Engineering Discovery: mutualize Dependency Scanning and License Compliance
Problem to solve
Dependency Scanning (DS) and License Scanning (LS) both build a list of a project's dependencies. DS uses that list to scan for known vulnerabilities, whereas LS builds a similar list of its own to track licenses. By connecting LS to DS, or by merging the two projects, we would reduce maintenance cost and possibly reduce the time it takes to run the pipeline, since the dependency list would be built once instead of twice.
Intended users
This would directly benefit the Composition Analysis group by reducing maintenance cost.
It could also benefit users by making it possible to support new languages or package managers in both features at once, and by making the scans faster overall.
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Further details
Dependency Scanning is composed of several analyzer projects, including the Gemnasium-based analyzers. gemnasium and its variants generate a dependency list as part of their report, but that list is different from the one generated by the License Management project/job, so the two features currently parse the same lock files independently.
Proposal
Make License Management/Scanning process the dependency list generated by Dependency Scanning, instead of building its own list.
Challenges:
- Currently the License Management project supports more package managers than all Dependency Scanning analyzers combined, so DS cannot yet provide a list for every project LS handles.
- Currently the license_management job and the Dependency Scanning jobs are in the same pipeline stage, so it cannot consume the artifacts the DS jobs produce. The license job would have to move to a later stage (or declare a dependency on the DS jobs) before it can read their reports.
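As an added example of what "process the dependency list generated by Dependency Scanning" would mean in practice (this is illustrative code written for this page, not gemnasium or License Management code): the script below reads one or more DS reports, extracts the dependency list grouped by package manager, and unions the lists from several analyzer jobs, since DS runs one job per analyzer. It assumes a DS report is JSON with a top-level "dependency_files" array whose entries carry "path", "package_manager" and "dependencies" (each with "package": {"name"} and "version"); the sample reports are constructed here and are not real analyzer output.

```python
"""Build a license-scanner-ready dependency list from Dependency Scanning reports.

Added example, not project code. The report schema below (top-level
"dependency_files" with "package_manager" and "dependencies" entries) is an
assumption made for this example; the sample reports are constructed inline.
"""
import json
from collections import defaultdict

# Constructed sample: what one analyzer job (e.g. a bundler/npm analyzer) might
# write to its report artifact. Schema assumed, see module docstring.
SAMPLE_REPORT_A = json.dumps({
    "version": "2.3",
    "vulnerabilities": [],
    "dependency_files": [
        {
            "path": "Gemfile.lock",
            "package_manager": "bundler",
            "dependencies": [
                {"package": {"name": "rails"}, "version": "5.2.3"},
                {"package": {"name": "nokogiri"}, "version": "1.10.4"},
            ],
        },
        {
            "path": "package-lock.json",
            "package_manager": "npm",
            "dependencies": [
                {"package": {"name": "lodash"}, "version": "4.17.15"},
                # Same package reached via two transitive paths: must be deduplicated.
                {"package": {"name": "lodash"}, "version": "4.17.15"},
                # Entry without a version: skipped, a license lookup needs both fields.
                {"package": {"name": "left-pad"}},
            ],
        },
    ],
})

# Constructed sample: a second analyzer job covering a different package manager.
SAMPLE_REPORT_B = json.dumps({
    "version": "2.3",
    "vulnerabilities": [],
    "dependency_files": [
        {
            "path": "requirements.txt",
            "package_manager": "pip",
            "dependencies": [
                {"package": {"name": "requests"}, "version": "2.22.0"},
            ],
        }
    ],
})


def dependency_list(report_json):
    """Return {package_manager: sorted [(name, version), ...]} from one DS report.

    Duplicates are collapsed and entries missing a name or version are skipped
    rather than guessed; the caller (here, a license scanner) needs both to
    identify a package.
    """
    report = json.loads(report_json)
    per_pm = defaultdict(set)
    for dep_file in report.get("dependency_files", []):
        pm = dep_file.get("package_manager")
        if not pm:
            continue
        for dep in dep_file.get("dependencies", []):
            name = (dep.get("package") or {}).get("name")
            version = dep.get("version")
            if name and version:
                per_pm[pm].add((name, version))
    return {pm: sorted(deps) for pm, deps in per_pm.items()}


def merge_dependency_lists(*reports_json):
    """Union the lists of several analyzer reports (DS runs one job per analyzer)."""
    merged = defaultdict(set)
    for report_json in reports_json:
        for pm, deps in dependency_list(report_json).items():
            merged[pm].update(deps)
    return {pm: sorted(deps) for pm, deps in merged.items()}


if __name__ == "__main__":
    # Print the combined list a license job in a later stage could consume.
    print(json.dumps(merge_dependency_lists(SAMPLE_REPORT_A, SAMPLE_REPORT_B), indent=2))
```

In a pipeline, the license job would collect each DS analyzer's report artifact and feed them all to merge_dependency_lists; the per-package-manager grouping is what lets it pick the right license lookup for each ecosystem.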
Permissions and Security
No change.
Documentation
No change.
Testing
Using existing QA jobs & test projects.
What does success look like, and how can we measure that?
- faster scans, since the dependency list is built once per pipeline
- a larger number of supported projects
- reduced time to support a new language or package manager in License Scanning, since support added to a DS analyzer carries over