Removal of gl-dependency-scanning-report.json as an artifact in the Jobs/Container-Scanning.gitlab-ci.yml template

Proposal

The Dependency Scanning report in the Container Scanning job was used to provide the list of components for the dependency list (via the dependency_files property). We've moved all that data source to the SBOM in 17.0, so we no longer need that report in the Container Scanning job.

The Container Scanning job also no longer produces a Dependency Scanning report to provide the list of Operating System components as this is replaced with the CycloneDX SBOM report.

Currently, in a Container Scanning job during artifacts upload, the following message appears in the job log since the template still has gl-dependency-scanning-report.json in artifacts:paths:

WARNING: gl-dependency-scanning-report.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/group-name/project-name) 

The issue proposes removing this file from artifacts:paths in the container scanning template and evaluating any impact this change might have.

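A job-log check built on the warning quoted above, as an added example that is not part of the issue or of GitLab's code: it pulls out the artifact paths the runner reported as missing and separates the known-stale template entry from a report that is unexpectedly absent. The sample log, the `EXPECTED_MISSING` allowlist, the `found ...` line format and the ANSI colour codes are assumptions.

```python
import re

# Constructed sample of the artifact-upload part of a job log (not real output).
# The WARNING line follows the format quoted in the issue; the "found ..." line
# and the ANSI colour codes are assumptions about typical runner output.
SAMPLE_LOG = (
    "Uploading artifacts...\n"
    "gl-container-scanning-report.json: found 1 matching artifact files and directories\n"
    "\x1b[0;33mWARNING: gl-dependency-scanning-report.json: no matching files. "
    "Ensure that the artifact path is relative to the working directory "
    "(/builds/group-name/project-name)\x1b[0;m\n"
)

# Hypothetical allowlist: paths the job is known to no longer produce.
EXPECTED_MISSING = {"gl-dependency-scanning-report.json"}

ANSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")
MISSING = re.compile(r"^WARNING: (?P<path>.+?): no matching files\b")


def missing_artifacts(log_text):
    """Return artifact paths the runner reported as matching no files, in log order."""
    paths = []
    for raw in log_text.splitlines():
        line = ANSI.sub("", raw).strip()  # colour codes would defeat the ^ anchor
        m = MISSING.match(line)
        if m and m.group("path") not in paths:
            paths.append(m.group("path"))
    return paths


def classify(log_text, expected_missing=EXPECTED_MISSING):
    """Split missing paths into stale template entries and unexpected gaps."""
    missing = missing_artifacts(log_text)
    return {
        "stale": [p for p in missing if p in expected_missing],
        "unexpected": [p for p in missing if p not in expected_missing],
    }


if __name__ == "__main__":
    # A non-empty "unexpected" list means a scan report that should exist was not
    # produced, which deserves attention before the warning is dismissed as noise.
    print(classify(SAMPLE_LOG))
```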