Dependency Scanning incorrectly handles nested dependencies in Gradle project
Summary
A customer reported that for one of their projects the log4j-core vulnerability was not detected. It appears that the package itself is not detected as part of the dependency tree, whereas running `gradlew dependencies` shows it.
Extract from `./gradlew dependencies`:

```
runtimeClasspath - Runtime classpath of source set 'main'.
<snip>
+--- org.apache.logging.log4j:log4j-api:2.13.2
+--- org.apache.logging.log4j:log4j-slf4j-impl:2.13.2
|    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
|    +--- org.apache.logging.log4j:log4j-api:2.13.2
|    \--- org.apache.logging.log4j:log4j-core:2.13.2
|         \--- org.apache.logging.log4j:log4j-api:2.13.2
```
Steps to reproduce
Example Project
Implementation Plan
- Change the gemnasium-gradle-plugin to remove all filtering and instead output dependencies for all scopes. See this MR for a starting point.
- Publish a new version of the gemnasium-gradle-plugin with the above changes. https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-gradle-plugin/-/jobs/2202996136
- Update gemnasium to use the new version of the gemnasium-gradle-plugin published in step 2 above:
  - https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/22260f65066edff59f072c7c6ae6c43ba578320d/utils/gradle-plugin-builder/build.gradle#L5
  - https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/blob/22260f65066edff59f072c7c6ae6c43ba578320d/gemnasium-gradle-plugin-init.gradle#L8
- Update gemnasium to remove duplicates from the gradle-dependencies.json file generated by the gemnasium-gradle-plugin.
- Add unit tests to gemnasium for the above behaviour.
- Add image integration tests to gemnasium to ensure dependencies for `compile` and `implementation` directives are the same, and that nested dependencies are present. This build.gradle file can be used for a test project with nested dependencies using the `compile` directive, and this build.gradle can be used for a test project with nested dependencies using the `implementation` directive.
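Added example, not code from the issue or from gemnasium: a small Python parser for the `gradlew dependencies` tree format quoted in the summary that flattens every node, deduplicates repeated coordinates (the gradle-dependencies.json step of the plan) and lists the packages reachable only transitively, which is where log4j-core sat in the customer's project. The sample tree is constructed from the extract above; the function names are my own.

```python
import re
from typing import NamedTuple

class Dependency(NamedTuple):
    group: str
    name: str
    version: str  # resolved version (right-hand side of "->" when Gradle prints one)
    depth: int    # 0 = declared directly in the configuration, >0 = transitive

# One node per line: each nesting level is five columns ("|    " or "     "),
# then "+--- " or "\--- ", then group:name[:requested][ -> resolved][ (*)|(c)|(n)].
NODE_RE = re.compile(
    r"^(?P<prefix>(?:[| ]    )*)[+\\]--- "
    r"(?P<group>[^:\s]+):(?P<name>[^:\s]+)(?::(?P<requested>\S+))?"
    r"(?: -> (?P<resolved>\S+))?(?: \([*cn]\))?\s*$"
)

def parse_dependency_tree(text: str) -> list[Dependency]:
    """Flatten `gradlew dependencies` output into one entry per tree node."""
    deps = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:  # configuration headers, "<snip>" and blank lines do not match
            version = m["resolved"] or m["requested"] or ""
            deps.append(Dependency(m["group"], m["name"], version, len(m["prefix"]) // 5))
    return deps

def unique_coordinates(deps: list[Dependency]) -> set[tuple[str, str, str]]:
    """Deduplicate repeated nodes (the plan's gradle-dependencies.json clean-up)."""
    return {(d.group, d.name, d.version) for d in deps}

def nested_only(deps: list[Dependency]) -> set[tuple[str, str, str]]:
    """Coordinates reachable only transitively; a top-level-only scan misses them."""
    direct = {(d.group, d.name, d.version) for d in deps if d.depth == 0}
    return unique_coordinates(deps) - direct

# Constructed sample: the runtimeClasspath extract from the issue, indentation restored.
GRADLE_TREE = r"""runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.logging.log4j:log4j-api:2.13.2
+--- org.apache.logging.log4j:log4j-slf4j-impl:2.13.2
|    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
|    +--- org.apache.logging.log4j:log4j-api:2.13.2
|    \--- org.apache.logging.log4j:log4j-core:2.13.2
|         \--- org.apache.logging.log4j:log4j-api:2.13.2
"""

if __name__ == "__main__":
    deps = parse_dependency_tree(GRADLE_TREE)
    for coord in sorted(nested_only(deps)):
        print("transitive only:", ":".join(coord))
```

Run against the full `./gradlew dependencies` output of a project to compare the flattened set with what the scanner reports; any coordinate in `nested_only` that is missing from the scan result is exactly the class of gap this issue describes.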