Ingest dependency graph and show dependency path
Why are we doing this work
As discussed in this thread, dependency_files will be removed from the security reports, so an equivalent feature is needed that is based on CycloneDX reports (i.e., the dependency graph they carry via `dependsOn`).
Relevant links
Implementation plan
- database: Create a new jsonb column in `sbom_occurrences` in order to store `ancestors` in the following format: `[{name: 'name', version: '0.0.0'}]`.
- backend: Update `ancestors` to be based on the persisted information.
- backend: Update `occurrence_map` and/or `occurrence_map_collection` in order to process occurrences (based on `dependsOn`) into a hash for fast lookup of shortest paths. See this comment for more details.
- backend: Update ingestion to ingest `ancestors`.
Open question: Should we also store this information on `sbom_sources`?
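The following is an added illustration of the backend steps above (it is not GitLab's own code and does not use its models). It parses a constructed CycloneDX document, builds a `dependsOn` lookup hash, derives each component's `ancestors` in the `[{name:, version:}]` format the jsonb column would hold, and uses a breadth-first search over that hash to find the shortest path from the root component to any occurrence. The class and method names (`DependencyGraph`, `ancestors`, `shortest_path`) and the sample report are assumptions made for this example.

```ruby
require 'json'

# Constructed CycloneDX-style report for this example (not a real gl-sbom-trivy-report.cdx.json).
# Graph: app -> a -> b -> c, and app -> c directly, so the shortest path to c has length 1.
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": { "component": { "bom-ref": "app", "name": "app", "version": "1.0.0" } },
    "components": [
      { "bom-ref": "pkg:npm/a@1.0.0", "name": "a", "version": "1.0.0" },
      { "bom-ref": "pkg:npm/b@2.0.0", "name": "b", "version": "2.0.0" },
      { "bom-ref": "pkg:npm/c@3.0.0", "name": "c", "version": "3.0.0" }
    ],
    "dependencies": [
      { "ref": "app",             "dependsOn": ["pkg:npm/a@1.0.0", "pkg:npm/c@3.0.0"] },
      { "ref": "pkg:npm/a@1.0.0", "dependsOn": ["pkg:npm/b@2.0.0"] },
      { "ref": "pkg:npm/b@2.0.0", "dependsOn": ["pkg:npm/c@3.0.0"] },
      { "ref": "pkg:npm/c@3.0.0", "dependsOn": [] }
    ]
  }
JSON

# Hypothetical helper: indexes a parsed CycloneDX document by bom-ref.
class DependencyGraph
  attr_reader :root_ref

  def initialize(report)
    root = report.dig('metadata', 'component')
    @root_ref = root && root['bom-ref']

    # bom-ref => { name:, version: }  (the shape stored in the ancestors column)
    @components = {}
    report.fetch('components', []).each do |c|
      @components[c['bom-ref']] = { name: c['name'], version: c['version'] }
    end
    @components[@root_ref] = { name: root['name'], version: root['version'] } if root

    # Forward edges (dependsOn) for path search and reverse edges for ancestors.
    @depends_on = Hash.new { |h, k| h[k] = [] }
    @parents = Hash.new { |h, k| h[k] = [] }
    report.fetch('dependencies', []).each do |dep|
      dep.fetch('dependsOn', []).each do |child|
        @depends_on[dep['ref']] << child
        @parents[child] << dep['ref']
      end
    end
  end

  def self.from_json(json)
    new(JSON.parse(json))
  end

  # Direct parents of an occurrence, in the [{name:, version:}] column format.
  # Refs that appear in dependsOn but have no component entry are skipped.
  def ancestors(ref)
    @parents[ref].filter_map { |parent| @components[parent] }
  end

  # Shortest path from the root component to ref as a list of {name:, version:}.
  # Returns nil for unknown or unreachable refs; the visited hash also stops cycles.
  def shortest_path(ref)
    return nil unless @components.key?(ref)

    previous = { @root_ref => nil }
    queue = [@root_ref]
    until queue.empty?
      current = queue.shift
      break if current == ref

      @depends_on[current].each do |child|
        next if previous.key?(child)

        previous[child] = current
        queue << child
      end
    end
    return nil unless previous.key?(ref)

    path = []
    node = ref
    while node
      path.unshift(@components.fetch(node))
      node = previous[node]
    end
    path
  end
end

if $PROGRAM_NAME == __FILE__
  graph = DependencyGraph.from_json(SAMPLE_SBOM)
  puts graph.ancestors('pkg:npm/c@3.0.0').inspect
  puts graph.shortest_path('pkg:npm/c@3.0.0').map { |n| "#{n[:name]}@#{n[:version]}" }.join(' -> ')
end
```

Persisting only the direct parents (as the plan proposes) keeps the column small; the full path is then reconstructed at read time by walking the stored ancestors or, as here, by a BFS over the `dependsOn` hash, which is why that hash is worth building once per report during ingestion rather than per lookup.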
Report examples:
| Dependency scanning | CycloneDX |
|---|---|
| gl-dependency-scanning-report.json | gl-sbom-trivy-report.cdx.json |
Example of the existing feature:
Verification steps
- The feature flag has been enabled for this project.
- Go to the project-level dependency list page.
- Check that ancestors are being displayed (including the popup dialog).
Edited by Zamir Martins