Dependency Scanning with DinD "true" - Job succeeds but report fails
Summary
When working with a customer, we discovered that turning off DinD for Dependency Scanning resulted in a passed pipeline but no gl-sast-report.json file. In the log file you will see:
Uploading artifacts... WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
Job succeeded
Steps to reproduce
I have been working with @ifrenkel, @theoretick and @gonzoyumo on this issue on Tue Dec 3, 2019. See my example/test project below and refer to MR !1 (closed) and Pipeline #100341020 and the log for job "gemnasium-maven-dependency_scanning".
Example Project
This is the test project - https://gitlab.com/mark.cesario/testing/test-removing-dind.
Note: This is a Private project. Let me know who needs access and I will add them as members.
What is the current bug behavior?
DS job succeeds but the artifact fails and it never shows up in the MR.
What is the expected correct behavior?
I would expect the report would not fail and I would see the DS results in MR. Note, I see "Dependency scanning: Loading resulted in an error" in the MR. This doesn't seem like a reasonable error message.
I would either like to see the DS report or an error message stating the job passed but the report failed for "x" reason.
Relevant logs and/or screenshots
Please see my test projects and MR !1.
Output of checks
This bug happens on GitLab.com.
Results of GitLab environment info
This happens on gitlab.com
Results of GitLab application Check
This happens on gitlab.com