
feat: gitlab dependency scanner report format #5919 #5920

Merged (6 commits, Nov 21, 2023)

Conversation

niklasfi (Contributor) commented Sep 3, 2023

Fixes Issue #5919

Description of Change

As described in #5919, I am working on adding a new report format to DependencyCheck that can be directly fed to GitLab to be used as a dependency scanner in ci/cd-pipelines.

Have test cases been added to cover the new functionality?

no

boring-cyborg bot added the label "core" (changes to core) Sep 3, 2023
niklasfi changed the title from "#5919 feat: gitlab dependency scanner report format" to "feat: gitlab dependency scanner report format #5919" Sep 3, 2023
niklasfi (Contributor, Author) commented Sep 3, 2023

Hi, I would gladly receive some feedback on my pull request.

  1. Are you interested in adding a GitLab report format to DependencyCheck?
  2. Do you agree the best way to implement it is by adding a template and a new report format?
  3. Do you have any pointers on (some of) the missing fields?
  4. Do you think it's still a good idea to merge this even if some fields of the target format are not available right now?
  5. Would you accept pull requests adding the additionally needed information to the template engine's context?
  6. Are additional tests needed? If so: what do you think is a good test template to start with? The other report formats probably have tests as well, right?

aikebah (Collaborator) left a review comment

Some preliminary feedback. Based on the various comments you already put in I think it needs some further investigation into resolving the various issues with the GitLab report format versus the information we currently have available to make it so mature that I would vote for inclusion.

Nevertheless I'm in favor of the initiative, and even if we can't reach an acceptable level of support, the efforts to try and achieve as much as reasonably possible are useful for anyone wanting to embed DependencyCheck into GitLab dependency-scanning.

If not as a formally supported format people could always use a partially completed and syntactically working template as their own report format (using the VSL as a custom-format report - see #5824 (comment) for some details on that approach)

Three inline review comments on core/src/main/resources/templates/gitlabReport.vsl (outdated, resolved)
jeremylong (Owner) left a review comment

Please see the comments from @aikebah.

niklasfi (Contributor, Author) commented

Hi @jeremylong @aikebah, sorry for taking so long to respond to your well thought out remarks on the pull request. I have implemented the changes as you suggested, except for the dependency_files section. There I don't really know how to best proceed.

jeremylong (Owner) commented

@niklasfi thanks! Supporting this format shows that we might be missing a field on the dependency object: source. Where the source would be something like: pom.xml, poetry.lock, path/to/some.jar. We could then add dependencies to the array grouped on source. I think this information would be useful for other reasons as well. I'll file an enhancement request.
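To make the grouping idea above concrete, here is an added illustration (not DependencyCheck code and not the template from this pull request) that takes dependency records carrying the hypothetical "source" field proposed in the comment and emits a GitLab dependency scanning report: dependencies are grouped into one dependency_files entry per source, and each vulnerability's location.file points back at that source. The input records, package names and CVE-style ids are constructed placeholders; the report field names follow GitLab's published dependency scanning report schema as I recall it, and the minimal scan block is an assumption that should be checked against the schema version your GitLab instance validates.

```python
"""Group dependency records by source file and emit a GitLab dependency scanning
report.  Added illustration only; this is not DependencyCheck's own code."""
import json
from collections import defaultdict

# Constructed sample input (not real DependencyCheck output).  "source" is the
# hypothetical per-dependency attribute discussed in the thread; the ids are placeholders.
SAMPLE_DEPENDENCIES = [
    {"source": "pom.xml", "package_manager": "maven",
     "name": "org.example:lib-a", "version": "1.2.3",
     "vulnerabilities": [{"id": "CVE-0000-0001", "severity": "HIGH",
                          "description": "placeholder finding"}]},
    {"source": "pom.xml", "package_manager": "maven",
     "name": "org.example:lib-b", "version": "4.5.6", "vulnerabilities": []},
    {"source": "requirements/poetry.lock", "package_manager": "pip",
     "name": "examplepkg", "version": "0.9.0",
     "vulnerabilities": [{"id": "CVE-0000-0002", "severity": "MEDIUM",
                          "description": "placeholder finding"},
                         {"id": "CVE-0000-0003", "severity": "not-a-level",
                          "description": "placeholder finding"}]},
]

# DependencyCheck reports CVSS severities in upper case; GitLab expects a fixed set
# of capitalised values (assumed from the report schema; verify for your version).
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "INFO": "Info"}


def gitlab_severity(value):
    """Normalise a severity string; anything unrecognised is reported as Unknown
    rather than dropped, so a malformed input never silently hides a finding."""
    return SEVERITY_MAP.get(str(value).upper(), "Unknown")


def group_by_source(deps):
    """Build the dependency_files array: one entry per source file, sorted by path,
    each listing the dependencies that were found in that file."""
    grouped = defaultdict(list)
    managers = {}
    for dep in deps:
        grouped[dep["source"]].append({"package": {"name": dep["name"]},
                                       "version": dep["version"]})
        # First package manager seen for a source wins; a real implementation
        # would derive it from the analyzer that produced the dependency.
        managers.setdefault(dep["source"], dep["package_manager"])
    return [{"path": path, "package_manager": managers[path], "dependencies": items}
            for path, items in sorted(grouped.items())]


def to_vulnerabilities(deps):
    """Flatten findings; each one records the source file and package it belongs to."""
    out = []
    for dep in deps:
        for vuln in dep["vulnerabilities"]:
            out.append({
                "id": vuln["id"],
                "name": vuln["id"],
                "description": vuln["description"],
                "severity": gitlab_severity(vuln["severity"]),
                "identifiers": [{"type": "cve", "name": vuln["id"],
                                 "value": vuln["id"]}],
                "location": {"file": dep["source"],
                             "dependency": {"package": {"name": dep["name"]},
                                            "version": dep["version"]}},
            })
    return out


def build_report(deps, schema_version="15.0.0"):
    """Assemble the top-level report.  Field names are assumed from GitLab's
    dependency scanning schema; the scan block is a minimal placeholder."""
    return {
        "version": schema_version,
        "vulnerabilities": to_vulnerabilities(deps),
        "dependency_files": group_by_source(deps),
        "scan": {"type": "dependency_scanning", "status": "success",
                 "scanner": {"id": "dependency-check", "name": "DependencyCheck",
                             "vendor": {"name": "OWASP"}, "version": "unknown"}},
    }


def render_json(deps):
    """Serialise the report the way a CI job would write gl-dependency-scanning-report.json."""
    return json.dumps(build_report(deps), indent=2)


if __name__ == "__main__":
    print(render_json(SAMPLE_DEPENDENCIES))
```

The point of the grouping is the one jeremylong makes: without a per-dependency source, dependency_files cannot be populated truthfully, and GitLab will show every package under whatever single path the template hard-codes. Treat the field list above as a starting point and validate the output against the schema version your GitLab instance enforces before relying on it in a pipeline.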

niklasfi (Contributor, Author) commented Nov 9, 2023

FYI, we have set up a fork of this project on our private GitLab and are now using the generated SNAPSHOT builds in our pipelines. I can report it's working as is, with the known restrictions (source file is kind of a lie). In the process of setting this up, I found a couple more bugs. That is where the extra commits come from.

This is what it looks like on our internal gitlab now (for the ant subfolder of this repo).

[screenshot: the generated report as displayed in the author's internal GitLab]

jeremylong added this to the 9.0.0 milestone Nov 18, 2023

jeremylong (Owner) commented

Sorry for the delays - I will include this in the 9.0.0 release.

jeremylong merged commit d3a6797 into jeremylong:main Nov 21, 2023
5 of 6 checks passed