gemnasium python error since 3.10.8 - pipdeptree.json invalid character '/'
Summary
Customer sees an error in all versions since 3.10.8 (3.10.8, 3.10.9, 3.11):
[FATA] [gemnasium-python] [2022-12-14T12:18:21Z] [/go/src/app/cmd/gemnasium-python/main.go:59] ▶ scanning file /tmp/app/app/pipdeptree.json: finding package affections for file /tmp/app/app/pipdeptree.json: resolving queries: invalid character '/' looking for beginning of value
Customer has pinned the analyzer version to 3.10.7 as a workaround.
Looking at the CHANGELOG between v3.10.7 and v3.10.8, there is only one MR listed: gitlab-org/security-products/analyzers/gemnasium!447 (merged)
According to the log files, when Gemnasium runs the following command
/usr/local/bin/pipenv run /vrange/python/rangecheck.py /tmp/vrange_queries1928229975
a warning is printed to the output before the range-query result:
/tmp/.local/lib/python3.9/site-packages/pkg_resources/__init__.py:123: PkgResourcesDeprecationWarning: 1.2b3.0 is an invalid version and will not be supported in a future release warnings.warn( [
This warning, which starts with /, is captured in the out variable along with the JSON result. When we try to parse out as JSON we get the error: invalid character '/' looking for beginning of value
According to the log file, the packaging dependency is installed at version 21.3, while the version we currently install/vendor in the gemnasium-python image is 19.2. This bug can be fixed by updating our Pipfile.lock to include the latest version. We should also add a test in vrange_test.py to ensure we don't regress on this edge case.
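To make the failure mode concrete, here is an added Go example (not the analyzer's code; the rangecheck output, field names and the `query`/`affected` JSON shape are constructed for illustration). `parseStrict` reproduces the error above when a deprecation warning precedes the JSON payload, and `parseLenient` shows one defensive way to separate diagnostic noise from the payload: skip leading non-JSON lines, decode from the first line that begins a JSON value, reject anything trailing the value, and hand the skipped lines back so they can be logged rather than silently dropped. The real fix in this issue is pinning the packaging version; the parser change is only a belt-and-braces measure.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Constructed sample of captured output: a pkg_resources deprecation warning
// (two lines, as Python prints it) followed by the JSON array the range
// checker is expected to emit. The JSON shape is an assumption for this example.
var sampleOut = []byte("/tmp/.local/lib/python3.9/site-packages/pkg_resources/__init__.py:123: " +
	"PkgResourcesDeprecationWarning: 1.2b3.0 is an invalid version and will not be supported in a future release\n" +
	"  warnings.warn(\n" +
	`[{"query":"q1","affected":true},{"query":"q2","affected":false}]` + "\n")

// rangeResult is a hypothetical result record for one version-range query.
type rangeResult struct {
	Query    string `json:"query"`
	Affected bool   `json:"affected"`
}

// parseStrict mirrors the failing behaviour: it assumes out contains nothing
// but the JSON value, so any leading text (here a path starting with '/')
// yields "invalid character '/' looking for beginning of value".
func parseStrict(out []byte) ([]rangeResult, error) {
	var res []rangeResult
	if err := json.Unmarshal(out, &res); err != nil {
		return nil, err
	}
	return res, nil
}

// parseLenient skips leading lines that cannot start a JSON value, decodes the
// first value it finds, and fails if anything other than whitespace follows it.
// The skipped lines are returned so the caller can log them as diagnostics.
func parseLenient(out []byte) ([]rangeResult, []string, error) {
	var skipped []string
	lines := bytes.Split(out, []byte("\n"))
	for i, line := range lines {
		trimmed := bytes.TrimSpace(line)
		if len(trimmed) == 0 {
			continue
		}
		if trimmed[0] != '[' && trimmed[0] != '{' {
			skipped = append(skipped, string(line))
			continue
		}
		rest := bytes.Join(lines[i:], []byte("\n"))
		dec := json.NewDecoder(bytes.NewReader(rest))
		var res []rangeResult
		if err := dec.Decode(&res); err != nil {
			return nil, skipped, err
		}
		// After a complete value only EOF is acceptable; anything else is
		// trailing garbage that would otherwise be ignored.
		if _, err := dec.Token(); err != io.EOF {
			return nil, skipped, errors.New("trailing data after JSON value")
		}
		return res, skipped, nil
	}
	return nil, skipped, errors.New("no JSON value found in output")
}

func main() {
	if _, err := parseStrict(sampleOut); err != nil {
		fmt.Println("strict parse failed:", err)
	}
	res, skipped, err := parseLenient(sampleOut)
	if err != nil {
		fmt.Println("lenient parse failed:", err)
		return
	}
	for _, l := range skipped {
		fmt.Println("skipped diagnostic line:", l)
	}
	fmt.Printf("parsed %d results: %+v\n", len(res), res)
}
```

Keeping diagnostics on stderr and the payload alone on stdout is the cleaner separation; the lenient parser above is for the case where both have already been mixed into one buffer, and it deliberately reports what it skipped so a new warning cannot go unnoticed.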
Steps to reproduce
Unable to reproduce with their requirements.txt
Example Project
See ZenDesk ticket (internal)
What is the current bug behavior?
Analyzer fails scanning file pipdeptree.json, which seems to be created by the analyzer itself.
What is the expected correct behavior?
Analyzer successfully completes and uploads report artifact.