gemnasium-maven v2.27.3 fails with StackOverflowError (Gradle)
Summary
When scanning specific Gradle projects, the gemnasiumDumpDependencies Gradle task of the gemnasium-maven analyzer fails with a java.lang.StackOverflowError exception.
This regression was introduced in gemnasium-maven v2.27.3 when solving Dependency Scanning incorrectly handles nested ... (#348716 - closed). This version was deployed on Mar 17, 2022 8:09am GMT+0100 via https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/jobs/2214262640.
gemnasium-maven v2.27.3 uses gemnasium-gradle-plugin v1.0.0, which is responsible for the exception. See gitlab-org/security-products/analyzers/gemnasium-gradle-plugin!19 (merged)
Workaround
Revert to gemnasium-maven v2.27.2 by forcing DS_MAJOR_VERSION or DS_ANALYZER_IMAGE in the definition of the scanning job. To do so, add the following snippet to your CI configuration file:
```yaml
gemnasium-maven-dependency_scanning:
  variables:
    DS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2.27.2"
```
Warning! You will no longer benefit from updates. See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#i-no-longer-get-the-latest-docker-image-after-setting-ds_major_version-or-ds_analyzer_image
Steps to reproduce
At this time we don't know what triggers this bug.
Example Project
What is the current bug behavior?
The gemnasiumDumpDependencies Gradle task fails, making the gemnasium-maven-dependency_scanning CI job fail.
What is the expected correct behavior?
Scan is successful.
Relevant logs and/or screenshots
```
Starting a Gradle Daemon (subsequent builds will be faster)
> Task :gemnasiumDumpDependencies
> Task :gemnasiumDumpDependencies FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':gemnasiumDumpDependencies'.
> java.lang.StackOverflowError (no error message)
```