Add support for dependency scan using Trivy analyzer
- Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA
What does this MR do?
This merge request adds support for dependency scanning using the Trivy analyzer. It leverages Trivy's library scanning and report templating capabilities to allow dependency scanning of languages not currently natively supported by GitLab but supported by Trivy. Namely, it enables support for the following languages / files without requiring the integration of a new analyzer:
| Language | Supported Files | New Language Support |
|---|---|---|
| PHP | `installed.json` | No |
| Node.js | `package.json` | No |
| .NET | `packages.config`, `.deps.json`, `*Packages.props` | No |
| Java | `*gradle.lockfile`, `*.sbt.lock` | No |
| Rust | `Cargo.lock` | Yes |
| Elixir | `mix.lock` | Yes |
| Dart | `pubspec.lock` | Yes |
| Swift | `Podfile.lock` | No |
| Julia | `Manifest.toml` | Yes |
In detail, the MR adds a template file `lib/template/sca-trivy.tpl` which enables the generation of a GitLab Dependency Scanning compliant report from a Trivy fs scan. Two integration test jobs have then been created: one to test the generation of the report (`trivy-sca-scan`) and one to validate that the generated report has the right format (`trivy-sca-scan-validate-report`).
Upon approval of this merge request, another merge request will be made to the security template project to enable dependency scanning of the mentioned languages / files.
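To make the template-based approach concrete, here is an added, self-contained Go example. It is not the MR's `sca-trivy.tpl`, nor GitLab's or Trivy's code: it defines a simplified mirror of the Trivy result structure, an illustrative Go text/template that renders it into a GitLab Dependency Scanning report, and a structural check of the kind the `trivy-sca-scan-validate-report` job exists for. The helper names (`toJSON`, `gitlabSeverity`, `idType`), the severity and identifier-type mappings, the analyzer metadata, the schema version and the sample lockfiles and finding are all assumptions constructed for the example. The one design point worth taking from it is that every value coming from the scan goes through JSON quoting rather than being interpolated raw, so advisory titles or package names containing quotes cannot break or inject into the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// Simplified mirror of the fields Trivy exposes to --format template; not Trivy's full report type.
type TrivyReport struct{ Results []TrivyResult }
type TrivyResult struct {
	Target, Type    string
	Packages        []TrivyPkg
	Vulnerabilities []TrivyVuln
}
type TrivyPkg struct{ Name, Version string }
type TrivyVuln struct {
	VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Title, Severity, PrimaryURL string
}

// Template helpers; their names and mappings are this example's assumptions, not sca-trivy.tpl's.
var funcs = template.FuncMap{
	// toJSON quotes and escapes any value so advisory text cannot break or inject into the JSON.
	"toJSON": func(v any) (string, error) { b, err := json.Marshal(v); return string(b), err },
	// gitlabSeverity maps Trivy's CRITICAL/HIGH/MEDIUM/LOW onto GitLab's Critical/High/Medium/Low.
	"gitlabSeverity": func(s string) string {
		if u := strings.ToUpper(s); u == "CRITICAL" || u == "HIGH" || u == "MEDIUM" || u == "LOW" {
			return u[:1] + strings.ToLower(u[1:])
		}
		return "Unknown" // anything else, including Trivy's own UNKNOWN
	},
	// idType picks the identifier type from the advisory ID prefix; "other" is an assumed fallback.
	"idType": func(id string) string {
		if strings.HasPrefix(id, "CVE-") { return "cve" }
		if strings.HasPrefix(id, "GHSA-") { return "ghsa" }
		return "other"
	},
}

// Illustrative Go text/template emitting a GitLab Dependency Scanning report (a subset of schema 15.x).
const exampleTemplate = `{"version": "15.0.6", "vulnerabilities": [
{{- $first := true }}{{ range $r := .Results }}{{ range $v := $r.Vulnerabilities }}
{{- if not $first }},{{ end }}{{ $first = false }}
  {"id": {{ printf "%s:%s:%s" $v.VulnerabilityID $v.PkgName $r.Target | toJSON }},
   "category": "dependency_scanning", "scanner": {"id": "trivy", "name": "Trivy"},
   "name": {{ $v.Title | toJSON }}, "severity": {{ $v.Severity | gitlabSeverity | toJSON }},
   "solution": {{ if $v.FixedVersion }}{{ printf "Upgrade %s to %s" $v.PkgName $v.FixedVersion | toJSON }}{{ else }}"No fixed version available"{{ end }},
   "location": {"file": {{ $r.Target | toJSON }}, "dependency": {"package": {"name": {{ $v.PkgName | toJSON }}}, "version": {{ $v.InstalledVersion | toJSON }}}},
   "identifiers": [{"type": {{ $v.VulnerabilityID | idType | toJSON }}, "name": {{ $v.VulnerabilityID | toJSON }}, "value": {{ $v.VulnerabilityID | toJSON }}, "url": {{ $v.PrimaryURL | toJSON }}}]}
{{- end }}{{ end }}
 ], "dependency_files": [
{{- range $i, $r := .Results }}{{ if $i }},{{ end }}
  {"path": {{ $r.Target | toJSON }}, "package_manager": {{ $r.Type | toJSON }}, "dependencies": [
{{- range $j, $p := $r.Packages }}{{ if $j }},{{ end }}
    {"package": {"name": {{ $p.Name | toJSON }}}, "version": {{ $p.Version | toJSON }}}
{{- end }}
  ]}
{{- end }}
 ], "scan": {"type": "dependency_scanning", "status": "success", "start_time": "2024-01-01T00:00:00", "end_time": "2024-01-01T00:00:01",
   "analyzer": {"id": "trivy-sca-example", "name": "Trivy SCA example", "version": "0.0.0", "vendor": {"name": "example"}},
   "scanner": {"id": "trivy", "name": "Trivy", "version": "0.0.0", "vendor": {"name": "Aqua Security"}}}
}`

// Render executes the template over a Trivy report, as `trivy fs --format template --template @file` would.
func Render(r TrivyReport) (string, error) {
	var sb strings.Builder
	err := template.Must(template.New("sca").Funcs(funcs).Parse(exampleTemplate)).Execute(&sb, r)
	return sb.String(), err
}

// Validate does the structural check a report-validation job would, reduced to a few required keys:
// the output must parse as JSON and carry the top-level sections and per-finding fields used here.
func Validate(report string) (map[string]any, error) {
	var doc map[string]any
	if err := json.Unmarshal([]byte(report), &doc); err != nil { return nil, fmt.Errorf("not valid JSON: %w", err) }
	for _, k := range []string{"version", "vulnerabilities", "dependency_files", "scan"} {
		if _, ok := doc[k]; !ok { return nil, fmt.Errorf("missing top-level key %q", k) }
	}
	vulns, _ := doc["vulnerabilities"].([]any)
	for i, v := range vulns {
		m, _ := v.(map[string]any)
		for _, k := range []string{"id", "category", "scanner", "severity", "location", "identifiers"} {
			if _, ok := m[k]; !ok { return nil, fmt.Errorf("vulnerabilities[%d] missing %q", i, k) }
		}
	}
	return doc, nil
}

// SampleReport is constructed input: two lockfiles from the MR's table and one placeholder finding.
// The advisory ID, package names, versions and URL are invented for the example, not real data.
var SampleReport = TrivyReport{Results: []TrivyResult{
	{Target: "Cargo.lock", Type: "cargo", Packages: []TrivyPkg{{"example-http", "0.1.0"}, {"example-tls", "0.2.0"}},
		Vulnerabilities: []TrivyVuln{{VulnerabilityID: "EXAMPLE-2024-0001", PkgName: "example-tls", InstalledVersion: "0.2.0",
			FixedVersion: "0.2.1", Title: "Placeholder advisory", Severity: "HIGH", PrimaryURL: "https://example.invalid/EXAMPLE-2024-0001"}}},
	{Target: "mix.lock", Type: "hex", Packages: []TrivyPkg{{"example_plug", "1.0.0"}}},
}}

func main() {
	out, err := Render(SampleReport)
	if err != nil { panic(err) }
	if _, err := Validate(out); err != nil { panic(err) }
	fmt.Println(out)
}
```

Run with `go run` to see the rendered report; a result with no packages or findings still yields a well-formed document with empty `vulnerabilities` and `dependency_files` arrays, which is the case a validation job should also cover, since a scan of an unsupported lockfile legitimately produces nothing.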
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer