BE: Extend container-scanning analyzer with OS packages dependency list generation
Why are we doing this work
The first iteration of the OS dependency report for Container Scanning relies on running the scanner twice: once for the vulnerabilities (reported in gl-container-scanning.json) and once for the dependencies (reported in gl-dependency-scanning.json).
Whenever possible, we'd like to run the scanner only once, and then report the findings/dependencies accordingly.
Relevant links
Non-functional requirements
To address that need, we need to update the analyzer to generate the additional report and update the Container Scanning CI/CD template to support it.
For Trivy, we can use the --list-all-pkgs flag to generate the dependency-scanning report, which we can then use in Security & Compliance -> Dependency List.
- [-] Documentation: add documentation to the Container Scanning section stating that the analyzer performs a Dependency Scanning scan by default, and describe how to disable it,
- [-] Feature flag: no feature flag, but we could consider adding a separate variable to the analyzer to disable the Dependency List generation,
- [-] Performance:
- [-] Testing:
Implementation plan
- backend citemplates: modify the Security/Container-Scanning template to accept an additional artifact for the dependency-scanning report,
- backend: extend the analyzer with the ability to scan for a list of all packages installed in the container and generate a report based on the schema.
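As an added illustration (not the analyzer's own code) of deriving both reports from a single Trivy run, the following Python parses one `--list-all-pkgs` JSON output into a container scanning document and a dependency scanning document. The Trivy field names, the report schema version and the GitLab schema subset used are assumptions to verify against the versions in use.

```python
import json

# Constructed sample of one `trivy image --format json --list-all-pkgs` run. Field
# names follow Trivy's JSON report as understood here; verify against the Trivy in use.
TRIVY_OUTPUT = json.dumps({
    "Results": [{
        "Target": "alpine:3.12 (alpine 3.12.0)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Packages": [
            {"Name": "musl", "Version": "1.1.24-r8"},
            {"Name": "openssl", "Version": "1.1.1g-r0"},
        ],
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-0000-PLACEHOLDER", "PkgName": "openssl",
            "InstalledVersion": "1.1.1g-r0", "Severity": "HIGH",
        }],
    }],
})

# Assumed report schema version; set it to the schema the analyzer actually targets.
REPORT_SCHEMA_VERSION = "14.0.0"


def split_trivy_report(trivy_json: str, image: str) -> tuple:
    """Derive (container_scanning, dependency_scanning) reports from one Trivy run.

    Only the schema subset needed here is filled in: vulnerabilities pass through
    unchanged and the package list becomes dependency_files package/version pairs.
    """
    results = json.loads(trivy_json).get("Results", [])
    vulnerabilities = []
    dependency_files = []
    for result in results:
        vulnerabilities.extend(result.get("Vulnerabilities") or [])
        if result.get("Class") != "os-pkgs":
            continue  # language packages are out of scope for the OS package list
        dependency_files.append({
            "path": image,
            "package_manager": result.get("Type", "unknown"),
            "dependencies": [
                {"package": {"name": pkg["Name"]}, "version": pkg["Version"]}
                for pkg in result.get("Packages") or []
            ],
        })
    container_report = {"version": REPORT_SCHEMA_VERSION, "vulnerabilities": vulnerabilities}
    dependency_report = {"version": REPORT_SCHEMA_VERSION, "vulnerabilities": [],
                         "dependency_files": dependency_files}
    return container_report, dependency_report
```

Writing the two dictionaries to gl-container-scanning.json and gl-dependency-scanning.json gives the CI template both artifacts from one scanner invocation.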