the `report` module to remove the generated `dependency_files` attribute (Remove dependency files attribute from generate... (gitlab-org/security-products/analyzers/report!81 - closed) • Igor Frenkel)
- Update the `command` module to remove `dependency_files` from the `jsonout` output (Do not output dependency files in jsonout (gitlab-org/security-products/analyzers/command!51 - closed) • Igor Frenkel)
- Update Gemnasium (Remove dependency_files attribute (gitlab-org/security-products/analyzers/gemnasium!679 - merged) • Igor Frenkel)
  - Update the `convert` package so that it no longer sets `report.Report.DependencyFiles`.
  - Update `convert_test.go` to reference the JSON schema released in Remove the `dependency_files` property from the... (#439770 - closed).
  - Remove `DS_DEPENDENCY_PATH_MODE`.
  - Simplify `convert.NewFileConvert`.
  - Do not set `report.Dependency.IID`.
  - Remove all code related to `DS_DEPENDENCY_PATH_MODE`.
  - NOTE: We still need the dependency `graph` and `index` in order to add `Introduced by package` and `Shortest path` to the vulnerability details.
  - Update the expected reports in the `qa/expect` directory.
    - Bump `.version` to match the JSON schema released in Remove the `dependency_files` property from the... (#439770 - closed).
    - Remove `.vulnerabilities[].location.dependency.iid`.
    - Remove `.dependency_files`.
- ⚠ Release as v5, to be used in GitLab 17.x. Do not merge in master since this is not backward compatible.
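As an added illustration that is not part of this issue or of the Gemnasium code base, the Python below applies the three `qa/expect` changes (bump `.version`, drop `.vulnerabilities[].location.dependency.iid`, drop `.dependency_files`) to a constructed sample report and lists any of those paths still present, which is the kind of check a test on the updated expected reports would make. The sample report and the new schema version are assumptions; the issue does not state the version number.

```python
import copy
import json

# Constructed sample of a pre-v5 Dependency Scanning report (not taken from the issue).
# The second vulnerability has no dependency location, the edge case the walk must tolerate.
OLD_REPORT_JSON = """
{
  "version": "15.0.0",
  "vulnerabilities": [
    {"id": "vuln-1",
     "location": {"file": "go.sum",
                  "dependency": {"iid": 1, "package": {"name": "example/pkg"}, "version": "1.2.3"}}},
    {"id": "vuln-2",
     "location": {"file": "package-lock.json"}}
  ],
  "dependency_files": [{"path": "go.sum", "package_manager": "go", "dependencies": []}]
}
"""

# Placeholder: the issue does not state the schema version released with #439770.
NEW_SCHEMA_VERSION = "NEW-SCHEMA-VERSION-PLACEHOLDER"


def load_sample_report() -> dict:
    """Parse the constructed sample report."""
    return json.loads(OLD_REPORT_JSON)


def migrate_expected_report(report: dict, new_version: str) -> dict:
    """Apply the three qa/expect changes from the plan and return a new dict."""
    out = copy.deepcopy(report)
    out["version"] = new_version                     # bump .version
    out.pop("dependency_files", None)                # remove .dependency_files
    for vuln in out.get("vulnerabilities", []):
        dep = vuln.get("location", {}).get("dependency")
        if isinstance(dep, dict):                    # vulns without a dependency location are left alone
            dep.pop("iid", None)                     # remove .vulnerabilities[].location.dependency.iid
    return out


def report_violations(report: dict) -> list:
    """Return jq-style paths that a v5 report must no longer contain (empty list if clean)."""
    found = []
    if "dependency_files" in report:
        found.append(".dependency_files")
    for i, vuln in enumerate(report.get("vulnerabilities", [])):
        dep = vuln.get("location", {}).get("dependency") or {}
        if "iid" in dep:
            found.append(f".vulnerabilities[{i}].location.dependency.iid")
    return found
```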
Verification steps
It's all covered by unit tests and integration tests. These are updated as part of the implementation plan.
Edited by Igor Frenkel