
Use unique dependency file for each Omnibus path

Oscar Tovar requested to merge fix-duplicates-omnibus-dependencies into master

What does this MR do?

When DEPSCAN_USE_OMNIBUS_PATHS is set to true, the dependency files in the security report referenced the version manifest generated by Omnibus. This caused duplicates in the project's dependency list, because a dependency referenced by a vulnerability is created when it is not found, and here it was never found: the vulnerability's dependency path did not match the path of the dependency file (e.g. the path config/software/ruby.rb would not match version-manifest.json). To ensure that a dependency file exists for each vulnerability, we now create a dependency file for each Omnibus path that has a vulnerability.
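The mismatch described above, and the regrouping this MR introduces, as an added example that is not the analyzer's own code: the report is a constructed sample using the GitLab security report field names (`dependency_files`, `vulnerabilities`, `location.file`, `location.dependency`), and the function names are assumptions for illustration.

```python
# Added example, not the MR's code. Shows why a single version-manifest.json
# dependency file leaves every Omnibus vulnerability unmatched, and how building
# one dependency file per Omnibus path (config/software/*.rb) fixes that.
from collections import OrderedDict

REPORT = {  # constructed sample report, not real scan output
    "dependency_files": [{
        "path": "version-manifest.json",  # the Omnibus manifest the old report referenced
        "package_manager": "omnibus",
        "dependencies": [
            {"package": {"name": "ruby"}, "version": "2.7.5"},
            {"package": {"name": "openssl"}, "version": "1.1.1k"},
        ],
    }],
    "vulnerabilities": [
        {"id": "v1", "location": {"file": "config/software/ruby.rb",
                                  "dependency": {"package": {"name": "ruby"}, "version": "2.7.5"}}},
        {"id": "v2", "location": {"file": "config/software/openssl.rb",
                                  "dependency": {"package": {"name": "openssl"}, "version": "1.1.1k"}}},
        {"id": "v3", "location": {"file": "config/software/openssl.rb",
                                  "dependency": {"package": {"name": "openssl"}, "version": "1.1.1k"}}},
    ],
}

def unmatched_locations(report):
    """Vulnerability file paths that have no dependency file of the same path.
    Each of these would make the importer create a fresh, duplicate dependency."""
    known = {f["path"] for f in report["dependency_files"]}
    return sorted({v["location"]["file"] for v in report["vulnerabilities"]} - known)

def dependency_files_per_path(report, package_manager="omnibus"):
    """One dependency file per vulnerability location path (the MR's approach),
    listing each referenced package/version once even if several findings share it."""
    files = OrderedDict()
    for v in report["vulnerabilities"]:
        loc, dep = v["location"], v["location"]["dependency"]
        key = (dep["package"]["name"], dep["version"])
        deps = files.setdefault(loc["file"], OrderedDict())
        deps.setdefault(key, {"package": {"name": key[0]}, "version": key[1]})
    return [{"path": path, "package_manager": package_manager,
             "dependencies": list(deps.values())} for path, deps in files.items()]

def fix_report(report):
    """Return a copy of the report whose dependency files match every vulnerability path."""
    fixed = dict(report)
    fixed["dependency_files"] = dependency_files_per_path(report)
    return fixed
```

Running `unmatched_locations` before and after `fix_report` is a quick regression check that no vulnerability location is left without a dependency file.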

What are the relevant issue numbers?

gitlab-org/gitlab#382237 (closed)
