Retire analyzer fails with no explanation (Dependency Scanning)
Release notes
Probably not relevant.
Problem to solve
In some cases the Retire.js analyzer (Dependency Scanning) fails with no explanation even though the log level is set to debug. Users need a clear error message so that they can fix the scanning job or the Node.js project being scanned.
Right now a workaround is to add the following to the project's CI config so that the scanning job also executes retire.js in verbose mode after the normal scan:
retire-js-dependency_scanning:
  after_script:
    - retire --verbose
Intended users
User experience goal
Proposal
Run retire --verbose when retire --outputformat jsonsimple (the default command) fails, in order to get detailed error messages.
Further details
In some cases the retire command shows no error when the JSON output is requested. Here's a log shared by @sabinecarpenter:
[DEBU] [Retire.js] [2021-06-24T14:46:32Z] ▶ /usr/local/bin/retire --outputformat jsonsimple --outputpath retire.json --exitwith 0
exit status 1
Uploading artifacts for failed job
Please note that SECURE_LOG_LEVEL was set to debug, hence the [DEBU] message.
We suspect that retire --verbose (no JSON output) would provide more information on why the scan fails.
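The fallback the proposal describes, as an added shell example rather than the analyzer's own code: the default JSON command is run first and, only when it fails, retire is rerun with --verbose so the reason lands in the job log, while the original exit status is preserved so the job still fails. The retire binary is passed in as a parameter (assumption, so it can be substituted for testing).

```shell
#!/bin/sh
# Added example (not the analyzer's code): wrap the retire invocation so that a
# failure of the default JSON command triggers a verbose rerun for diagnostics.

run_retire_with_fallback() {
  retire_bin=$1               # path to retire, e.g. /usr/local/bin/retire (assumed)
  outpath=${2:-retire.json}   # report path used by the default command in the log

  # Default command from the job log: JSON report, exit code forced to 0 on findings.
  "$retire_bin" --outputformat jsonsimple --outputpath "$outpath" --exitwith 0 && return 0
  status=$?

  # JSON mode gives no hint of what went wrong (e.g. a broken npm or yarn
  # project); rerun verbosely so the actual error appears in the job log.
  echo "[WARN] retire exited with status $status; rerunning with --verbose" >&2
  "$retire_bin" --verbose >&2 || true

  # Keep the original failure status so the scanning job is still marked failed.
  return "$status"
}
```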
Permissions and Security
No change
Documentation
No change
Availability & Testing
To be tested using an integration test of the analyzer image that checks for a specific error message when scanning a broken npm or yarn project, proving that retire --verbose is executed as a fallback to collect errors.
Available Tier
What does success look like, and how can we measure that?
Users can learn why the retire command has failed by reading the log of the retire-js-dependency_scanning job. They can then search for existing issues matching the error message or create a new issue with the relevant details.
What is the type of buyer?
Is this a cross-stage feature?
No