Update dependency scanning tutorial, including adding static reachability

  • Start this issue's title with Docs: or Docs feedback:.

Problem to solve

We added a static reachability analysis (SRA) feature to dependency scanning. This aims to identify which of the vulnerable dependencies are imported ("reachable") by the application.

SRA is at limited availability status but it's planned to progress to GA soon. This seems a good opportunity to both review the dependency scanning tutorial and add static reachability analysis.

The recommended method of dependency scanning is now different from what the tutorial explains. We now recommend dependency scanning by SBOM.

Dependency scanning tutorial:

Further details

The dependency tutorial uses GitPod (now renamed Ona), a cloud development environment created by a partner. Perhaps it would be best to avoid using GitPod/Ona and instead have the user do all tasks locally?

A tutorial is a specific type of docs content, with a defined structure. For details, see https://docs.gitlab.com/development/documentation/topic_types/tutorial/. If you’d like to see some examples, all the application security testing tutorials are at https://docs.gitlab.com/tutorials/secure_application/.

Some tips/suggestions:

  • Keep the scope of the tutorial as narrow and simple as possible. “In this tutorial you’ll learn how to ABC.” Focus only on describing how to do ABC. Don’t add any extra information or details.
  • Tutorials use a slightly less formal tone than the “regular” docs.
  • If it’s possible and reasonable, have the user start from an empty project. In some circumstances it might be necessary to clone an example project, but that works well only until the project is no longer maintained.

Proposal

I'm proposing that we update the dependency scanning tutorial and add SRA. However, that is not a requirement. If it would be easier or more effective to instead create a tutorial that covers only SRA then we should either close this issue and instead create a new one for that tutorial or change the description of this issue.

Who can address the issue

Anyone with sufficient knowledge of dependency scanning and SRA.

Other links/references

Edited by Russell Dickenson