gemnasium-maven v2.27.3 fails with StackOverflowError (Gradle)
When scanning specific Gradle projects, the gemnasiumDumpDependencies Gradle task of the gemnasium-maven analyzer fails with a java.lang.StackOverflowError.
This regression was introduced in gemnasium-maven v2.27.3 when solving "Dependency Scanning incorrectly handles nested ..." (#348716 - closed). This version was deployed on Mar 17, 2022 8:09am GMT+0100 via https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/-/jobs/2214262640.
gemnasium-maven v2.27.3 uses gemnasium-gradle-plugin v1.0.0, which is responsible for the exception. See gitlab-org/security-products/analyzers/gemnasium-gradle-plugin!19 (merged).
Revert to gemnasium-maven v2.27.2 by forcing DS_ANALYZER_IMAGE in the definition of the scanning job. To do so, add the following snippet to your CI configuration file:

gemnasium-maven-dependency_scanning:
  variables:
    DS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2.27.2"
Warning! You will no longer benefit from updates. See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#i-no-longer-get-the-latest-docker-image-after-setting-ds_major_version-or-ds_analyzer_image
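To show where the override sits in a complete pipeline definition, here is an added example of a minimal .gitlab-ci.yml that includes the standard Dependency Scanning template and pins the analyzer image as described above. This is illustrative configuration written for this issue, not a file from the gemnasium-maven project; the template path Security/Dependency-Scanning.gitlab-ci.yml is the standard GitLab template, and the stages shown are assumed.

```yaml
# Added example: pin the gemnasium-maven analyzer to v2.27.2 as a temporary workaround.
# Everything except the job name, variable name and image tag quoted in this issue is assumed.

stages:
  - build
  - test

include:
  # Standard GitLab template that defines the *-dependency_scanning jobs,
  # including gemnasium-maven-dependency_scanning for Maven/Gradle projects.
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# Override only the variables of the affected job; the rest of the job definition
# (image, script, artifacts, rules) still comes from the included template.
gemnasium-maven-dependency_scanning:
  variables:
    # Pinning to a fixed tag stops the analyzer from following the 2.x line,
    # so this pin must be removed once a fixed release is available.
    DS_ANALYZER_IMAGE: "registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2.27.2"
```

Because the template's job is merged with the local override by job name, only the `variables` key needs to be repeated; any other keys added here would replace the template's values for this job rather than extend them.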
Steps to reproduce
At this time we don't know what triggers this bug.
What is the current bug behavior?
The gemnasiumDumpDependencies Gradle task fails, making the gemnasium-maven-dependency_scanning CI job fail.
What is the expected correct behavior?
The scan is successful.
Relevant logs and/or screenshots
Starting a Gradle Daemon (subsequent builds will be faster)
> Task :gemnasiumDumpDependencies
> Task :gemnasiumDumpDependencies FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':gemnasiumDumpDependencies'.
> java.lang.StackOverflowError (no error message)