Remove Dependency Scanning report generation from the Container Scanning analyzer

Why are we doing this work

The Container Scanning analyzer currently generates a Dependency Scanning (DS) report for a single purpose: providing a list of components in the format the Dependency list page in the GitLab UI expects (see docs https://docs.gitlab.com/ee/user/application_security/container_scanning/#dependency-list). Starting with 17.0 the Dependency List will source its data from the CycloneDX SBOM report instead, so the DS report produced by the analyzer becomes redundant.

Note that DS report generation was only ever implemented for the Trivy scanner, and we've decided to drop the Grype scanner implementation in 17.0 as well.

Relevant links

  • #396376 (closed)

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • remove the CS_DISABLE_DEPENDENCY_LIST environment variable (it has nothing left to disable once the report is gone)
  • remove all code pertaining to generating the Dependency Scanning report
  • update specs
  • update the Dependency list section of the Container Scanning documentation accordingly

Forgotten initially:

  • Update CI templates to remove the artifacts:reports:dependency_scanning declaration (and the matching gl-dependency-scanning-report.json entry in artifacts:paths)
    • https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.gitlab-ci.yml
    • https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Container-Scanning.latest.gitlab-ci.yml
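The shape of the template change, as an added illustration that is not the content of either linked template and not code from this issue. The two jobs below are reduced, side-by-side "before" and "after" versions of a container_scanning job modelled on the template's structure; the report file names, the `**/gl-sbom-*.cdx.json` glob and the `gtcs scan` command are assumed to match the analyzer's conventions and are not taken from this page.

```yaml
# Illustrative only: reduced container_scanning jobs modelled on the shape of
# the GitLab CI template, not the template's verbatim content. File names and
# the scan command are assumptions.

# Before (16.x): the job declared the Dependency Scanning report alongside the
# container scanning report and the CycloneDX SBOM.
container_scanning_before:
  stage: test
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
      dependency_scanning: gl-dependency-scanning-report.json   # removed in 17.0
      cyclonedx: "**/gl-sbom-*.cdx.json"
    paths:
      - gl-container-scanning-report.json
      - gl-dependency-scanning-report.json                       # removed in 17.0
      - "**/gl-sbom-*.cdx.json"
  script:
    - gtcs scan

# After (17.0): only the container scanning report and the SBOM remain; the
# Dependency List page is fed by the cyclonedx report, so nothing else has to
# change for the UI.
container_scanning_after:
  stage: test
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
      cyclonedx: "**/gl-sbom-*.cdx.json"
    paths:
      - gl-container-scanning-report.json
      - "**/gl-sbom-*.cdx.json"
  script:
    - gtcs scan
```

Two things to check when applying this: the cyclonedx report declaration must stay, because it is now the only source the Dependency List reads from the container_scanning job; and any project that overrides container_scanning's artifacts block in its own pipeline config, or any downstream job that consumed gl-dependency-scanning-report.json from this job, will no longer find that file and should switch to the SBOM artifact.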

Verification steps

Edited Apr 26, 2024 by Olivier Gonzalez