dependency-scanning job uses run (default) command to perform reachability analysis and enrich SBOMs
What does this MR do and why?
We've streamlined the dependency-scanning job by integrating static reachability analysis and SBOM enrichment (SCA-to-sarif-matcher) directly into the run command. This consolidation eliminates the need for both the separate reachability command and the SCA-to-sarif-matcher download. These improvements offer two key benefits:
- Support for offline users
- A simplified dependency-scanning workflow
DS analyzer and Template matching
The DS analyzer released by gitlab-org/security-products/analyzers/dependency-scanning!215 (merged) still supports the reachability command, but it is a NO-OP. That means that this DS analyzer and later versions will be able to play well with older versions of the latest DS template.
Testing
I tested this version of the template on my test project by:
- Importing a local version of the DS template. This template is the same as the one in this MR.
- Using the latest image from the DS MR.
- Running the job, which succeeded. SBOMs are correctly enriched.
| Test cases | Job | Status |
|---|---|---|
| Updated template (this MR change) | job | ok |
| Updated template (this MR change) - Static Reachability is off | job | ok |
| Current template version | MR --> job | ok |
Screenshots or screen recordings
Before
```text
/analyzer run || exit $? # collapsed multi-line command
[INFO] [dependency-scanning] [2025-04-29T09:31:50Z] ▶ GitLab dependency-scanning analyzer v0.25.12
[INFO] [dependency-scanning] [2025-04-29T09:31:50Z] ▶ GitLab dependency-scanning analyzer v0.25.12
[INFO] [dependency-scanning] [2025-04-29T09:31:50Z] ▶ DS Semgrep module found 2 files to analyze
[INFO] [dependency-scanning] [2025-04-29T09:31:50Z] ▶ Created semgrep_target.json
[INFO] [dependency-scanning] [2025-04-29T09:31:50Z] ▶ Executing /usr/bin/semgrep-core -json -rules semgrep_rules.json -j 10 -targets semgrep_target.json -timeout 5 -timeout_threshold 3 -max_memory 0 -fast -json_nodots
[INFO] [dependency-scanning] [2025-04-29T09:31:50Z] ▶ Successfully run semgrep-core command
[INFO] [dependency-scanning] [2025-04-29T09:31:50Z] ▶ Created semgrep report: reachable_packages.json
Found reachable_packages.json
Downloading SCA-to-sarif-matcher v2.0.2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   167  100   167    0     0   4073      0 --:--:-- --:--:-- --:--:--  4073
100 11.5M  100 11.5M    0     0  29.4M      0 --:--:-- --:--:-- --:--:-- 74.2M
9:31AM INF Successfully loaded 518105 modules from PyPi-metadata
9:31AM INF Enriched SBOM report at PythonA/gl-sbom-pypi-pipenv.cdx.json. From 6 components, 1 were in use
9:31AM INF Enriched SBOM report at PythonA/PythonC/gl-sbom-pypi-pipenv.cdx.json. From 23 components, 23 were in use
Uploading artifacts for successful job
```
After
```text
$ /analyzer run
[INFO] [dependency-scanning] [2025-05-23T04:55:29Z] ▶ GitLab dependency-scanning analyzer v0.26.11
[INFO] [dependency-scanning] [2025-05-23T04:55:29Z] ▶ DS Semgrep module found 2 supported files to analyze
[INFO] [dependency-scanning] [2025-05-23T04:55:29Z] ▶ Created semgrep_target.json
[INFO] [dependency-scanning] [2025-05-23T04:55:29Z] ▶ Executing /usr/bin/semgrep-core -json -rules /tmp/semgrep-3695320410/semgrep_rules.json -j 10 -targets /tmp/semgrep-3695320410/semgrep_target.json -timeout 5 -timeout_threshold 3 -max_memory 0 -fast -json_nodots
[INFO] [dependency-scanning] [2025-05-23T04:55:29Z] ▶ Enriching SBOMs
[INFO] [dependency-scanning] [2025-05-23T04:55:48Z] ▶ Successfully loaded 527083 modules from PyPi-metadata
[INFO] [dependency-scanning] [2025-05-23T04:55:48Z] ▶ Enriched SBOM report at PythonA. From 6 components, 5 were in use
[INFO] [dependency-scanning] [2025-05-23T04:55:48Z] ▶ Enriched SBOM report at PythonA/PythonC. From 23 components, 23 were in use
```
References
Static reachability offline support (#537163 - closed)
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
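The enrichment step the "After" log reports ("From 6 components, 5 were in use") amounts to matching the package names the semgrep pass found reachable against the SBOM's components and annotating each one. As an added example that is not the analyzer's or SCA-to-sarif-matcher's own code, the following Python does that for a CycloneDX PyPI SBOM using constructed sample input, an assumed reachable-package list shape and an assumed property name; it also applies PEP 503 name normalisation so that `typing_extensions` and `typing-extensions` match.

```python
import copy
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX SBOM shaped like gl-sbom-pypi-pipenv.cdx.json; names/versions are made up.
SAMPLE_SBOM: Dict = {
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "Django", "version": "4.2.1", "purl": "pkg:pypi/django@4.2.1"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "typing_extensions", "version": "4.8.0", "purl": "pkg:pypi/typing-extensions@4.8.0"},
        {"type": "library", "name": "PyYAML", "version": "6.0", "purl": "pkg:pypi/pyyaml@6.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "library", "name": "six", "version": "1.16.0", "purl": "pkg:pypi/six@1.16.0"},
    ],
}

# Constructed stand-in for reachable_packages.json (package names the semgrep pass saw
# imported in source); the real file's schema is not shown on the page.
SAMPLE_REACHABLE: List[str] = ["django", "Requests", "typing_extensions", "PyYAML", "urllib3"]
# Assumed property name for the annotation, not the analyzer's actual key.
REACHABILITY_PROPERTY = "example:reachability"

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_', '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def purl_name(purl: str) -> Optional[str]:
    """Return the package name from a pkg:pypi purl, or None if it is not a PyPI purl."""
    m = re.match(r"^pkg:pypi/([^@?#]+)", purl)
    return m.group(1) if m else None

def enrich_sbom(sbom: Dict, reachable: List[str]) -> Tuple[Dict, int, int]:
    """Copy the SBOM, tag each component in_use/not_found, return (enriched, total, in_use)."""
    reachable_set = {normalize(n) for n in reachable}
    enriched = copy.deepcopy(sbom)  # never mutate the caller's SBOM
    total = in_use = 0
    for comp in enriched.get("components", []):
        total += 1
        # Prefer the purl name (canonical for PyPI) and fall back to the display name.
        name = purl_name(comp.get("purl", "")) or comp.get("name", "")
        used = normalize(name) in reachable_set
        in_use += int(used)
        comp.setdefault("properties", []).append({"name": REACHABILITY_PROPERTY, "value": "in_use" if used else "not_found"})
    return enriched, total, in_use

def summary_line(path: str, sbom: Dict, reachable: List[str]) -> str:
    """Format the result in the style of the analyzer's log line."""
    _, total, in_use = enrich_sbom(sbom, reachable)
    return f"Enriched SBOM report at {path}. From {total} components, {in_use} were in use"
```

Components whose purl is not a PyPI purl fall back to the display name, so the same loop can be pointed at a mixed-ecosystem SBOM as long as the reachable list uses the same normalisation.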