
Draft: POC - Reproduce base functionality of Repository X-Ray in monolith

Leaminn Ma requested to merge dependency-config-file-parser-base into master

What does this MR do and why?

UPDATE: This MR now serves as a POC. This allows the implementation to be broken up into smaller MRs for official review.

Context:

In #474306 (comment 2025085630), we decided to migrate the Repository X-Ray functionality into the GitLab Rails monolith. This will eventually allow us to run the service outside of the CI pipeline.

This MR is the first step in this migration process. It introduces a new LockFileParser class that finds and parses static dependency lock files in a given repository. It also introduces the LockFiles::Base class, with the intention that each lock file type is represented by a child class.

Implementation notes:

  • LockFileParser is currently a library class. It will eventually be utilized in a service class that reads the payloads from the lock file objects and then stores them into the xray_reports table, similar to what we do in Ai::StoreRepositoryXrayService.
  • The payload output follows the same schema that Repository X-Ray uses.
  • It currently only has the ability to parse Gemfile.lock. The next iterations will involve porting over all the languages currently supported in Repository X-Ray.
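As an added sketch of the design the notes above describe (illustrative code, not code from this MR): a LockFiles::Base contract, a Gemfile.lock child class, and a LockFileParser that dispatches on file name. The payload keys, the { path => content } input map and the sample lock file are assumptions made for this example, not the Repository X-Ray schema.

```ruby
module LockFiles
  # Base class: each lock file type is a subclass that implements #parse.
  class Base
    attr_reader :path, :content
    def initialize(path, content)
      @path = path
      @content = content
    end
    # The payload shape is an assumption for this example, not the X-Ray schema.
    def payload
      { 'lock_file' => path, 'libs' => parse }
    end
    def parse
      raise NotImplementedError, "#{self.class} must implement #parse"
    end
  end

  # Gemfile.lock: resolved gems are the 4-space-indented "name (version)" lines in a
  # GEM/GIT/PATH block; deeper lines (transitive constraints) and DEPENDENCIES are skipped.
  class GemfileLock < Base
    SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/
    def self.matches?(path)
      File.basename(path) == 'Gemfile.lock'
    end
    def parse
      in_specs = false
      content.each_line.with_object([]) do |line, libs|
        if line.match?(/\A(GEM|GIT|PATH)\b/) then in_specs = true
        elsif line.match?(/\A[A-Z]/) then in_specs = false # any other top-level section
        elsif in_specs && (m = SPEC_LINE.match(line))
          libs << { 'name' => m[1], 'version' => m[2] }
        end
      end
    end
  end
end

# Walks a { path => content } map (stand-in for the repository tree) and returns
# one payload per lock file that some registered parser recognises.
class LockFileParser
  PARSERS = [LockFiles::GemfileLock].freeze
  def self.parse(files)
    files.filter_map do |path, content|
      klass = PARSERS.find { |p| p.matches?(path) }
      klass&.new(path, content)&.payload
    end
  end
end
# Constructed sample input, not a real repository file.
SAMPLE_GEMFILE_LOCK = "GEM\n  specs:\n    rails (7.0.8)\n      actioncable (= 7.0.8)\n    rake (13.0.6)\n\nDEPENDENCIES\n  rails (~> 7.0)\n  rake\n"
REPORT = LockFileParser.parse('Gemfile.lock' => SAMPLE_GEMFILE_LOCK, 'package-lock.json' => '{}')
```

Adding another lock file type means one more Base subclass in PARSERS; the unrecognised package-lock.json in the sample is dropped rather than raising.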

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #476177 (closed)

Edited by Leaminn Ma
