Dependency Scanning for pnpm projects (Gemnasium)
Note to wider-community, sales, support and customer success
As always, we welcome contributions, so feel free to ask the PM of Composition Analysis questions if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE: if you are a user who would also like to see this feature, please UPVOTE.
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup), in addition to a Salesforce or Zendesk link.
Release notes
Draft: GitLab Dependency Scanning now supports pnpm projects.
Problem to solve
Support pnpm projects in Dependency Scanning (Gemnasium).
Intended users
User experience goal
Proposal
Similar to npm and yarn, pnpm has lock files named pnpm-lock.yaml. These could be directly processed by Gemnasium.
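As an added illustration of what such a lock file parser has to deal with (this is not Gemnasium's own parser), the Go sketch below extracts name/version pairs from the packages: section of a pnpm-lock.yaml. It goes a little beyond the proposal by handling the key shapes of lockfile v5, v6 and v9, relies on pnpm's fixed two-space layout instead of a YAML library, and the sampleLock content is constructed.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// Dependency is one package name/version pair recovered from pnpm-lock.yaml.
type Dependency struct{ Name, Version string }

// Lockfile v5 keys look like "/lodash/4.17.21" or "/@babel/core/7.0.0"; v6 and
// later use "/lodash@4.17.21" (v9 drops the leading slash). A peer-dependency
// suffix such as "_react@18.2.0" or "(react@18.2.0)" is not part of the version.
var (
	keyV6 = regexp.MustCompile(`^/?((?:@[^/@]+/)?[^/@]+)@([^(_]+)`)
	keyV5 = regexp.MustCompile(`^/((?:@[^/]+/)?[^/]+)/([^_(]+)`)
)

// ParsePnpmLock returns the registry packages listed under the top-level "packages:"
// section, relying on pnpm's layout (keys at exactly two spaces, ending in ':').
func ParsePnpmLock(content string) []Dependency {
	var deps []Dependency
	inPackages := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.TrimSpace(line) == "": // blank lines separate entries
		case !strings.HasPrefix(line, " "): // a new top-level section starts
			inPackages = line == "packages:"
		case inPackages && strings.HasPrefix(line, "  ") && !strings.HasPrefix(line, "   "):
			// package keys sit at exactly two spaces; resolution/dev lines are deeper
			key := strings.Trim(strings.TrimSuffix(strings.TrimSpace(line), ":"), `'"`)
			for _, re := range []*regexp.Regexp{keyV6, keyV5} {
				if m := re.FindStringSubmatch(key); m != nil {
					deps = append(deps, Dependency{m[1], m[2]})
					break
				}
			}
		}
	}
	return deps
}

// sampleLock is a constructed lockfileVersion 5.4 fragment, not a real project's file.
const sampleLock = "lockfileVersion: 5.4\n\ndependencies:\n  lodash: 4.17.21\n\npackages:\n\n" +
	"  /@babel/code-frame/7.22.13:\n    resolution: {integrity: sha512-CONSTRUCTED}\n    dev: true\n" +
	"  /lodash/4.17.21:\n    resolution: {integrity: sha512-CONSTRUCTED}\n" +
	"  /react-dom/18.2.0_react@18.2.0:\n    resolution: {integrity: sha512-CONSTRUCTED}\n"
```

Running ParsePnpmLock(sampleLock) yields @babel/code-frame 7.22.13, lodash 4.17.21 and react-dom 18.2.0; the lodash entry under dependencies: is skipped because it is not in the packages: section.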
Further details
Permissions and Security
Documentation
To be documented in https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#supported-languages-and-package-managers
Availability & Testing
- Write unit tests for the new pnpm lock file parser.
- Add image spec to Gemnasium, to check that the image creates the expected report when scanning a pnpm project.
- Add spec for the CI template, to check that the scanning job is triggered when there's a pnpm lock file.
A job integration test doesn't seem necessary.
Available Tier
Feature Usage Metrics
What does success look like, and how can we measure that?
pnpm projects are scanned by Gemnasium. Vulnerabilities are reported in the vulnerability report page. Dependencies are listed in the Dependency List.
What is the type of buyer?
Is this a cross-stage feature?
No
Links / references
Implementation plan
- Update Gemnasium: Add support for PNPM (gitlab-org/security-products/analyzers/gemnasium!455 - merged)
  - Add parser for pnpm lock file, and unit tests.
  - Update finder to detect pnpm project. Update tests.
  - Enable pnpm file parser in main.go.
  - Add image spec for pnpm projects.
- Update documentation: Add PNPM support (!117427 - merged)
  - Add pnpm to supported languages.
- Update CI template and its specs: Add PNPM support (!117427 - merged)
  - Trigger Gemnasium job when there's a pnpm lock file.
- @smeadzinger - Announce in release post