Store Dependency Scanning scan results into the database
Problem to solve
Data from Dependency Scanning reports should be in the database, and consumers should use that backend instead of the raw JSON report.
This is required in order to present Dependency Scanning results in a group-level Security Dashboard. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6709 and https://gitlab.com/gitlab-org/gitlab-ee/issues/6240.
It could also be used to improve the performance of the existing Security Dashboard. See https://gitlab.com/gitlab-org/gitlab-ee/issues/6165.
Further details
If consumers need to elaborate or aggregate data from many reports (e.g., group-level features), it is not possible to do so from artifacts without heavily affecting performance.
Proposal
Save Dependency Scanning reports in the database when they are collected from the Runner. Make this information available to the frontend via backend calls.
For the first iteration, it will not replace the artifact access. We can decouple this change and update the frontend independently.
Implementation should follow what has already been done for SAST:
- Add a new parser for DS. A lot of it can be shared (DRY) with the existing SAST parser.
- Enable that parser.
This requires https://gitlab.com/gitlab-org/gitlab-ee/issues/5908 to be completed to have Dependency Scanning reports compatible with our DB model.
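As an illustration of the "DRY with the existing SAST parser" step, here is an added example (not GitLab's own code) of a shared base parser with a Dependency Scanning subclass supplying only the report-specific parts: the de-duplication key and the location. The report shape, class names and field names are assumptions, and the sample report is constructed.

```ruby
require 'json'

# Hypothetical shared parser: the parts common to SAST and Dependency Scanning
# live here, subclasses supply only the report-specific pieces.
class SecurityReportParser
  Occurrence = Struct.new(:category, :name, :severity, :compare_key, :location)
  def initialize(category)
    @category = category
  end

  # Turn the raw JSON artifact into rows ready to be persisted,
  # de-duplicated on compare_key so one advisory maps to one DB row.
  def parse(raw_json)
    JSON.parse(raw_json).map { |e| to_occurrence(e) }.uniq(&:compare_key)
  end

  private
  def to_occurrence(e)
    Occurrence.new(@category, e['message'], e['priority'].to_s.downcase,
                   compare_key(e), location(e))
  end
end

class DependencyScanningParser < SecurityReportParser
  def initialize
    super('dependency_scanning')
  end
  private
  # Dedup key for DS: package, version and advisory id identify a finding.
  def compare_key(e)
    dep = e.fetch('dependency')
    [dep['package'], dep['version'], e['cve']].join(':')
  end

  def location(e)
    { file: e['file'], dependency: e['dependency'] }
  end
end

# Constructed sample report (with a duplicate entry), not real scanner output.
DS_REPORT = <<~JSON
  [{"message": "Example advisory", "priority": "High", "cve": "CVE-EXAMPLE-0001",
    "file": "package-lock.json", "dependency": {"package": "lodash", "version": "4.17.4"}},
   {"message": "Example advisory", "priority": "High", "cve": "CVE-EXAMPLE-0001",
    "file": "package-lock.json", "dependency": {"package": "lodash", "version": "4.17.4"}}]
JSON

def parse_sample_report
  DependencyScanningParser.new.parse(DS_REPORT)
end
```

A SAST subclass would override the same two methods with a file/line based key and location, leaving the JSON handling and persistence mapping untouched.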