Feature Proposal: Add GitLab Repository Metadata Analyzer #5305

ahmadalfy · 2025-09-16T19:05:20Z

ahmadalfy
Sep 16, 2025

I’d like to propose a new feature: adding support for GitLab repositories in Dependency-Track, similar to the existing GithubMetaAnalyzer.

Many organizations (ours included) host their code and internal packages on GitLab rather than GitHub.
Currently, Dependency-Track can enrich GitHub components with metadata (latest release, commit information, published timestamps), but GitLab components are treated as generic sources without metadata analysis.
Adding GitLab support would provide parity between the two platforms and extend Dependency-Track’s usefulness for enterprises using GitLab.

Introduce a new GitlabMetaAnalyzer that:

Detects pkg:gitlab/... package URLs (similar to how GithubMetaAnalyzer detects pkg:github/...).
Connects to GitLab’s REST API ([GitLab API](https://docs.gitlab.com/api/)).
Determines whether the version in the pURL corresponds to:
- A release tag (/projects/:id/releases)
- A commit SHA (/projects/:id/repository/commits/:sha)
Retrieves metadata:
- Latest release version (GET /projects/:id/releases/latest)
- Commit or release publish date
- Default branch and latest commit

Create GitlabMetaAnalyzer extending AbstractMetaAnalyzer.
Add repository type constant: RepositoryType.GITLAB.
Implement authentication options:
- Anonymous (for public GitLab.com repos)
- Private token / OAuth (for private/self-hosted instances)
Mirror the structure of GithubMetaAnalyzer:
- isApplicable(Component) → checks for PackageURL.StandardTypes.GITLAB
- supportedRepositoryType() → returns RepositoryType.GITLAB
- get_version_type(...) → distinguish release vs commit
- analyze(Component) → fetch metadata via GitLab API

I’d be happy to draft an initial PR or collaborate on design if the team agrees this would be a valuable addition.