Archived projects appear in the group dependency list
Summary
Dependencies found in archived projects are included in the group dependency list. This adds unnecessary results, since archived projects are presumably no longer maintained.

It can also leave stale unknown findings in the list. If a dependency scanning job detects a package that is not currently associated with a license, the dependency is classified as unknown. If that license is later added to the database, the listing is not updated until a subsequent scan runs, and archived projects are not rescanned, so the unknown classification never goes away.
Steps to reproduce
- Run a dependency scan on a project within a group.
- Archive the project.
- View the group level dependency list.
- Observe archived project's dependencies in the group level dependency list.
What is the current bug behavior?
Dependency listings for archived projects appear in the group level dependency list.
What is the expected correct behavior?
Dependency listings for archived projects do not appear in the group level dependency list.
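The following Ruby snippet is an added illustration of the behaviour described in the summary and in the expected-behaviour section above; it is not GitLab's code, and the `Project`/`Dependency` structs, the `group_dependencies` and `stale_unknown_findings` method names and the sample rows are all assumptions constructed for the example. It builds the group-level list with archived projects excluded (the expected behaviour), allows the current behaviour to be reproduced with `include_archived: true`, and separately flags unknown-license findings that belong to archived projects, which can never be refreshed because those projects are not rescanned.

```ruby
# Illustrative model of a group dependency list and the archived-project
# filter this issue asks for. Not GitLab's implementation: the structs,
# method names and data below are assumptions made for this example.

Project    = Struct.new(:id, :name, :archived, keyword_init: true)
Dependency = Struct.new(:project_id, :name, :version, :license, keyword_init: true)

# Build the group-level dependency list.
# Default (expected behaviour): dependencies of archived projects are omitted.
# include_archived: true reproduces the current (buggy) behaviour.
def group_dependencies(projects, dependencies, include_archived: false)
  return dependencies.dup if include_archived

  archived_ids = projects.select(&:archived).map(&:id)
  dependencies.reject { |dep| archived_ids.include?(dep.project_id) }
end

# Unknown-license findings in archived projects are permanently stale: the
# classification only changes when a new scan runs, and archived projects
# do not run new scans. Return those findings so they can be reported.
def stale_unknown_findings(projects, dependencies)
  archived_ids = projects.select(&:archived).map(&:id)
  dependencies.select do |dep|
    dep.license == "unknown" && archived_ids.include?(dep.project_id)
  end
end

# Constructed sample data (not taken from the issue's verification group).
PROJECTS = [
  Project.new(id: 1, name: "Active Project",   archived: false),
  Project.new(id: 2, name: "Archived Project", archived: true),
].freeze

DEPENDENCIES = [
  Dependency.new(project_id: 1, name: "rails",    version: "7.0.8",  license: "MIT"),
  Dependency.new(project_id: 2, name: "nokogiri", version: "1.15.4", license: "MIT"),
  Dependency.new(project_id: 2, name: "oldlib",   version: "0.1.0",  license: "unknown"),
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "current behaviour (archived included):"
  group_dependencies(PROJECTS, DEPENDENCIES, include_archived: true).each { |d| puts "  #{d.name} #{d.version} (#{d.license})" }

  puts "expected behaviour (archived excluded):"
  group_dependencies(PROJECTS, DEPENDENCIES).each { |d| puts "  #{d.name} #{d.version} (#{d.license})" }

  puts "unknown-license findings that will never be refreshed:"
  stale_unknown_findings(PROJECTS, DEPENDENCIES).each { |d| puts "  #{d.name} (project #{d.project_id})" }
end
```

The filter keys on the project's `archived` flag rather than on the dependency rows themselves, since that is the only state that changes in the reproduction steps (the scan results for the project are unchanged when it is archived).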
Output of checks
This bug happens on GitLab.com
Possible fixes
Verification steps
- Go to https://gitlab.com/groups/gitlab-org/govern/threat-insights-demos/verification-projects/verify-408846-group/-/dependencies
- Filter by `project = Archived Project`
- Notice that dependencies appear in the list
- Go to https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/verify-408846-group/archived-project/edit and archive the project
- Repeat steps 1 and 2
- Dependencies from Archived Project should no longer appear in the list
Edited by Brian Williams