Gemnasium reports fail schema validation when the dependency_files field does not exist
Summary
The gitlab.com/gitlab-org/security-products/analyzers/report/v3 Go module before v3.15.4 did not generate reports that passed the security report v14 schema validation. This causes ingested reports to error out when no dependency files have been found.
Steps to reproduce
- Run dependency scanning on a project that does not include a parseable lock file, for example a Ruby project with a Gemfile but no Gemfile.lock.
- Verify that the security tab reports that the dependency_files field is required but was not provided.
What is the current bug behavior?
The schema validation fails when no scannable dependency files (e.g. Gemfile.lock) are found, because the report omits the dependency_files field entirely.
What is the expected correct behavior?
The report should output an empty array or null value for dependency_files when no dependency files are found, so that the report still passes schema validation.
Workaround
The workaround is to add a before_script to the analyzer job that removes the dependency manifest (e.g. Gemfile) if the associated lock file does not exist in the project, so the analyzer finds nothing to parse and emits no broken entry. Alternatively, the script can generate the missing lock file instead.
Option A (remove the manifest only when its lock file is missing):
gemnasium_dependency_scanning:
  before_script:
    # Only drop the Gemfile when no Gemfile.lock exists to pair it with.
    - 'test -f "${CI_PROJECT_DIR}/Gemfile.lock" || rm -v "${CI_PROJECT_DIR}/Gemfile"'
Option B (generate the lock file before the scan runs):
gemnasium_dependency_scanning:
  before_script:
    - "..." # Install the required package manager, e.g. bundler
    # bundle lock expects file paths, not a directory, for --gemfile and --lockfile.
    - 'bundle lock --gemfile="${CI_PROJECT_DIR}/Gemfile" --lockfile="${CI_PROJECT_DIR}/Gemfile.lock"'
The workarounds above do not cover vendored dependencies.
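A generalised form of Option A, added here as an example and not part of the issue or the analyzer's own code: a POSIX shell helper for a before_script that removes a manifest only when its paired lock file is absent, so the analyzer never emits a report without dependency_files. The manifest:lockfile pair list is an assumption; only Gemfile:Gemfile.lock is taken from the issue.

```shell
# prune_unlocked_manifests PROJECT_DIR [PAIRS]
#   PAIRS is a space-separated list of manifest:lockfile names (assumed
#   format); it defaults to the Ruby pair described in the issue.
# Prints the number of manifests removed and always returns 0 so the
# CI job continues to the scan step.
prune_unlocked_manifests() {
  project_dir="$1"
  pairs="${2:-Gemfile:Gemfile.lock}"
  removed=0
  for pair in $pairs; do
    manifest="${project_dir}/${pair%%:*}"   # text before the colon
    lockfile="${project_dir}/${pair#*:}"    # text after the colon
    if [ -f "$manifest" ] && [ ! -f "$lockfile" ]; then
      # No lock file to parse: drop the manifest so the analyzer skips it
      # instead of producing a report that fails schema validation.
      echo "no ${lockfile##*/} next to ${manifest##*/}; removing manifest" >&2
      rm -f -- "$manifest"
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
  return 0
}

# Stand-alone usage: prune_unlocked_manifests "$CI_PROJECT_DIR"
if [ "$#" -gt 0 ]; then
  prune_unlocked_manifests "$@"
fi
```

Call it from before_script as `prune_unlocked_manifests "${CI_PROJECT_DIR}"`; pass a second argument to cover other manifest/lock pairs your project uses.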
Fix
Upgrade Gemnasium to a release that uses v3.15.5 or later of gitlab.com/gitlab-org/security-products/analyzers/report/v3.