Allow dependencies to be fetched from the database
What does this MR do and why?
Historically, DependenciesController has served dependencies by parsing JSON job artifacts. In &8024 (closed), we laid the foundational groundwork to persist representations of these artifacts to the database so that they could be queried instead. This change adds the initial implementation to have DependenciesController return data from the database instead.
If no SBoM reports are available, then we will fall back to the old behavior instead.
There is more work to be done before we can achieve 1:1 parity with the existing functionality. The following will be handled via follow-up MRs:
- Adding filtering
- Adding sorting
- Returning license data
- Returning vulnerabilities
- Doing the same for the Dependencies API
How to set up and validate locally
- Create a new project from a template; use the NodeJS/Express template.
- Create a `.gitlab-ci.yml` file with this configuration:

```yaml
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
```

- If a pipeline did not start automatically, trigger one manually by going to CI/CD -> Pipelines.
- Verify that the `gemnasium-dependency_scanning` job outputs a `gl-sbom-npm-npm.cdx.json` artifact.
- Go to `<instance_url>/group/project/-/dependencies.json`. This is the existing behavior.
- Enable the feature flag using the rails console: `Feature.enable(:sbom_dependency_data)`
- Reload `dependencies.json`. The results should be the same, but vulnerabilities and licenses will be empty.
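A parity check for the last two steps, added here as an example in Ruby (not code from this MR or from GitLab). It assumes that `dependencies.json` carries a top-level `dependencies` array whose entries have `name`, `version`, `packager`, `location.path`, `vulnerabilities` and `licenses` fields, and it uses constructed sample responses in place of the two captures taken before and after enabling the flag.

```ruby
require 'json'

# Constructed sample of dependencies.json before the flag (artifact-backed).
# The advisory name is a placeholder, not a real identifier.
OLD_RESPONSE = <<~JSON
  {"dependencies": [
    {"name": "express", "version": "4.18.2", "packager": "npm",
     "location": {"path": "package-lock.json"},
     "vulnerabilities": [{"name": "CONSTRUCTED-ADVISORY"}], "licenses": [{"name": "MIT"}]},
    {"name": "debug", "version": "2.6.9", "packager": "npm",
     "location": {"path": "package-lock.json"}, "vulnerabilities": [], "licenses": [{"name": "MIT"}]}
  ]}
JSON

# Constructed sample after Feature.enable(:sbom_dependency_data): the same
# dependencies, but vulnerabilities and licenses are not populated yet.
NEW_RESPONSE = <<~JSON
  {"dependencies": [
    {"name": "express", "version": "4.18.2", "packager": "npm",
     "location": {"path": "package-lock.json"}, "vulnerabilities": [], "licenses": []},
    {"name": "debug", "version": "2.6.9", "packager": "npm",
     "location": {"path": "package-lock.json"}, "vulnerabilities": [], "licenses": []}
  ]}
JSON

# Identity of a dependency for the parity check. Vulnerabilities and
# licenses are excluded on purpose: they are follow-up work for this MR.
def dependency_key(dep)
  [dep['name'], dep['version'], dep['packager'], dep.dig('location', 'path')]
end

# Compares the old and new responses. :parity is true when both list the
# same dependencies (as a multiset); :missing and :extra explain a mismatch.
def compare_dependency_responses(old_json, new_json)
  old_deps = JSON.parse(old_json).fetch('dependencies')
  new_deps = JSON.parse(new_json).fetch('dependencies')
  old_keys = old_deps.map { |d| dependency_key(d) }
  new_keys = new_deps.map { |d| dependency_key(d) }
  {
    parity: old_keys.tally == new_keys.tally,
    missing: old_keys - new_keys, # only in the artifact-backed response
    extra: new_keys - old_keys,   # only in the database-backed response
    # Both counts should be 0 until the follow-up MRs land.
    nonempty_vulnerabilities: new_deps.count { |d| !d.fetch('vulnerabilities', []).empty? },
    nonempty_licenses: new_deps.count { |d| !d.fetch('licenses', []).empty? }
  }
end

puts compare_dependency_responses(OLD_RESPONSE, NEW_RESPONSE).inspect
```

To use it against a real instance, replace the two constants with the bodies of `dependencies.json` fetched before and after enabling the flag.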
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.