Use unique dependency file for each Omnibus path
What does this MR do?
When setting DEPSCAN_USE_OMNIBUS_PATHS to true, the dependency files in the security report would reference the version manifest generated by Omnibus. This would cause duplicates to be generated in the dependency list for a project because dependencies referenced by vulnerabilities are created when not found. In this case, they were never found because the dependency paths didn't match the path of the dependency file, e.g. the path config/software/ruby.rb would not match version-manifest.json.
To ensure that a dependency file exists for each vulnerability, we now create a dependency file for each Omnibus path that has a vulnerability.
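Added illustration of the path mismatch and the per-path fix described above; this is not code from the MR or the analyzer. The trimmed report types, the "omnibus" package-manager value, the sample versions and the SplitByOmnibusPath helper are all assumed or constructed for the example.

```go
package main

// Assumed, trimmed-down shapes of the GitLab security report: only the
// fields this example needs, not the analyzer's real types.
type Dependency struct{ Name, Version string }
type DependencyFile struct {
	Path           string // e.g. version-manifest.json or config/software/ruby.rb
	PackageManager string
	Dependencies   []Dependency
}

type Vulnerability struct {
	File string     // location.file: the Omnibus software definition
	Dep  Dependency // location.dependency
}

// HasDependencyFile reports whether a vulnerability's path matches one of the
// report's dependency files. With only the generated manifest in the report,
// no Omnibus path matches, so the dependency gets re-created for each finding.
func HasDependencyFile(files []DependencyFile, v Vulnerability) bool {
	for _, f := range files {
		if f.Path == v.File {
			return true
		}
	}
	return false
}

// SplitByOmnibusPath (hypothetical helper) emits one dependency file per
// Omnibus path that has a vulnerability, in first-seen order, deduplicating
// packages reported more than once for the same path.
func SplitByOmnibusPath(manifest DependencyFile, vulns []Vulnerability) []DependencyFile {
	idx := map[string]int{}
	seen := map[string]bool{}
	var out []DependencyFile
	for _, v := range vulns {
		i, ok := idx[v.File]
		if !ok {
			i = len(out)
			idx[v.File] = i
			out = append(out, DependencyFile{Path: v.File, PackageManager: manifest.PackageManager})
		}
		key := v.File + "\x00" + v.Dep.Name + "@" + v.Dep.Version
		if !seen[key] {
			seen[key] = true
			out[i].Dependencies = append(out[i].Dependencies, v.Dep)
		}
	}
	return out
}
```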
What are the relevant issue numbers?
gitlab-org/gitlab#382237 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer