Dependency List is empty when a pipeline runs with other security scans but not DS
Summary
The dependency list is empty on the GitLab project. The bug is identified as coming from the logic that defines which pipeline to fetch the dependency report from. Currently this is a shared logic that "fetches the latest pipeline with {any} security reports". In the GitLab project, due to highly customized rules, it happens that SAST jobs run in some pipelines where the Dependency Scanning one doesn't. As a result, the dependency list is empty, as there is no DS report available in that pipeline.
Steps to reproduce
- Configure a project with DS and at least one other security feature.
- Run a pipeline with DS jobs => the dependency list is filled
- Run a pipeline with the other security job but not DS => the dependency list is empty
Example Project
https://gitlab.com/gitlab-org/gitlab
What is the current bug behavior?
- The dependency list is empty because it looks for data in the latest pipeline with ANY security report
What is the expected correct behavior?
- The dependency list fetches data from the latest pipeline with Dependency Scanning report
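To make the difference between the two selection rules concrete, here is a small added Ruby sketch (not GitLab's own code) run over a constructed two-pipeline history: the newer pipeline carries only a SAST report, the older one carries the DS report. `Pipeline`, the helper names and the sample data are all assumptions.

```ruby
# Constructed stand-in for a pipeline record: its id, the security report
# types its jobs produced, and the dependencies parsed from its DS report.
Pipeline = Struct.new(:id, :report_types, :dependencies)

# Constructed sample history (assumption, not real project data).
PIPELINES = [
  Pipeline.new(101, %i[sast dependency_scanning],
               [{ name: "rails", version: "6.1.4" }]),
  Pipeline.new(102, %i[sast], []) # custom rules skipped the DS job here
].freeze

SECURITY_REPORT_TYPES = %i[sast dependency_scanning container_scanning].freeze

# Current (buggy) shared logic: newest pipeline carrying ANY security report.
def latest_pipeline_with_any_security_report(pipelines)
  pipelines.select { |p| (p.report_types & SECURITY_REPORT_TYPES).any? }.max_by(&:id)
end

# Expected logic: newest pipeline that actually carries the requested report.
def latest_pipeline_with_report(pipelines, report_type)
  pipelines.select { |p| p.report_types.include?(report_type) }.max_by(&:id)
end

# The dependency list is whatever the chosen pipeline's DS report contains;
# a pipeline without a DS report yields an empty list.
def dependency_list(pipeline)
  pipeline ? pipeline.dependencies : []
end

def buggy_dependency_list(pipelines = PIPELINES)
  dependency_list(latest_pipeline_with_any_security_report(pipelines))
end

def fixed_dependency_list(pipelines = PIPELINES)
  dependency_list(latest_pipeline_with_report(pipelines, :dependency_scanning))
end

puts "buggy: #{buggy_dependency_list.inspect}" # picks pipeline 102 -> []
puts "fixed: #{fixed_dependency_list.inspect}" # picks pipeline 101 -> rails
```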