I have a Java/Mulesoft project which contains 6 separate components each having its own pom.xml file. Each component is independent of the other and is deployed separately to Cloudhub if changes need to be made. So at times, multiple components may need to be scanned.
Project structure
Parent Project
|— Component A
| |------- src
| |------- pom.xml
|— Component B
| |------- src
| |------- pom.xml
|— Component C
| |------- src
| |------- pom.xml
|— .gitlab-ci.yaml
The issue I am facing is with dependency scanning functionality, which only scans the first project and creates a report while other poms are ignored. I don’t want to build an aggregator pom file as the components are individual. Is there any other way to scan all the individual pom files and create a report? The ideal scenario would be to scan only the components which got changed but I can still live with it if it scans everything.
Also, another issue is that the reports are not showing up in the security dashboard even when the cyclonedx file is present in the job as an artifact.
Configuration
Add the security feature configuration and template including modifications/variables.
include:
- template: Security/Dependency-Scanning.gitlab-ci.yml
Versions
Please check whether options apply, and add the version information.
- Self-managed
- GitLab.com SaaS
- Dedicated
- Self-hosted Runners
Versions
- GitLab (Web: /help, or self-managed system information: sudo gitlab-rake gitlab:env:info):
- GitLab Runner, if self-hosted (Web: /admin/runners, or CLI: gitlab-runner --version):
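One way to get a dependency-scanning report for every component without an aggregator pom is to turn the template's Maven job into a matrix job, one instance per component directory, and run the analyzer from inside that directory. This is an added example, not configuration from the original post or from GitLab's template; the component directory names, the matrix variable COMPONENT_DIR, and the assumption that the analyzer honours the working directory it is started in are mine.

```yaml
# Added example (not from the original post). Assumes the Dependency-Scanning
# template is included, the job name gemnasium-maven-dependency_scanning from
# that template, and that /analyzer run picks up the pom.xml in the current
# directory. Directory names are placeholders for the real component folders.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

gemnasium-maven-dependency_scanning:
  # One job instance per component instead of one job for the whole repository.
  parallel:
    matrix:
      - COMPONENT_DIR: ["component-a", "component-b", "component-c"]  # assumed names
  # Scan a component when its files changed; always scan on the default branch,
  # because the Security Dashboard is populated from default-branch pipelines.
  # Note: overriding rules replaces the template's own rules for this job.
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - changes:
        - $COMPONENT_DIR/**/*
  script:
    - cd "$COMPONENT_DIR"
    - /analyzer run
  artifacts:
    reports:
      # The report is written in the directory the analyzer ran in, so collect
      # it from there; this JSON report (not the CycloneDX file) is what the
      # vulnerability report and Security Dashboard consume.
      dependency_scanning: $COMPONENT_DIR/gl-dependency-scanning-report.json
    paths:
      - $COMPONENT_DIR/gl-dependency-scanning-report.json
```

Each matrix instance uploads its own dependency_scanning report artifact, and GitLab merges the reports from all instances into the pipeline's security findings. If findings still do not appear on the dashboard, check that the job ran on the default branch and that the artifact is declared under artifacts:reports:dependency_scanning rather than only under artifacts:paths.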