
Draft: Upload dependency graph exports as artifacts when Gemnasium fails

What does this MR do and why?

Make the dependency graph exports available as CI artifacts when a Gemnasium Dependency Scanning job fails:

  • When the gemnasium-maven-dependency_scanning job fails, upload the dependency graph exports generated by Gemnasium Maven Plugin, Gemnasium Gradle Plugin, or sbt-dependency-graph plugin.
  • When the gemnasium-python-dependency_scanning job fails, upload the dependency graph exports generated by pipdeptree or pipenv graph.

This change makes it easier to debug failed Dependency Scanning jobs when Gemnasium fails to parse graph exports generated by external commands.
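As an added illustration of the artifact behaviour described above (this is not the MR's own diff or the real Dependency Scanning template), the job below keeps a graph export alongside the scanning report. The job name is taken from the page; the export filename and the base job are placeholders, and `artifacts:when: always` is used because `when` applies to the whole `artifacts` block, reports included, so `on_failure` alone would stop the report from being uploaded on a passing job.

```yaml
# Added example, not the MR's own change.
gemnasium-python-dependency_scanning:
  extends: .ds-analyzer            # placeholder base job name
  script:
    - /analyzer run
  artifacts:
    # "always" covers both cases on the page:
    # - job fails: the graph export is uploaded for debugging the parse failure
    # - job passes: the report is still uploaded (non-regression case)
    when: always
    paths:
      - "**/pipdeptree-export.json"   # placeholder; use the filename the builder writes
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
```

On a failed job the report file may not exist; GitLab only warns about a missing artifact path, so the export is still uploaded.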

Further details

See export filenames used in the Gemnasium builders:

Testing

This has been tested using the same projects as the ones used for job integration tests. However, QA jobs can't be tested. See gitlab-org/security-products/tests/java-gradle-multimodules!30 (comment 710091732) for explanation.

Feature test: artefacts are uploaded when job fails.

Non-regression test: job passes, report is uploaded.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #341215

Edited by Fabien Catteau
