Draft: Upload dependency graph exports as artifacts when Gemnasium fails
What does this MR do and why?
Make the dependency graph exports available as CI artifacts when a Gemnasium Dependency Scanning job fails:
- When the `gemnasium-maven-dependency_scanning` job fails, upload the dependency graph exports generated by Gemnasium Maven Plugin, Gemnasium Gradle Plugin, or sbt-dependency-graph plugin.
- When the `gemnasium-python-dependency_scanning` job fails, upload the dependency graph exports generated by `pipdeptree` or `pipenv graph`.
This change makes it easier to debug failed Dependency Scanning jobs when Gemnasium fails to parse graph exports generated by external commands.
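For readers who want the same behaviour on a project that consumes the Dependency Scanning template, the following `.gitlab-ci.yml` fragment is an added example and is not code from this MR or from the Gemnasium analyzers. It overrides the two jobs in `Dependency-Scanning.gitlab-ci.yml` to keep the graph exports as artifacts. The export filenames (`gemnasium-maven-plugin.json`, `gemnasium-gradle-plugin-dependencies.json`, `dependencies-compile.dot`, `pipdeptree.json`, `pipenv-graph.json`) are assumptions; check the actual names used by the Gemnasium builders before copying them. One caveat: `artifacts:when` applies to every path and report in the block, so `when: on_failure` would drop `gl-dependency-scanning-report.json` on a successful run; `when: always` keeps the report and also uploads any exports that happen to exist. Overriding `artifacts` on a job taken from an included template replaces the whole `artifacts` hash, so the `reports:` entry must be restated:

```yaml
# Added example (not part of this MR): keep Gemnasium dependency graph
# exports as CI artifacts so a failed parse can be debugged from the job page.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

gemnasium-maven-dependency_scanning:
  artifacts:
    # `on_failure` would also suppress the scanning report on green runs,
    # so upload everything unconditionally and let missing paths be ignored.
    when: always
    expire_in: 1 week
    paths:
      # Assumed export names for the Maven, Gradle and sbt graph plugins.
      - "**/gemnasium-maven-plugin.json"
      - "**/gemnasium-gradle-plugin-dependencies.json"
      - "**/dependencies-compile.dot"
    reports:
      # Restated because this override replaces the template's artifacts block.
      dependency_scanning: gl-dependency-scanning-report.json

gemnasium-python-dependency_scanning:
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      # Assumed export names for `pipdeptree --json` and `pipenv graph --json`.
      - pipdeptree.json
      - pipenv-graph.json
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
```

Because `paths` entries that do not exist are skipped rather than failing the upload, listing all candidate exports in one block is safe; only the file written by the package manager actually in use ends up in the artifact archive.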
Further details
See export filenames used in the Gemnasium builders:
- gemnasium-maven
- gemnasium-python
Testing
This has been tested using the same projects as the ones used for job integration tests. However, QA jobs can't be tested. See gitlab-org/security-products/tests/java-gradle-multimodules!30 (comment 710091732) for explanation.
Feature test: artefacts are uploaded when job fails.
- gemnasium-maven
- gemnasium-python
- pip
Non-regression test: job passes, report is uploaded.
- gemnasium-maven
- gemnasium-python
- pip
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #341215