Update DS template to v2 and enable Static Reachability
What does this MR do and why?
This MR migrates the dependency-scanning template from latest to the new v2 template.
This is done in order to dogfood our own new solutions. Currently the v2
template offers the latest DS analyzer version and exposes gl-dependency-scanning-report.json
as an artifact, unlike the latest template.
In this MR we also enable Static Reachability in order to enable smarter vulnerability prioritisation.
References
Rollout new analyzer and v2 template to gitlab-... (#554871)
Before
Pipeline in master branch
.
├── gems
│ ├── activerecord-gitlab
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── bundler-checksum
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── csv_builder
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-active-context
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-backup-cli
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-database-load_balancing
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-database-lock_retries
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-grape-openapi
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-housekeeper
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-http
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-rspec
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-rspec_flaky
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-safe_request_store
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-schema-validation
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-utils
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── ipynbdiff
│ │ └── gl-sbom-gem-bundler.cdx.json
│ └── mail-smtp_pool
│ └── gl-sbom-gem-bundler.cdx.json
├── gl-sbom-gem-bundler.cdx.json
├── gl-sbom-npm-yarn.cdx.json
├── gl-sbom-pypi-pipenv.cdx.json
├── qa
│ └── gl-sbom-gem-bundler.cdx.json
├── rubocop
│ └── docs-hugo
│ └── gl-sbom-go-go.cdx.json
└── workhorse
└── gl-sbom-go-go.cdx.json
On the root dir we have:
After
In order to get the dependency-scanning job triggered, I cherry-picked a commit from a maintenance dependency bump. More specifically, Update dependency gitaly to '~> 18.5.1' (!208185). (Edit: this change was reverted since it was used only for testing.)
If we compare the directory trees, the main difference is that after has a gl-dependency-scanning-report.json, which is expected.
.
├── gems
│ ├── activerecord-gitlab
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── bundler-checksum
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── csv_builder
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-active-context
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-backup-cli
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-database-load_balancing
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-database-lock_retries
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-grape-openapi
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-housekeeper
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-http
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-rspec
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-rspec_flaky
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-safe_request_store
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-schema-validation
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── gitlab-utils
│ │ └── gl-sbom-gem-bundler.cdx.json
│ ├── ipynbdiff
│ │ └── gl-sbom-gem-bundler.cdx.json
│ └── mail-smtp_pool
│ └── gl-sbom-gem-bundler.cdx.json
├── gl-dependency-scanning-report.json
├── gl-sbom-gem-bundler.cdx.json
├── gl-sbom-npm-yarn.cdx.json
├── gl-sbom-pypi-pipenv.cdx.json
├── qa
│ └── gl-sbom-gem-bundler.cdx.json
├── rubocop
│ └── docs-hugo
│ └── gl-sbom-go-go.cdx.json
└── workhorse
└── gl-sbom-go-go.cdx.json
22 directories, 24 files
A deeper comparison shows that all data are identical except the SBOM serial numbers, timestamps, analyzer versions and the cherry-picked gitaly package bump.
diff --color -r before after
diff --color -r before/gems/activerecord-gitlab/gl-sbom-gem-bundler.cdx.json after/gems/activerecord-gitlab/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:4b94aab6-e796-450f-aafd-1f676485ca11",
---
> "serialNumber": "urn:uuid:04f8831a-20fd-4d9c-a5b8-d8774b31851c",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:4b94aab6-e796-450f-aafd-1f676485ca11"
---
> "bom-ref": "urn:uuid:04f8831a-20fd-4d9c-a5b8-d8774b31851c"
529c529
< "ref": "urn:uuid:4b94aab6-e796-450f-aafd-1f676485ca11",
---
> "ref": "urn:uuid:04f8831a-20fd-4d9c-a5b8-d8774b31851c",
diff --color -r before/gems/bundler-checksum/gl-sbom-gem-bundler.cdx.json after/gems/bundler-checksum/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:a22011c6-dba2-4a4d-b50d-1843c495e4e5",
---
> "serialNumber": "urn:uuid:91a6517f-5437-4fff-81e3-7d1ee395bce4",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:a22011c6-dba2-4a4d-b50d-1843c495e4e5"
---
> "bom-ref": "urn:uuid:91a6517f-5437-4fff-81e3-7d1ee395bce4"
60c60
< "ref": "urn:uuid:a22011c6-dba2-4a4d-b50d-1843c495e4e5",
---
> "ref": "urn:uuid:91a6517f-5437-4fff-81e3-7d1ee395bce4",
diff --color -r before/gems/csv_builder/gl-sbom-gem-bundler.cdx.json after/gems/csv_builder/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:32ca7685-c545-43d0-88df-78fccfbeee38",
---
> "serialNumber": "urn:uuid:56c0620f-fd49-4d8d-aa3a-7f1644faff12",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:32ca7685-c545-43d0-88df-78fccfbeee38"
---
> "bom-ref": "urn:uuid:56c0620f-fd49-4d8d-aa3a-7f1644faff12"
432c432
< "ref": "urn:uuid:32ca7685-c545-43d0-88df-78fccfbeee38",
---
> "ref": "urn:uuid:56c0620f-fd49-4d8d-aa3a-7f1644faff12",
diff --color -r before/gems/gitlab-active-context/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-active-context/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:b1a5d9d9-b9d0-4617-a66b-7f13388e0a75",
---
> "serialNumber": "urn:uuid:7cc0f88c-1dd4-4b88-85af-dc043b65aabc",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:b1a5d9d9-b9d0-4617-a66b-7f13388e0a75"
---
> "bom-ref": "urn:uuid:7cc0f88c-1dd4-4b88-85af-dc043b65aabc"
1234c1234
< "ref": "urn:uuid:b1a5d9d9-b9d0-4617-a66b-7f13388e0a75",
---
> "ref": "urn:uuid:7cc0f88c-1dd4-4b88-85af-dc043b65aabc",
diff --color -r before/gems/gitlab-backup-cli/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-backup-cli/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:2632b3fa-0de2-4b70-a0b9-3f41e4804036",
---
> "serialNumber": "urn:uuid:d5bb1930-ec17-4664-86af-e61a926df9f2",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:2632b3fa-0de2-4b70-a0b9-3f41e4804036"
---
> "bom-ref": "urn:uuid:d5bb1930-ec17-4664-86af-e61a926df9f2"
849c849
< "ref": "urn:uuid:2632b3fa-0de2-4b70-a0b9-3f41e4804036",
---
> "ref": "urn:uuid:d5bb1930-ec17-4664-86af-e61a926df9f2",
diff --color -r before/gems/gitlab-database-load_balancing/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-database-load_balancing/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:f0f6aff0-8557-4936-9621-4713d6991d1d",
---
> "serialNumber": "urn:uuid:60dc7847-f3b4-4402-a557-b8858a7c12f5",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:f0f6aff0-8557-4936-9621-4713d6991d1d"
---
> "bom-ref": "urn:uuid:60dc7847-f3b4-4402-a557-b8858a7c12f5"
1354c1354
< "ref": "urn:uuid:f0f6aff0-8557-4936-9621-4713d6991d1d",
---
> "ref": "urn:uuid:60dc7847-f3b4-4402-a557-b8858a7c12f5",
diff --color -r before/gems/gitlab-database-lock_retries/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-database-lock_retries/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:78d52062-1a8e-4fa8-988a-e6da687db9ce",
---
> "serialNumber": "urn:uuid:51f3e6c1-fbb9-4806-9391-9f5ad4ab7419",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:78d52062-1a8e-4fa8-988a-e6da687db9ce"
---
> "bom-ref": "urn:uuid:51f3e6c1-fbb9-4806-9391-9f5ad4ab7419"
482c482
< "ref": "urn:uuid:78d52062-1a8e-4fa8-988a-e6da687db9ce",
---
> "ref": "urn:uuid:51f3e6c1-fbb9-4806-9391-9f5ad4ab7419",
diff --color -r before/gems/gitlab-grape-openapi/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-grape-openapi/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:11a2c24b-fe23-4b6b-b6fd-82f224900c44",
---
> "serialNumber": "urn:uuid:47fabf53-c839-4ff4-bc79-ee6b2626c491",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:11a2c24b-fe23-4b6b-b6fd-82f224900c44"
---
> "bom-ref": "urn:uuid:47fabf53-c839-4ff4-bc79-ee6b2626c491"
681c681
< "ref": "urn:uuid:11a2c24b-fe23-4b6b-b6fd-82f224900c44",
---
> "ref": "urn:uuid:47fabf53-c839-4ff4-bc79-ee6b2626c491",
diff --color -r before/gems/gitlab-housekeeper/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-housekeeper/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:7baf9730-4e93-4420-b957-926c489b6b32",
---
> "serialNumber": "urn:uuid:4b60d440-4c50-42fe-8eeb-6cc3cd2f6545",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:7baf9730-4e93-4420-b957-926c489b6b32"
---
> "bom-ref": "urn:uuid:4b60d440-4c50-42fe-8eeb-6cc3cd2f6545"
1041c1041
< "ref": "urn:uuid:7baf9730-4e93-4420-b957-926c489b6b32",
---
> "ref": "urn:uuid:4b60d440-4c50-42fe-8eeb-6cc3cd2f6545",
diff --color -r before/gems/gitlab-http/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-http/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:218ccd6f-4ae6-481d-a834-b4d953b0454c",
---
> "serialNumber": "urn:uuid:1a75f1d0-0a2e-47b8-aace-e920d60f1ef5",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:218ccd6f-4ae6-481d-a834-b4d953b0454c"
---
> "bom-ref": "urn:uuid:1a75f1d0-0a2e-47b8-aace-e920d60f1ef5"
917c917
< "ref": "urn:uuid:218ccd6f-4ae6-481d-a834-b4d953b0454c",
---
> "ref": "urn:uuid:1a75f1d0-0a2e-47b8-aace-e920d60f1ef5",
diff --color -r before/gems/gitlab-rspec/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-rspec/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:4ae9af67-f4e4-4a28-9bb6-18ddc6b8382e",
---
> "serialNumber": "urn:uuid:1401d8c9-8950-4c66-a9e1-990e411efa63",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:4ae9af67-f4e4-4a28-9bb6-18ddc6b8382e"
---
> "bom-ref": "urn:uuid:1401d8c9-8950-4c66-a9e1-990e411efa63"
798c798
< "ref": "urn:uuid:4ae9af67-f4e4-4a28-9bb6-18ddc6b8382e",
---
> "ref": "urn:uuid:1401d8c9-8950-4c66-a9e1-990e411efa63",
diff --color -r before/gems/gitlab-rspec_flaky/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-rspec_flaky/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:dd420beb-e33a-4d61-9a9a-ce51ce2fc7a8",
---
> "serialNumber": "urn:uuid:8bfd99f9-03f7-4a89-915a-0d90328377be",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:dd420beb-e33a-4d61-9a9a-ce51ce2fc7a8"
---
> "bom-ref": "urn:uuid:8bfd99f9-03f7-4a89-915a-0d90328377be"
638c638
< "ref": "urn:uuid:dd420beb-e33a-4d61-9a9a-ce51ce2fc7a8",
---
> "ref": "urn:uuid:8bfd99f9-03f7-4a89-915a-0d90328377be",
diff --color -r before/gems/gitlab-safe_request_store/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-safe_request_store/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:b40bdd69-31a7-4984-a259-b2f0a4497f41",
---
> "serialNumber": "urn:uuid:f1bcf611-a664-4ed8-9825-e92a423f8a5a",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:b40bdd69-31a7-4984-a259-b2f0a4497f41"
---
> "bom-ref": "urn:uuid:f1bcf611-a664-4ed8-9825-e92a423f8a5a"
452c452
< "ref": "urn:uuid:b40bdd69-31a7-4984-a259-b2f0a4497f41",
---
> "ref": "urn:uuid:f1bcf611-a664-4ed8-9825-e92a423f8a5a",
diff --color -r before/gems/gitlab-schema-validation/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-schema-validation/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:8ef89cf0-6eda-4bca-98c3-4cb14f7b1d3a",
---
> "serialNumber": "urn:uuid:bce0806b-83c2-45ac-b42b-bb0685222111",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:8ef89cf0-6eda-4bca-98c3-4cb14f7b1d3a"
---
> "bom-ref": "urn:uuid:bce0806b-83c2-45ac-b42b-bb0685222111"
648c648
< "ref": "urn:uuid:8ef89cf0-6eda-4bca-98c3-4cb14f7b1d3a",
---
> "ref": "urn:uuid:bce0806b-83c2-45ac-b42b-bb0685222111",
diff --color -r before/gems/gitlab-utils/gl-sbom-gem-bundler.cdx.json after/gems/gitlab-utils/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:e159472c-cbfc-47d5-b3d8-8b38db554016",
---
> "serialNumber": "urn:uuid:670adc92-f42b-4345-85cd-e8ddf3c704f6",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:e159472c-cbfc-47d5-b3d8-8b38db554016"
---
> "bom-ref": "urn:uuid:670adc92-f42b-4345-85cd-e8ddf3c704f6"
863c863
< "ref": "urn:uuid:e159472c-cbfc-47d5-b3d8-8b38db554016",
---
> "ref": "urn:uuid:670adc92-f42b-4345-85cd-e8ddf3c704f6",
diff --color -r before/gems/ipynbdiff/gl-sbom-gem-bundler.cdx.json after/gems/ipynbdiff/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:eb19ead3-9564-4a53-ba09-8103a5ddd9d2",
---
> "serialNumber": "urn:uuid:7ecbd8f4-128e-4567-9e8e-0e821d45a22c",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:eb19ead3-9564-4a53-ba09-8103a5ddd9d2"
---
> "bom-ref": "urn:uuid:7ecbd8f4-128e-4567-9e8e-0e821d45a22c"
630c630
< "ref": "urn:uuid:eb19ead3-9564-4a53-ba09-8103a5ddd9d2",
---
> "ref": "urn:uuid:7ecbd8f4-128e-4567-9e8e-0e821d45a22c",
diff --color -r before/gems/mail-smtp_pool/gl-sbom-gem-bundler.cdx.json after/gems/mail-smtp_pool/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:5a74fb39-bb96-4061-91d6-344d9743c075",
---
> "serialNumber": "urn:uuid:0607d8ef-935e-4f98-8439-9e70ce19d23c",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:5a74fb39-bb96-4061-91d6-344d9743c075"
---
> "bom-ref": "urn:uuid:0607d8ef-935e-4f98-8439-9e70ce19d23c"
234c234
< "ref": "urn:uuid:5a74fb39-bb96-4061-91d6-344d9743c075",
---
> "ref": "urn:uuid:0607d8ef-935e-4f98-8439-9e70ce19d23c",
Only in after: gl-dependency-scanning-report.json
diff --color -r before/gl-sbom-gem-bundler.cdx.json after/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:bfd8a4be-6b98-43b5-8fb8-3803b64e862e",
---
> "serialNumber": "urn:uuid:64ab8870-f40e-4c8e-9924-bba9994fb2c4",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:bfd8a4be-6b98-43b5-8fb8-3803b64e862e"
---
> "bom-ref": "urn:uuid:64ab8870-f40e-4c8e-9924-bba9994fb2c4"
1452,1453c1452,1453
< "version": "18.4.1",
< "purl": "pkg:gem/gitaly@18.4.1",
---
> "version": "18.5.1",
> "purl": "pkg:gem/gitaly@18.5.1",
1455c1455
< "bom-ref": "pkg:gem/gitaly@18.4.1"
---
> "bom-ref": "pkg:gem/gitaly@18.5.1"
5985c5985
< "ref": "pkg:gem/gitaly@18.4.1",
---
> "ref": "pkg:gem/gitaly@18.5.1",
8646c8646
< "ref": "urn:uuid:bfd8a4be-6b98-43b5-8fb8-3803b64e862e",
---
> "ref": "urn:uuid:64ab8870-f40e-4c8e-9924-bba9994fb2c4",
8743c8743
< "pkg:gem/gitaly@18.4.1",
---
> "pkg:gem/gitaly@18.5.1",
diff --color -r before/gl-sbom-npm-yarn.cdx.json after/gl-sbom-npm-yarn.cdx.json
4c4
< "serialNumber": "urn:uuid:6ad9eb55-388d-4fbf-b265-82a1d93fc454",
---
> "serialNumber": "urn:uuid:9ad725cb-8273-4ce8-a0f8-78b5ffb94029",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:6ad9eb55-388d-4fbf-b265-82a1d93fc454"
---
> "bom-ref": "urn:uuid:9ad725cb-8273-4ce8-a0f8-78b5ffb94029"
25097c25097
< "ref": "urn:uuid:6ad9eb55-388d-4fbf-b265-82a1d93fc454",
---
> "ref": "urn:uuid:9ad725cb-8273-4ce8-a0f8-78b5ffb94029",
diff --color -r before/gl-sbom-pypi-pipenv.cdx.json after/gl-sbom-pypi-pipenv.cdx.json
4c4
< "serialNumber": "urn:uuid:ef79301f-e349-4bab-aa85-2b18843a2b20",
---
> "serialNumber": "urn:uuid:eda6f796-033e-40c7-888e-e025cc3401df",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:ef79301f-e349-4bab-aa85-2b18843a2b20"
---
> "bom-ref": "urn:uuid:eda6f796-033e-40c7-888e-e025cc3401df"
diff --color -r before/qa/gl-sbom-gem-bundler.cdx.json after/qa/gl-sbom-gem-bundler.cdx.json
4c4
< "serialNumber": "urn:uuid:bca5cc01-cba9-42de-9bb6-ea26925e2a43",
---
> "serialNumber": "urn:uuid:a78ae9cb-e68d-46c4-bef6-c3059ac2ccfc",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:bca5cc01-cba9-42de-9bb6-ea26925e2a43"
---
> "bom-ref": "urn:uuid:a78ae9cb-e68d-46c4-bef6-c3059ac2ccfc"
1734c1734
< "ref": "urn:uuid:bca5cc01-cba9-42de-9bb6-ea26925e2a43",
---
> "ref": "urn:uuid:a78ae9cb-e68d-46c4-bef6-c3059ac2ccfc",
diff --color -r before/rubocop/docs-hugo/gl-sbom-go-go.cdx.json after/rubocop/docs-hugo/gl-sbom-go-go.cdx.json
4c4
< "serialNumber": "urn:uuid:134eb328-09f6-487e-bf7c-ab54d0e12f10",
---
> "serialNumber": "urn:uuid:4908e8e1-ad05-4dd9-8a38-3423756753e6",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:134eb328-09f6-487e-bf7c-ab54d0e12f10"
---
> "bom-ref": "urn:uuid:4908e8e1-ad05-4dd9-8a38-3423756753e6"
diff --color -r before/workhorse/gl-sbom-go-go.cdx.json after/workhorse/gl-sbom-go-go.cdx.json
4c4
< "serialNumber": "urn:uuid:cfbf400b-f953-464a-9381-269ae8577f07",
---
> "serialNumber": "urn:uuid:f4ebefb5-0ec9-4242-a8fe-7d5efbcf4038",
7c7
< "timestamp": "2025-10-22T06:46:54Z",
---
> "timestamp": "2025-10-22T08:55:04Z",
12c12
< "version": "0.44.2",
---
> "version": "1.1.1",
32c32
< "bom-ref": "urn:uuid:cfbf400b-f953-464a-9381-269ae8577f07"
---
> "bom-ref": "urn:uuid:f4ebefb5-0ec9-4242-a8fe-7d5efbcf4038"
1187c1187
< "ref": "urn:uuid:cfbf400b-f953-464a-9381-269ae8577f07",
---
> "ref": "urn:uuid:f4ebefb5-0ec9-4242-a8fe-7d5efbcf4038",
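The comparison above was done by eye over the raw diff output. A small script that performs the same metadata-insensitive check automatically, added here as an example rather than code from the MR or from the analyzer: it strips the per-run serial number, timestamp, tool version and root urn:uuid bom-ref, keys components by version-free purl, and reports added, removed and bumped packages plus dependency-graph changes, passing only when the remaining differences are explicitly allowed bumps (here the gitaly 18.4.1 to 18.5.1 bump). The embedded before/after SBOMs are constructed samples modelled on the gl-sbom-gem-bundler.cdx.json diff above; the tool name and the rails component are assumptions.

```python
"""Metadata-insensitive comparison of two CycloneDX SBOMs (added example)."""
import json

ROOT = "ROOT"  # stands in for the urn:uuid bom-ref of the scanned project itself


def strip_version(ref):
    """Map a bom-ref/purl to a version-free key.

    'pkg:gem/gitaly@18.4.1' -> 'pkg:gem/gitaly'; any urn:uuid ref (the root
    component, regenerated on every scan) -> ROOT.
    """
    if ref.startswith("urn:uuid:"):
        return ROOT
    return ref.split("@", 1)[0]


def volatile_fields(sbom):
    """The per-run fields that are expected to differ between two scans."""
    meta = sbom.get("metadata", {})
    return {
        "serialNumber": sbom.get("serialNumber"),
        "timestamp": meta.get("timestamp"),
        "tool_versions": [t.get("version") for t in meta.get("tools", [])],
    }


def normalize(sbom):
    """Reduce an SBOM to the content that should be stable across runs:
    component versions keyed by version-free purl, and the dependency graph
    with versions and the root uuid stripped from every ref."""
    components = {}
    for c in sbom.get("components", []):
        components[strip_version(c.get("purl") or c["name"])] = c.get("version")
    graph = {}
    for d in sbom.get("dependencies", []):
        graph[strip_version(d["ref"])] = sorted(strip_version(x) for x in d.get("dependsOn", []))
    return {"components": components, "dependencies": graph}


def compare_sboms(before, after, allowed_bumps=None):
    """Diff two SBOMs; 'ok' is True only when nothing but volatile metadata
    and explicitly allowed version bumps ({purl: (old, new)}) changed."""
    allowed_bumps = allowed_bumps or {}
    b, a = normalize(before), normalize(after)
    b_keys, a_keys = set(b["components"]), set(a["components"])
    bumped = {k: (b["components"][k], a["components"][k])
              for k in sorted(b_keys & a_keys)
              if b["components"][k] != a["components"][k]}
    unexpected = {k: v for k, v in bumped.items() if allowed_bumps.get(k) != v}
    graph_changed = b["dependencies"] != a["dependencies"]
    return {
        "metadata_before": volatile_fields(before),
        "metadata_after": volatile_fields(after),
        "added": sorted(a_keys - b_keys),
        "removed": sorted(b_keys - a_keys),
        "bumped": bumped,
        "unexpected_bumps": unexpected,
        "graph_changed": graph_changed,
        "ok": not (a_keys ^ b_keys or unexpected or graph_changed),
    }


def _sample(serial, timestamp, tool_version, gitaly_version):
    """Constructed SBOM modelled on the MR's gl-sbom-gem-bundler.cdx.json diff;
    the tool name and the rails component are assumptions."""
    gitaly = f"pkg:gem/gitaly@{gitaly_version}"
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "serialNumber": serial,
        "metadata": {
            "timestamp": timestamp,
            "tools": [{"vendor": "GitLab", "name": "dependency-scanning", "version": tool_version}],
            "component": {"type": "application", "name": "gitlab", "bom-ref": serial},
        },
        "components": [
            {"type": "library", "name": "gitaly", "version": gitaly_version,
             "purl": gitaly, "bom-ref": gitaly},
            {"type": "library", "name": "rails", "version": "7.1.5",
             "purl": "pkg:gem/rails@7.1.5", "bom-ref": "pkg:gem/rails@7.1.5"},
        ],
        "dependencies": [{"ref": serial, "dependsOn": [gitaly, "pkg:gem/rails@7.1.5"]}],
    }


BEFORE = _sample("urn:uuid:4b94aab6-e796-450f-aafd-1f676485ca11", "2025-10-22T06:46:54Z", "0.44.2", "18.4.1")
AFTER = _sample("urn:uuid:04f8831a-20fd-4d9c-a5b8-d8774b31851c", "2025-10-22T08:55:04Z", "1.1.1", "18.5.1")

if __name__ == "__main__":
    # Real use: load the two job artifacts with json.load() instead of the samples.
    print(json.dumps(compare_sboms(BEFORE, AFTER, {"pkg:gem/gitaly": ("18.4.1", "18.5.1")}), indent=2))
```

Run against the downloaded before/ and after/ artifact directories, the same check can loop over every *.cdx.json pair; a result with ok false, or a non-empty added/removed list, is the signal that a template or analyzer change altered what is actually reported rather than only the run metadata.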
In this job you can see the same files but with Static Reachability information.
Performance considerations: before SR 1m43s, with SR 1m58s. These numbers though might not show the whole truth about SR performance. Looking into the observability data we see that SR added a total of 22sec to the execution time of the dependency-scanning job.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.