Change data source for project level dependencies
What does this MR do and why?
Change data source for project level dependencies. This MR contains only the initial backend changes; a follow-up MR will contain the frontend-related ones.
EE: true Changelog: added
Related issue: #393061 (closed)
Responses
Project level -- FF disabled
{
"report": {
"status": "ok",
"job_path": "/top-group/project-4/builds/452",
"generated_at": "2023-12-13T09:55:24.554Z"
},
"dependencies": [
{
"name": "puma",
"packager": "Ruby (Bundler)",
"version": "5.6.5",
"location": {
"blob_path": "/top-group/project-4/-/blob/ddb344b26a590369e1a8cb223d25e447c3d3ec9f/Gemfile.lock",
"path": "Gemfile.lock",
"top_level": null,
"ancestors": null
},
"vulnerabilities": [
{
"name": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
"severity": "critical",
"id": 1196,
"url": "http://gdk.test:3000/top-group/project-4/-/security/vulnerabilities/1196"
}
],
"licenses": [
{
"name": "unknown",
"url": null
}
]
}
]
}
Group level -- FF disabled
{
"report": {
"status": "ok"
},
"dependencies": [
{
"name": "actionpack",
"packager": "bundler",
"version": "6.1.7.2",
"location": {
"blob_path": "/top-group/project-4/-/blob/ddb344b26a590369e1a8cb223d25e447c3d3ec9f/Gemfile.lock",
"path": "Gemfile.lock",
"top_level": false,
"ancestors": null
},
"licenses": [
{
"spdx_identifier": "MIT",
"name": "MIT",
"url": "https://spdx.org/licenses/MIT.html"
}
],
"occurrence_count": 2,
"project": {
"full_path": "top-group/project-4",
"name": "project-4"
},
"project_count": 2,
"component_id": 7,
"occurrence_id": 59270,
"vulnerability_count": 1
}
]
}
Project level -- FF enabled
{
"report": {
"status": "ok",
"job_path": "/top-group/project-4/builds/452",
"generated_at": "2023-12-13T09:55:24.554Z"
},
"dependencies": [
{
"name": "rugged",
"packager": "bundler",
"version": "1.5.1",
"location": {
"blob_path": "/top-group/project-4/-/blob/ddb344b26a590369e1a8cb223d25e447c3d3ec9f/Gemfile.lock",
"path": "Gemfile.lock",
"top_level": false,
"ancestors": null
},
"licenses": [
{
"spdx_identifier": "unknown",
"name": "unknown",
"url": null
}
],
"occurrence_id": 59758,
"vulnerability_count": 1
}
]
}
Group level -- FF enabled
{
"report": {
"status": "ok"
},
"dependencies": [
{
"name": "puma",
"packager": "bundler",
"version": "5.6.5",
"location": {
"blob_path": "/top-group/project-4/-/blob/ddb344b26a590369e1a8cb223d25e447c3d3ec9f/Gemfile.lock",
"path": "Gemfile.lock",
"top_level": false,
"ancestors": null
},
"licenses": [
{
"spdx_identifier": "unknown",
"name": "unknown",
"url": null
}
],
"occurrence_count": 2,
"project": {
"full_path": "top-group/project-4",
"name": "project-4"
},
"project_count": 2,
"component_id": 414,
"occurrence_id": 59676,
"vulnerability_count": 1
}
]
}
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.