feat: gitlab dependency scanner report format #5919 #5920
jeremylong merged 6 commits into dependency-check:main from
Conversation
Hi, I would gladly receive some feedback on my pull request.
aikebah left a comment
Some preliminary feedback. Based on the various comments you already put in I think it needs some further investigation into resolving the various issues with the GitLab report format versus the information we currently have available to make it so mature that I would vote for inclusion.
Nevertheless I'm in favor of the initiative, and even if we can't reach an acceptable level of support, the efforts to try and achieve as much as reasonably possible are useful for anyone wanting to embed DependencyCheck into GitLab dependency-scanning.
If not as a formally supported format, people could always use a partially completed and syntactically working template as their own report format (using the VSL as a custom-format report; see jeremylong/DependencyCheck#5824 (comment) for some details on that approach).
jeremylong left a comment
Please see the comments from @aikebah.
374b003 to e71d434
Hi @jeremylong @aikebah, sorry for taking so long to respond to your well-thought-out remarks on the pull request. I have implemented the changes as you suggested except for the
4566340 to 9856592
@niklasfi thanks! Supporting this format shows that we might be missing a field on the dependency object:
8c7ec11 to 74be57c
FYI, we have set up a fork of this project on our private GitLab and are now using the generated SNAPSHOT builds in our pipelines. I can report it's working as is, with the known restrictions (source file is kind of a lie). In the process of setting this up, I found a couple more bugs. That is where the extra commits come from. This is what it looks like on our internal GitLab now (for the ant subfolder of this repo).
74be57c to 29033c0
Sorry for the delays - I will include this in the 9.0.0 release.
add report format "GitLab", which conforms to [1] and can be consumed by gitlab to generate SAST vulnerability reports [2].
[1] https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/raw/v15.0.6/dist/dependency-scanning-report-format.json?ref_type=tags
[2] https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#reports-json-format
29033c0 to 5d6a6fd
Fixes Issue #5919
Description of Change
As described in #5919, I am working on adding a new report format to DependencyCheck that can be directly fed to GitLab to be used as a dependency scanner in CI/CD pipelines.
Have test cases been added to cover the new functionality?
no