Use distinct attributes for dependency scanning fingerprint

What does this MR do and why?


The initial implementation of the fingerprinting for the dependency scanning source took a digest of the entire source data as JSON. This has some issues which are outlined in #369915 (closed).

This MR changes the fingerprinting so that it instead takes a digest of the attributes by which a source can be considered distinct.

For example, suppose that we have two components: activesupport v6.1.6.1 and activesupport v6.1.6.0. If both of these have the source fingerprint digest('projection:Gemfile.lock'), then both of these components can be said to originate from the same source.


Edited by Brian Williams
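The contrast the description draws (digest of the whole source hash versus digest of only the distinguishing attributes) is shown below as an added example in Ruby. It is not code from this MR or from GitLab; the component records, the source hash layout, the `dependency_scanning` type name and the choice of `input_file.path` as the sole distinguishing attribute are all constructed for illustration. The text's `digest('projection:Gemfile.lock')` is modelled as a digest over the type plus the distinguishing values, encoded as a JSON array rather than a `:`-joined string so that a value containing the delimiter cannot collide with a different attribute split.

```ruby
require 'digest'
require 'json'

# Constructed example records (not GitLab's data model). Both components were
# found in the same Gemfile.lock, but the raw source hashes differ in key
# order and in an attribute (package_manager.version) that is not part of
# the source's identity.
COMPONENTS = [
  { name: 'activesupport', version: '6.1.6.1',
    source: { type: 'dependency_scanning',
              input_file: { path: 'Gemfile.lock' },
              package_manager: { name: 'bundler' } } },
  { name: 'activesupport', version: '6.1.6.0',
    source: { type: 'dependency_scanning',
              package_manager: { name: 'bundler', version: '2.3.0' },
              input_file: { path: 'Gemfile.lock' } } }
].freeze

# Original approach: digest the whole source hash serialised as JSON.
# Key order and incidental attributes change the digest, so two records
# describing the same source can receive different fingerprints.
def whole_json_fingerprint(source)
  Digest::SHA256.hexdigest(source.to_json)
end

# Hypothetical mapping from source type to the attribute paths by which a
# source of that type is considered distinct (an assumption of this example).
DISTINCT_ATTRIBUTES = {
  'dependency_scanning' => [%i[input_file path]]
}.freeze

# Revised approach: digest only the distinguishing attributes, in a fixed
# order, prefixed with the type so that sources of different types with
# equal attribute values cannot collide. Missing attributes are an error
# rather than silently digested as nil.
def distinct_attribute_fingerprint(source)
  type = source.fetch(:type)
  paths = DISTINCT_ATTRIBUTES.fetch(type) do
    raise ArgumentError, "unknown source type #{type.inspect}"
  end
  values = paths.map { |path| source.dig(*path) }
  if values.any?(&:nil?)
    raise ArgumentError, "source of type #{type} is missing a distinguishing attribute"
  end
  # JSON array encoding keeps the type and each value unambiguous, unlike a
  # plain "type:value" join, where a value containing ':' could be misparsed.
  Digest::SHA256.hexdigest([type, *values].to_json)
end

# Two components originate from the same source when their source
# fingerprints are equal.
def same_source?(component_a, component_b)
  distinct_attribute_fingerprint(component_a[:source]) ==
    distinct_attribute_fingerprint(component_b[:source])
end

# Group component "name@version" labels by source fingerprint.
def group_by_source(components)
  components.each_with_object(Hash.new { |h, k| h[k] = [] }) do |component, groups|
    fingerprint = distinct_attribute_fingerprint(component[:source])
    groups[fingerprint] << "#{component[:name]}@#{component[:version]}"
  end
end

if __FILE__ == $PROGRAM_NAME
  a, b = COMPONENTS.map { |c| c[:source] }
  puts "whole-JSON fingerprints equal?         #{whole_json_fingerprint(a) == whole_json_fingerprint(b)}"
  puts "distinct-attribute fingerprints equal? #{distinct_attribute_fingerprint(a) == distinct_attribute_fingerprint(b)}"
  group_by_source(COMPONENTS).each { |fp, names| puts "#{fp[0, 12]}... => #{names.join(', ')}" }
end
```

Running the block shows the whole-JSON digests of the two records disagree while the distinct-attribute digests agree, so both activesupport versions fall into one group keyed by the Gemfile.lock source. The lookup table of distinguishing attributes is per type, so adding a source type means adding a row there rather than changing the digest routine.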
