Dependency Scanning for projects using sbt package manager
Problem to solve
Dependency Scanning does not currently support sbt, so users whose projects are built with it get no dependency scanning report. We should fix this.
Further details
Proposal
Add a new analyzer type for scanning sbt projects.
Implementation plan
- Validate sbt-dependency-graph plugin for the dependency scanning use case
- Update gemnasium-maven to leverage the above plugin and generate a report in the common format
- [-] Update gemnasium/semver for parsing ivy revisions added by sbt
- Update gemnasium to parse the new dependency report generated by gemnasium-maven
- Add a vulnerable sbt project to the test projects
- [-] Update gemnasium-maven dependency in Dependency Scanning orchestrator (Docker-in-Docker mode)
- Switch gemnasium-maven to a tagged version of gemnasium after merging gitlab-org/security-products/analyzers/gemnasium!54 (merged)
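To show what the plan above amounts to end to end, here is an added example, not gemnasium-maven's or gemnasium's own code: a small Go program that takes the console output of `sbt dependencyList` (a task provided by the sbt-dependency-graph plugin) and turns it into a dependency list in a simplified report shape. It assumes the plugin prints one `organization:name:revision` per line behind sbt's `[info]` prefix, and the `Report` struct is a stripped-down stand-in for the analyzers' common format, not its real schema; the sample console output is constructed. Ivy dynamic revisions (`1.0.+`, `latest.release`, `[1.0,2.0)`) are separated out instead of being passed on, because a plain semver parser cannot compare them, which is what the gemnasium/semver step in the plan has to deal with.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Dependency is one resolved sbt module: Maven-style "organization:name"
// coordinates plus the revision sbt resolved it to.
type Dependency struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Report is a simplified stand-in for the analyzers' common report format.
// Assumption: the real gemnasium report carries more fields than these two.
type Report struct {
	PackageManager string       `json:"package_manager"`
	Dependencies   []Dependency `json:"dependencies"`
}

// sbtLog splits the level prefix sbt puts on every console line ("[info] ...").
var sbtLog = regexp.MustCompile(`^\[(\w+)\]\s*(.*)$`)

// coordinate matches a resolved module as the sbt-dependency-graph plugin's
// dependencyList task prints it. Assumption: one "org:name:revision" per line.
var coordinate = regexp.MustCompile(`^([\w.\-]+):([\w.\-]+):(\S+)$`)

// dynamicRevision matches Ivy dynamic revisions, which name a rule rather than
// a version: "1.0.+", "latest.integration"/"latest.release", and range forms
// such as "[1.0,2.0)" or "(,1.5]". A semver comparison cannot consume these
// as-is, so they are kept apart from fixed revisions.
var dynamicRevision = regexp.MustCompile(`^(\d+(\.\d+)*\.\+|latest\.\w+|[\[(].*[\])])$`)

// isDynamicRevision reports whether rev is an Ivy dynamic revision.
func isDynamicRevision(rev string) bool { return dynamicRevision.MatchString(rev) }

// parseDependencyList turns raw `sbt dependencyList` console output into
// fixed-revision dependencies, dynamic-revision dependencies (returned
// separately so the caller can resolve or reject them), and a count of
// non-coordinate lines that were skipped (sbt's own progress messages).
func parseDependencyList(out string) (fixed, dynamic []Dependency, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if m := sbtLog.FindStringSubmatch(line); m != nil {
			if m[1] != "info" { // warn/error/success lines never carry coordinates
				skipped++
				continue
			}
			line = m[2]
		}
		m := coordinate.FindStringSubmatch(line)
		if m == nil {
			skipped++ // e.g. "Loading settings ..." or "Set current project ..."
			continue
		}
		dep := Dependency{Name: m[1] + ":" + m[2], Version: m[3]}
		if isDynamicRevision(dep.Version) {
			dynamic = append(dynamic, dep)
		} else {
			fixed = append(fixed, dep)
		}
	}
	return fixed, dynamic, skipped
}

// buildReport serialises fixed-revision dependencies into the simplified
// report format defined above.
func buildReport(deps []Dependency) (string, error) {
	b, err := json.MarshalIndent(Report{PackageManager: "sbt", Dependencies: deps}, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// sampleOutput is constructed sbt console output, not captured from a real build.
const sampleOutput = `[info] Loading settings for project root from plugins.sbt ...
[info] Set current project to example (in build file:/tmp/example/)
[info] org.scala-lang:scala-library:2.12.8
[info] org.typelevel:cats-core_2.12:1.6.0
[info] com.typesafe.akka:akka-actor_2.12:2.5.+
[info] org.apache.commons:commons-text:[1.0,1.6)
[success] Total time: 1 s`

func main() {
	fixed, dynamic, skipped := parseDependencyList(sampleOutput)
	report, err := buildReport(fixed)
	if err != nil {
		panic(err)
	}
	fmt.Println(report)
	for _, d := range dynamic {
		fmt.Printf("dynamic revision needs resolution before scanning: %s@%s\n", d.Name, d.Version)
	}
	fmt.Printf("skipped %d non-dependency lines\n", skipped)
}
```

In the analyzer the constant would be replaced by the captured output of running sbt inside the gemnasium-maven image; the cross-version suffix on artifact names (`cats-core_2.12`) is kept as part of the name, since that is how the artifact is published and matched against advisories.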
Documentation
- Update supported languages
- Add any options required by this new analyzer
Testing
Create a qa stage for this analyzer that runs against the vulnerable test project (added in the implementation plan).
What does success look like, and how can we measure that?
Ability to generate a dependency scanning report for projects that are built with sbt.
Links / references
Product
Edited by Igor Frenkel