Remove Dependency Scanning report generation from the Container Scanning analyzer
Why are we doing this work
The Container Scanning analyzer currently generates a DS report for the sole purpose of providing a list of components in the format that the Dependency list page in the GitLab UI expects (see docs https://docs.gitlab.com/ee/user/application_security/container_scanning/#dependency-list). Starting with 17.0, the Dependency List will source its data from the CycloneDX SBOM report instead.
Note that this was only available with the Trivy scanner, and we've decided to drop the Grype scanner implementation in 17.0 too.
Relevant links
Non-functional requirements
- Documentation:
- Feature flag:
- Performance:
- Testing:
Implementation plan
- remove the CS_DISABLE_DEPENDENCY_LIST env variable
- remove all relevant code pertaining to generating the Dependency Scanning report
- update specs
- update the Dependency list section in CS documentation accordingly
Forgotten initially:
- Update CI templates to remove the artifacts:reports:dependency-scanning declaration
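As an added illustration (not part of this issue or of the template itself), the shape of the CI template change for the container_scanning job: the Dependency Scanning report declaration goes, while the container scanning report and the CycloneDX SBOM stay, since the SBOM is what the Dependency List reads from 17.0. The report filenames and the paths list are assumptions about the template; the report key is spelled `dependency_scanning`, as GitLab CI names that report type.

```yaml
# Before (assumed shape of the job; filenames are assumptions)
container_scanning:
  stage: test
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
      dependency_scanning: gl-dependency-scanning-report.json  # removed by this issue
      cyclonedx: "**/gl-sbom-*.cdx.json"
    paths:
      - gl-container-scanning-report.json
      - gl-dependency-scanning-report.json  # file is no longer written, so drop it too
      - "**/gl-sbom-*.cdx.json"
---
# After: the SBOM remains the source for the Dependency List
container_scanning:
  stage: test
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
      cyclonedx: "**/gl-sbom-*.cdx.json"
    paths:
      - gl-container-scanning-report.json
      - "**/gl-sbom-*.cdx.json"
```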
Verification steps
Edited by Olivier Gonzalez