Refactor dependency scanning component tests to reference remotes fixtures
Summary
Sometimes, the dependency scanning analyzer changes the contents of the CycloneDX report. For example, the analyzer may do, and has done, the following:
- Enriched PURLs with qualifiers
- Normalized component names to adhere to the ecosystem expectations
- Fixed dependency graph construction
- Fixed component parsing filters
- Other small changes
Unfortunately, the component does not run a new pipeline when such a change merges into the analyzer. Any difference between the component's saved expectations and the analyzer's current output therefore only surfaces the next time a contributor works on the component, whose pipeline then fails for reasons unrelated to their change. The analyzer should act as the single source of truth (SSoT) for fixtures and expectations, and the component should reference these rather than keep its own copies, to avoid a "moving target" situation.
Improvements
- Fixtures and expectations are kept in sync
- Pipelines trigger whenever a new change is merged into the default branch
- The component currently has a pipeline subscription, but this is deprecated and should be removed
- Continuously testing the component against the latest analyzer changes lessens the risk that an analyzer change is incompatible with the component.
Risks
n/a
Involved components
- CI/CD component: the .gitlab-ci.yml file should be updated.
Optional: Missing test coverage
- The fixtures that exist in the analyzer but are not present in the component should be tested as well.
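As an added example (not code from the dependency scanning analyzer or the CI/CD component), the check below shows the kind of drift this issue is about: it takes the analyzer's fixtures as the source of truth, compares them with the component's saved expectations, and reports fixtures the component lacks as well as per-fixture differences in CycloneDX components (PURL qualifiers added, names normalized) and dependency graph edges. The fixture names, the CycloneDX snippets and the report shape are constructed for illustration and are not taken from either project.

```python
"""Drift check between the analyzer's fixtures and the component's saved expectations.

Added example; not code from the dependency scanning analyzer or the CI/CD
component. Fixture names, CycloneDX contents and the report shape are
constructed assumptions.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: fixture name -> CycloneDX JSON as the analyzer (SSoT) produces it today.
ANALYZER_FIXTURES = {
    "pipenv/expect/gl-sbom-pypi-pipenv.cdx.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            # name normalized to the PyPI convention (lowercase, hyphens)
            {"bom-ref": "foo-bar", "name": "foo-bar", "version": "1.0.0",
             "purl": "pkg:pypi/foo-bar@1.0.0"},
            # PURL enriched with a qualifier
            {"bom-ref": "requests", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0?repository_url=https://pypi.org/simple"},
        ],
        # fixed graph: requests is a transitive dependency of foo-bar, not a direct one
        "dependencies": [
            {"ref": "root", "dependsOn": ["foo-bar"]},
            {"ref": "foo-bar", "dependsOn": ["requests"]},
        ],
    }),
    # present in the analyzer only: the component never copied it (missing coverage)
    "gradle/expect/gl-sbom-maven-gradle.cdx.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4", "components": [], "dependencies": []
    }),
}

# Constructed sample: the component's stale copy of the same fixture.
COMPONENT_FIXTURES = {
    "pipenv/expect/gl-sbom-pypi-pipenv.cdx.json": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"bom-ref": "Foo_Bar", "name": "Foo_Bar", "version": "1.0.0",
             "purl": "pkg:pypi/Foo_Bar@1.0.0"},
            {"bom-ref": "requests", "name": "requests", "version": "2.31.0",
             "purl": "pkg:pypi/requests@2.31.0"},
        ],
        "dependencies": [{"ref": "root", "dependsOn": ["Foo_Bar", "requests"]}],
    }),
}


@dataclass
class Drift:
    missing_in_component: list[str] = field(default_factory=list)  # fixtures only the analyzer has
    stale_in_component: list[str] = field(default_factory=list)    # fixtures only the component has
    changed: dict[str, dict[str, list[str]]] = field(default_factory=dict)  # per-fixture diffs

    def in_sync(self) -> bool:
        return not (self.missing_in_component or self.stale_in_component or self.changed)


def _component_keys(bom: dict) -> set[str]:
    # Identify a CycloneDX component by its PURL when present, otherwise by name@version.
    return {c.get("purl") or f"{c.get('name')}@{c.get('version')}" for c in bom.get("components", [])}


def _dependency_edges(bom: dict) -> set[str]:
    # Flatten the dependency graph into "ref -> dependsOn" edges so graph fixes show up as drift.
    return {f"{d['ref']} -> {dep}" for d in bom.get("dependencies", []) for dep in d.get("dependsOn", [])}


def _diff(label: str, expected: set[str], actual: set[str]) -> dict[str, list[str]]:
    out = {}
    if actual - expected:
        out[f"{label} added"] = sorted(actual - expected)
    if expected - actual:
        out[f"{label} removed"] = sorted(expected - actual)
    return out


def fixture_drift(analyzer: dict[str, str], component: dict[str, str]) -> Drift:
    """Both arguments map fixture name -> CycloneDX JSON text; the analyzer side is authoritative."""
    drift = Drift()
    drift.missing_in_component = sorted(set(analyzer) - set(component))
    drift.stale_in_component = sorted(set(component) - set(analyzer))
    for name in sorted(set(analyzer) & set(component)):
        expected = json.loads(component[name])  # what the component currently asserts
        actual = json.loads(analyzer[name])     # what the analyzer now produces
        changes = {}
        changes.update(_diff("components", _component_keys(expected), _component_keys(actual)))
        changes.update(_diff("dependency edges", _dependency_edges(expected), _dependency_edges(actual)))
        if changes:
            drift.changed[name] = changes
    return drift


def report(drift: Drift) -> str:
    lines = [f"missing in component: {drift.missing_in_component}",
             f"stale in component: {drift.stale_in_component}"]
    for name, changes in drift.changed.items():
        lines.append(f"changed: {name}")
        lines.extend(f"  {kind}: {values}" for kind, values in changes.items())
    return "\n".join(lines)


if __name__ == "__main__":
    result = fixture_drift(ANALYZER_FIXTURES, COMPONENT_FIXTURES)
    print(report(result))
    raise SystemExit(0 if result.in_sync() else 1)
```

Run in a CI job with the two dictionaries loaded from the analyzer checkout and the component's expectation directory respectively, the non-zero exit turns every one of the analyzer changes listed above (qualifiers, normalized names, graph fixes, missing fixtures) into a visible failure instead of a surprise in an unrelated contributor's pipeline.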
Edited by 🤖 GitLab Bot 🤖