No dependencies for a dependency file that is not affected
Summary
The Gemnasium-based analyzers don't generate a dependency list for a dependency file in which no dependency is affected by a vulnerability, so that file's dependencies are missing from the Dependency Scanning report.
The bug is currently visible in the context of gitlab-ee. This project has a Gemfile.lock and a yarn.lock, but the dependency list only contains npm packages, no Ruby gems. That's because Gemnasium finds a vulnerability in one of the npm packages the project depends on, but none in the Ruby gems.
The bug originates in the gemnasium analyzer, which builds a list of affected sources to be later converted to a Dependency Scanning report; sources with no affected dependencies are filtered out before the conversion, so their dependencies never reach the report. This also affects gemnasium-python and gemnasium-maven, which depend on gemnasium.
Steps to reproduce
- Create a project with a supported dependency file but no affected dependency
- Set up Dependency Scanning in the CI configuration file
- Go to Project > Dependency List
- There are no dependencies at all.
Example Project
Currently the issue is visible on GitLab EE:
https://gitlab.com/gitlab-org/gitlab-ee/dependencies
What is the current bug behavior?
The Ruby gems are not in the Dependency List.
What is the expected correct behavior?
The Ruby gems should be in the list.
Possible fixes
Remove the check that excludes the sources with no affected dependencies, publish a new version of gemnasium, then update the gemnasium dependency in both gemnasium-python and gemnasium-maven.
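The following is an added illustration of the fix, not gemnasium's own code: the types are a simplified, hypothetical model of a scanned source and of a report entry, and the package names in the sample input are constructed. It places the current filtering (a source with no affected dependencies is skipped) next to the proposed behaviour (every scanned source is converted), using a Gemfile.lock with no findings and a yarn.lock with one affected package as input.

```go
package main

import "fmt"

// Dependency is one package pinned by a lock file.
type Dependency struct {
	Name    string
	Version string
}

// Source is one scanned dependency file plus the dependencies that matched
// an advisory. Hypothetical stand-in for the analyzer's internal type.
type Source struct {
	File           string
	PackageManager string
	Dependencies   []Dependency
	Affected       []Dependency // dependencies with at least one vulnerability
}

// ReportFile is one dependency-file entry of a Dependency Scanning report.
type ReportFile struct {
	Path           string
	PackageManager string
	Dependencies   []Dependency
}

func toReportFile(s Source) ReportFile {
	return ReportFile{Path: s.File, PackageManager: s.PackageManager, Dependencies: s.Dependencies}
}

// buggyDependencyFiles mirrors the behaviour described in the issue: a source
// without affected dependencies is skipped, so its dependencies never reach
// the report's dependency list.
func buggyDependencyFiles(sources []Source) []ReportFile {
	var out []ReportFile
	for _, s := range sources {
		if len(s.Affected) == 0 {
			continue // the check the issue proposes to remove
		}
		out = append(out, toReportFile(s))
	}
	return out
}

// fixedDependencyFiles converts every scanned source regardless of findings;
// the vulnerabilities themselves are reported separately from the list.
func fixedDependencyFiles(sources []Source) []ReportFile {
	out := make([]ReportFile, 0, len(sources))
	for _, s := range sources {
		out = append(out, toReportFile(s))
	}
	return out
}

// totalDependencies counts the dependencies listed across all report files.
func totalDependencies(files []ReportFile) int {
	n := 0
	for _, f := range files {
		n += len(f.Dependencies)
	}
	return n
}

// sampleSources is constructed input (made-up package names): a Gemfile.lock
// with no findings and a yarn.lock where one package is affected.
func sampleSources() []Source {
	gems := []Dependency{{"gem-a", "1.0.0"}, {"gem-b", "2.3.1"}}
	npm := []Dependency{{"npm-a", "0.9.0"}, {"npm-b", "4.1.2"}, {"npm-c", "1.1.0"}}
	return []Source{
		{File: "Gemfile.lock", PackageManager: "bundler", Dependencies: gems},
		{File: "yarn.lock", PackageManager: "yarn", Dependencies: npm, Affected: []Dependency{npm[1]}},
	}
}

func main() {
	src := sampleSources()
	buggy := buggyDependencyFiles(src)
	fixed := fixedDependencyFiles(src)
	fmt.Printf("buggy: %d files, %d dependencies\n", len(buggy), totalDependencies(buggy))
	fmt.Printf("fixed: %d files, %d dependencies\n", len(fixed), totalDependencies(fixed))
}
```

With this input the current behaviour yields one file (yarn.lock, 3 dependencies) while the fixed conversion yields both files (5 dependencies), which is exactly the Gemfile.lock gap seen in the example project's Dependency List.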