Ingest dependency graph and show dependency path
Why are we doing this work
As discussed in this thread, dependency_files will be removed from the security reports, and there is a need for an equivalent feature derived from CycloneDX reports (i.e., the dependency graph).
Relevant links
Implementation plan
- database: Create a new `jsonb` column in `sbom_occurrences` in order to store `ancestors` in the following format: `[{name: 'name', version: '0.0.0'}]`.
- backend: Update `ancestors` to be based on the persisted information.
- backend: Update `occurrence_map` and/or `occurrence_map_collection` in order to process occurrences (based on `dependsOn`) into a hash that allows fast lookup of shortest paths. See this comment for more details.
- backend: Update ingestion to ingest `ancestors`.
Open question: should we also store this information on `sbom_sources`?
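As an added example (not code from this issue or from GitLab itself) of the `dependsOn`-based processing the plan describes: it reads a constructed CycloneDX-style document, builds a lookup hash from each `bom-ref` to its `dependsOn` children, runs a breadth-first search from the root component so every component gets its shortest path, and emits `ancestors` for each occurrence in the `[{name: 'name', version: '0.0.0'}]` shape. The sample bom-refs, component names, the cycle between `qs` and `side-channel`, the unreachable `orphan` component and the helper names are all assumptions made for the example; a component that is not reachable from the root gets an empty ancestor list rather than an error.

```ruby
require 'json'

# Constructed CycloneDX-style fragment (not a real report). It contains a
# cycle (qs <-> side-channel) and a component no dependency entry points to.
SAMPLE_SBOM = JSON.parse(<<~SBOM)
{
  "metadata": { "component": { "bom-ref": "pkg:app", "name": "app", "version": "1.0.0" } },
  "components": [
    { "bom-ref": "pkg:npm/express@4.18.2",     "name": "express",      "version": "4.18.2" },
    { "bom-ref": "pkg:npm/body-parser@1.20.1", "name": "body-parser",  "version": "1.20.1" },
    { "bom-ref": "pkg:npm/qs@6.11.0",          "name": "qs",           "version": "6.11.0" },
    { "bom-ref": "pkg:npm/side-channel@1.0.4", "name": "side-channel", "version": "1.0.4" },
    { "bom-ref": "pkg:npm/orphan@0.1.0",       "name": "orphan",       "version": "0.1.0" }
  ],
  "dependencies": [
    { "ref": "pkg:app",                    "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/qs@6.11.0"] },
    { "ref": "pkg:npm/express@4.18.2",     "dependsOn": ["pkg:npm/body-parser@1.20.1", "pkg:npm/qs@6.11.0"] },
    { "ref": "pkg:npm/body-parser@1.20.1", "dependsOn": ["pkg:npm/qs@6.11.0"] },
    { "ref": "pkg:npm/qs@6.11.0",          "dependsOn": ["pkg:npm/side-channel@1.0.4"] },
    { "ref": "pkg:npm/side-channel@1.0.4", "dependsOn": ["pkg:npm/qs@6.11.0"] }
  ]
}
SBOM

# bom-ref => { name:, version: } for every declared component.
def component_index(sbom)
  sbom.fetch('components', []).each_with_object({}) do |c, index|
    index[c['bom-ref']] = { name: c['name'], version: c['version'] }
  end
end

# bom-ref => [child bom-refs], straight from the dependencies array.
def dependency_edges(sbom)
  sbom.fetch('dependencies', []).each_with_object({}) do |d, edges|
    edges[d['ref']] = Array(d['dependsOn'])
  end
end

# BFS from the root component. Returns bom-ref => shortest path of refs from
# the root to that ref (root excluded, ref itself included). The first visit
# of a node is always along a shortest path, and the visited check breaks cycles.
def shortest_paths(sbom)
  root = sbom.dig('metadata', 'component', 'bom-ref')
  edges = dependency_edges(sbom)
  paths = { root => [] }
  queue = [root]
  until queue.empty?
    current = queue.shift
    edges.fetch(current, []).each do |child|
      next if paths.key?(child) # already reached by an equal-or-shorter path
      paths[child] = paths[current] + [child]
      queue << child
    end
  end
  paths
end

# bom-ref => ancestors in the issue's persisted format. The ancestor chain is
# the shortest path minus the component itself; components unreachable from the
# root (or referenced only by an unknown ref) yield an empty list.
def ancestors_by_ref(sbom)
  index = component_index(sbom)
  paths = shortest_paths(sbom)
  index.keys.each_with_object({}) do |ref, out|
    path = paths.fetch(ref, [])
    out[ref] = path[0...-1].map { |r| index.fetch(r) { { name: r, version: nil } } }
  end
end

puts JSON.pretty_generate(ancestors_by_ref(SAMPLE_SBOM)) if $PROGRAM_NAME == __FILE__
```

With the sample above, `body-parser` resolves to `[{name: 'express', version: '4.18.2'}]`, `side-channel` to `[{name: 'qs', version: '6.11.0'}]` (the cycle back to `qs` is ignored), and `express`, `qs` and `orphan` to `[]`; because `qs` is also a direct dependency of the root, the longer `express -> body-parser -> qs` route is never chosen.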
Report examples:
| Dependency scanning | CycloneDx |
|---|---|
| gl-dependency-scanning-report.json | gl-sbom-trivy-report.cdx.json |
Example of the existing feature:
Verification steps
- The FF has been enabled for this project.
- Go to the project-level dependency list page.
- Check that ancestors are being displayed (including the popup dialog).
Edited by Zamir Martins
