Report dependency paths for Maven
Proposal
Update the analyzer to parse the output of the dependency graph generated by Maven.
You can generate a graph by running `mvn dependency:tree -D outputType=json -D outputFile=maven.graph.json`.
The analyzer will find `maven.lock`, and parse it as this form of dependency graph.
Implementation plan
- Add `maven.graph.json` to the package manager known files.
- Create the `scanner/parser/maven/` directory and add a `maven.go` and `maven_test.go` set of files.
- Add a parser function that can parse the graph export and test that it parses valid graph exports, and errors on invalid graph exports.
- Add an e2e test for the graph export parsing and ensure that it produces a valid CDX report.
- Document in README.md and the test fixture directory how to reproduce the graph export for future reference.
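As an added illustration of the parser step in the plan above (this is example code, not the analyzer's own `maven.go` or anything from the project), the sketch below decodes a graph export, rejects malformed input, and computes the chain of coordinates from the root project to every dependency, which is what a dependency-path report needs. The JSON field names (`groupId`, `artifactId`, `version`, `scope`, `children`) are assumed to match what the Maven dependency plugin writes with `-DoutputType=json` and are not taken from this issue; the `sampleGraph` export is constructed for the example, and the depth cap is a defensive choice of this example rather than a plugin limit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// maxDepth caps recursion so a corrupt or hostile export cannot exhaust the
// stack; real Maven trees are nowhere near this deep. (Assumed limit.)
const maxDepth = 256

// Node is one entry of the JSON written by `mvn dependency:tree -DoutputType=json`.
// The field names are an assumption about the plugin's output; fields the
// plugin emits that are not listed here (type, classifier, optional) are ignored.
type Node struct {
	GroupID    string `json:"groupId"`
	ArtifactID string `json:"artifactId"`
	Version    string `json:"version"`
	Scope      string `json:"scope"`
	Children   []Node `json:"children"`
}

// Coordinate returns the groupId:artifactId:version key used in reports.
func (n *Node) Coordinate() string {
	return n.GroupID + ":" + n.ArtifactID + ":" + n.Version
}

// ParseGraph decodes a graph export and rejects malformed JSON (including
// trailing data), nodes without full coordinates, and excessive nesting.
func ParseGraph(data []byte) (*Node, error) {
	var root Node
	if err := json.Unmarshal(data, &root); err != nil {
		return nil, fmt.Errorf("maven graph: %w", err)
	}
	if err := validate(&root, 0); err != nil {
		return nil, err
	}
	return &root, nil
}

func validate(n *Node, depth int) error {
	if depth > maxDepth {
		return fmt.Errorf("maven graph: nesting deeper than %d levels", maxDepth)
	}
	if n.GroupID == "" || n.ArtifactID == "" || n.Version == "" {
		return fmt.Errorf("maven graph: node %q is missing groupId, artifactId or version", n.Coordinate())
	}
	for i := range n.Children {
		if err := validate(&n.Children[i], depth+1); err != nil {
			return err
		}
	}
	return nil
}

// DependencyPaths returns, for every dependency coordinate in the tree, each
// chain of coordinates leading from the root project down to it. The root is
// the project itself, so it only ever appears as the first element of a path.
func DependencyPaths(root *Node) map[string][][]string {
	paths := make(map[string][][]string)
	var walk func(n *Node, trail []string)
	walk = func(n *Node, trail []string) {
		trail = append(trail, n.Coordinate())
		if len(trail) > 1 {
			// Copy before storing: sibling calls reuse the same backing array.
			snapshot := append([]string(nil), trail...)
			key := n.Coordinate()
			paths[key] = append(paths[key], snapshot)
		}
		for i := range n.Children {
			walk(&n.Children[i], trail)
		}
	}
	walk(root, nil)
	return paths
}

// FormatPath renders a path the way a report would show it.
func FormatPath(path []string) string {
	return strings.Join(path, " > ")
}

// sampleGraph is a constructed export for a hypothetical com.example:app
// project; it is not the output of a real build.
const sampleGraph = `{
  "groupId": "com.example", "artifactId": "app", "version": "1.0.0", "scope": "",
  "children": [
    {"groupId": "org.apache.commons", "artifactId": "commons-lang3", "version": "3.12.0", "scope": "compile", "children": []},
    {"groupId": "com.fasterxml.jackson.core", "artifactId": "jackson-databind", "version": "2.15.2", "scope": "compile",
     "children": [
       {"groupId": "com.fasterxml.jackson.core", "artifactId": "jackson-annotations", "version": "2.15.2", "scope": "compile", "children": []},
       {"groupId": "com.fasterxml.jackson.core", "artifactId": "jackson-core", "version": "2.15.2", "scope": "compile", "children": []}
     ]},
    {"groupId": "junit", "artifactId": "junit", "version": "4.13.2", "scope": "test",
     "children": [
       {"groupId": "org.hamcrest", "artifactId": "hamcrest-core", "version": "1.3", "scope": "test", "children": []}
     ]}
  ]
}`

func main() {
	root, err := ParseGraph([]byte(sampleGraph))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Print the path(s) to one transitive dependency, as a report would.
	for _, chain := range DependencyPaths(root)["com.fasterxml.jackson.core:jackson-core:2.15.2"] {
		fmt.Println(FormatPath(chain))
	}
}
```

Keying the result by full coordinate means a vulnerable version found by the scanner can be looked up directly; a node with incomplete coordinates is treated as an invalid export rather than silently dropped, so a truncated or hand-edited file fails loudly in the e2e test instead of producing a report with missing paths.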
Documentation
Dependency Path support for this particular package manager should be documented in the Dependency Scanning documentation.
What does success look like, and how can we measure that?
The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.
What is the type of buyer?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.