Port SAST orchestration engine to Dependency Scanning
#5232 (closed) introduced a new orchestrator, letting users provide their own Docker images. As most of the work is common between SAST and Dependency Scanning, we can share a large portion of the code. The differences between the two final executables are:
- List of images
- Schema of reported issues is not the same (to be confirmed)
TODO

- Extract generic code from SAST. Move it to a sub-directory within the same project.
- Move this generic code to the common lib. Tag a new version of common and make SAST depend on it.
- Rewrite Dependency Scanning using the common lib. Test the resulting code with a simple/dummy analyzer/plugin.
- Port existing plugins and turn them into new projects in the analyzers sub-group:
  - retire
  - bundle-audit
  - gemnasium
  - gemnasium-python
  - gemnasium-maven
  - npm-audit
- Perform full E2E integration tests using test projects
- Update Release Process
- Update GitLab documentation (not needed)
Edited by Fabien Catteau