Dependency scan report validation error when using local dependencies in package.json
Summary
After running Dependency scanning in a Javascript project with local dependencies defined in the package-lock.json
, a report validation error appears in the security tab of the relevant pipeline:
[Schema] property '/dependency_files/0/dependencies/0' is missing required keys: version.
This occurs with schema model 15 but the error does not appear in schema model 14.
This is due to the fact that schema versions 15.x.x
require a version
e.g 1.0.0
to be specified for dependencies in the package-lock.json
file, which will be subsequently be included in the gl-dependency-scan-report.json
artifact.
This field was not explicitly required in schema version 14.x.x
This was brought up in a Zendesk Ticket - internal only
Steps to reproduce
-
Create a folder locally with a
package.json
file. -
In the
package.json
file, define a dependency in this format:"dependencies": { "mycoolmod": "file:../foo/bar" }
-
Generate the
package-lock.json
e.g by runningnpm install
in the directory where thepackage.json
file is located -
Push the folder to GitLab and configure Dependency scanning
-
Once the pipeline is complete, check the security tab. You will find a report validation error.
Example Project
What is the current bug behavior?
The Security tab shows a report validation error and thus such dependencies are not included in the pipeline security report and the project vulnerability report as well.
What is the expected correct behavior?
Local dependencies without a version number should be handled correctly by gemnasium to avoid report validation errors.
Relevant logs and/or screenshots
Error in the UI:
The gl-dependency-scanning-report.json
has the entry for such dependencies as:
"dependency_files": [
{
"path": "package-lock.json",
"package_manager": "npm",
"dependencies": [
{
"package": {
"name": "mycoolmod"
}
},
....
An entry that has a version should look like this:
"dependency_files": [
{
"path": "package-lock.json",
"package_manager": "npm",
"dependencies": [
{
"package": {
"name": "mycoolmod"
},
"version": "1.1.2"
},
....
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: \`sudo gitlab-rake gitlab:env:info\`) (For installations from source run and paste the output of: \`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production\`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)
Workarounds
Revert to v14
Use the DS_SCHEMA_VERSION
CI/CD variable to pin to an earlier version of the schema that is used for report validation.
gemnasium-dependency_scanning:
variables:
DS_SCHEMA_MODEL: 14
Please note that this is a temporary work around because schemas version 14.x.x will be deprecated in GitLab Version 16.
Remove dependencies from report
Add an after_script
to the gemnasium-dependency_scanning
job to remove dependencies that don't have a version from dependency_files
. This can be implemented using jq
for instance.
Possible fixes
- Change the report format to allow unknown versions.
- Omit dependencies that don't have a version, to have a valid report. #393849 (comment 1376533316)
- Update the
gemnasium
parser to use a dummy version for local dependencies, such aslocal
.
Proposal
Omit dependencies that don't have a version, to have a valid report. #393849 (comment 1376533316)
See #393849 (comment 1303327841)
Implementation Plan
-
Update the FileConverter.DependencyFile
function to exclude any dependencies with a missing version.