Dependencies API cannot filter out Go, NuGet, or Sbt dependencies
Summary
When listing project dependencies using the Dependencies API, passing any of these values in the package_manager parameter results in an error:
- go
- nuget
- sbt
This is because the endpoint validates that package_manager only contains values listed in DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES, and these three values are missing from that list, so parameter validation fails.
See DependencyListService and Dependencies API.
A workaround is to list dependencies without the package_manager parameter and filter them on the client side using the package_manager field of each dependency.
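The following is an added example, not code from the issue or from GitLab itself. It models the failure described above with a hypothetical allowed list (the real contents of FILTER_PACKAGE_MANAGERS_VALUES are not reproduced, only the reported property that go, nuget and sbt are absent) and implements the client-side workaround over a constructed sample of the response body. The field names name, version and package_manager in the sample are assumed from the issue text.

```ruby
require 'json'

# Constructed sample of a Dependencies API response body. Assumption: each entry
# carries "name", "version" and "package_manager" fields, as the issue describes.
SAMPLE_RESPONSE = <<~JSON
  [
    {"name": "org.scala-lang:scala-library", "version": "2.13.6", "package_manager": "sbt"},
    {"name": "github.com/pkg/errors",        "version": "0.9.1",  "package_manager": "go"},
    {"name": "Newtonsoft.Json",              "version": "13.0.1", "package_manager": "nuget"},
    {"name": "rails",                        "version": "6.1.4",  "package_manager": "bundler"}
  ]
JSON

# Hypothetical allowed list standing in for FILTER_PACKAGE_MANAGERS_VALUES. The
# real constant's contents are not reproduced here, only the property the issue
# reports: go, nuget and sbt are absent.
ALLOWED_PACKAGE_MANAGERS = %w[bundler yarn npm maven composer pip pipenv gradle].freeze

# Reduced model of the server-side parameter check: any requested value outside
# the allowed list makes the whole request fail with the error shown in the issue.
def validate_package_manager(requested, allowed = ALLOWED_PACKAGE_MANAGERS)
  rejected = Array(requested).map(&:to_s) - allowed
  return nil if rejected.empty?

  { 'error' => 'package_manager does not have a valid value' }
end

# Client-side workaround: fetch the dependency list without the package_manager
# param, then keep only the entries whose package_manager is in the wanted list
# (the selection the parameter performs for values it accepts).
def filter_by_package_manager(body, wanted)
  wanted_set = Array(wanted).map { |m| m.to_s.downcase }
  JSON.parse(body).select do |dep|
    wanted_set.include?(dep['package_manager'].to_s.downcase)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Server side: sbt is rejected outright, bundler passes.
  puts validate_package_manager(%w[sbt]).inspect
  puts validate_package_manager(%w[bundler]).inspect
  # Client side: the same selection done locally works for every value.
  filter_by_package_manager(SAMPLE_RESPONSE, %w[go sbt]).each do |dep|
    puts "#{dep['package_manager']}: #{dep['name']} #{dep['version']}"
  end
end
```

Note that the server-side check rejects the whole request as soon as one unknown value is present, so mixing an accepted value with go, nuget or sbt in the same call still fails; the client-side filter has no such restriction.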
Original comment is #338252 (comment 655979215)
Steps to reproduce
- Create a test project that uses sbt, Go or NuGet
- Enable Dependency Scanning
- List dependencies using the Dependencies API, passing any of the aforementioned values in the package_manager param
Example Project
https://gitlab.com/gitlab-org/security-products/tests/scala-sbt-multiproject/
What is the current bug behavior?
The API returns a validation error:
{
"error": "package_manager does not have a valid value"
}
What is the expected correct behavior?
The API accepts these values and filters the dependency list by the package_manager param, as it does for the other package managers.
Possible fixes
Add the missing values to FILTER_PACKAGE_MANAGERS_VALUES in dependency_list_service.rb.
Alternatively, the API endpoint could drop the check on package_manager altogether, for ease of maintenance; the trade-off is that an unknown or misspelled value would then silently return an empty list instead of a validation error.
Implementation plan
- Add the missing values to FILTER_PACKAGE_MANAGERS_VALUES