Is your feature request related to a problem? Please describe.
It is good practice to have a dependency scanner as part of a CI/CD pipeline. GitLab even has a handy vulnerability overview in merge requests, if you do so. Unfortunately, the dependency scanner supported by GitLab [1] is very much lacking in Java version support. In general, only LTS versions are supported, and even they only arrive half a year after the Java release. Right now, I only have two choices: use the current Java version or have a properly working dependency scanner in my pipeline.

Describe the solution you'd like
GitLab's vulnerability feature is not restricted to using GitLab's scanner. It's possible to provide your own scanner [2]. My proposal to solve the dilemma above is to add a new report format conforming to GitLab's report schema [3].
Describe alternatives you've considered
I have previously implemented a "translator" from DependencyCheck into GitLab's format that ran after DependencyCheck and generated an output file in the desired format. This, however, feels clunky when the power of Velocity's templating language is already at our hands when generating the report file.
Additional context
I have implemented an initial version but I'm missing some additional fields. I will shortly add a pull request to this issue for that.
References
[1] gemnasium, which I think uses DependencyCheck inside
[2] documentation: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#reports-json-format
[3] schema definition: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.6/dist/dependency-scanning-report-format.json?ref_type=tags
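
For readers who have not seen either format, the following added example (not the issue author's translator and not DependencyCheck code) sketches the post-processing "translator" approach described under the alternatives. The DependencyCheck JSON keys and the GitLab report keys used here are assumptions to be checked against the schema in [3]; the severity mapping, the "dependency_check" identifier type and the sample input are constructed for illustration.

```python
import json
import uuid

# DependencyCheck severity strings mapped to the GitLab schema's enum (assumed mapping).
SEVERITY = {"critical": "Critical", "high": "High", "medium": "Medium",
            "moderate": "Medium", "low": "Low"}

def split_purl(purl):
    """Split 'pkg:maven/group/artifact@1.2' into ('group/artifact', '1.2')."""
    body = purl.split("?", 1)[0].split("/", 1)[-1]
    name, _, version = body.partition("@")
    return name, version or "unknown"

def to_gitlab(dc_report, scan_time="2024-01-01T00:00:00"):
    """Translate a parsed DependencyCheck JSON report into a GitLab-style report dict."""
    tool = {"id": "dependency-check", "name": "DependencyCheck",
            "version": dc_report.get("scanInfo", {}).get("engineVersion", "unknown"),
            "vendor": {"name": "OWASP"}}
    findings = []
    for dep in dc_report.get("dependencies", []):
        # Fall back to the file name when no package URL was identified.
        packages = dep.get("packages") or [{"id": "pkg:generic/" + dep["fileName"]}]
        name, version = split_purl(packages[0]["id"])
        for vuln in dep.get("vulnerabilities", []):
            # "dependency_check" is a hypothetical identifier type for non-CVE findings.
            kind = "cve" if vuln["name"].startswith("CVE-") else "dependency_check"
            findings.append({
                # Deterministic id so the same finding keeps its identity across pipelines.
                "id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{name}@{version}/{vuln['name']}")),
                "name": vuln["name"],
                "description": vuln.get("description", ""),
                "severity": SEVERITY.get(str(vuln.get("severity", "")).lower(), "Unknown"),
                "identifiers": [{"type": kind, "name": vuln["name"], "value": vuln["name"]}],
                "location": {"file": dep.get("filePath", dep["fileName"]),
                             "dependency": {"package": {"name": name}, "version": version}},
            })
    return {"version": "15.0.6", "vulnerabilities": findings, "dependency_files": [],
            "scan": {"type": "dependency_scanning", "status": "success",
                     "start_time": scan_time, "end_time": scan_time,
                     "analyzer": tool, "scanner": tool}}

# Constructed sample input; the CVE id is a placeholder, not a real finding.
SAMPLE = {"scanInfo": {"engineVersion": "0.0.0"}, "dependencies": [
    {"fileName": "demo-lib-1.0.jar", "filePath": "/build/libs/demo-lib-1.0.jar",
     "packages": [{"id": "pkg:maven/org.example/demo-lib@1.0"}],
     "vulnerabilities": [{"name": "CVE-0000-0000", "severity": "HIGH",
                          "description": "Constructed example finding."}]},
    {"fileName": "clean.jar", "filePath": "/build/libs/clean.jar"}]}

if __name__ == "__main__":
    print(json.dumps(to_gitlab(SAMPLE), indent=2))
```

Validating the generated file against the schema in [3] before uploading it as a pipeline artifact catches missing required fields early.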