Android support for Dependency Scanning
### Release notes ### Problem to solve GitLab Dependency Scanning supports Java Gradle projects but Android projects aren't supported because: - The Android SDK isn't installed in the gemnasium-maven image used for the scan. - There's no documentation on how to set up Dependency Scanning for Android projects. - The possible workaround is coupled to implementation details of gemnasium-maven. ### Intended users * [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer) * [Cameron (Compliance Manager)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#cameron-compliance-manager) * [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst) ### User experience goal A [CI/CD template](https://docs.gitlab.com/ee/development/cicd/templates.html) is available. The user includes the template in their CI configuration, fills-out any required inputs (if any). When a CI pipeline runs, the template includes the job(s) necessary to generate a [CDX SBOM](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#cyclonedx-software-bill-of-materials) which is then ingested by GitLab. The identified components display in the existing user interfaces. [Continuous vulnerability scanning](https://docs.gitlab.com/ee/user/application_security/continuous_vulnerability_scanning/) is performed on said components. ### Proposal The CI/CD template uses an upstream tool to generate the SBOM. We may need to enrich the generated report with properties from the [GitLab CycloneDX taxonomy](https://docs.gitlab.com/ee/development/sec/cyclonedx_property_taxonomy.html) before it can be used in GitLab features. ### Further details - Previous proposal based on CI templates: https://gitlab.com/gitlab-org/gitlab/-/issues/336866#proposal. ### Permissions and Security No change ### Documentation To be documented in [Supported languages and package managers](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#supported-languages-and-package-managers) ### Availability & Testing ### Available Tier ~"GitLab Ultimate" ### What does success look like, and how can we measure that? ### What is the type of buyer? ### Is this a cross-stage feature? No ### Links / references /cc @johncrowley
epic