Gemnasium generates invalid reports for Nuget dependencies with no resolved versions

Summary

The Gemnasium analyzer generates invalid Dependency Scanning (DS) reports when it processes Nuget packages.lock.json files containing dependencies of type Project, which have no resolved version. The DS report schema requires every entry in dependency_files[].dependencies[] to carry a version key, so a report that omits it fails validation.

Steps to reproduce

Running a security scan on a clone of this project will show the failure in the Pipeline → Security tab.

https://gitlab.com/gitlab-gold/duncan/gitlabdepscanrepro/-/pipelines/810354701/security

Example Project

https://gitlab.com/gitlab-gold/duncan/gitlabdepscanrepro/

https://gitlab.com/gitlab-gold/duncan/gitlabdepscanrepro/-/blob/a886904190472f3ba9e226d09587d16990f81df9/packages.lock.json#L12

{
  "version": 1,
  "dependencies": {
    ".NETFramework,Version=v4.6.2": {
      "Newtonsoft.Json": {
        "type": "Direct",
        "requested": "[13.0.3, )",
        "resolved": "13.0.3",
        "contentHash": "HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ=="
      },
      "aclasslibrary": {
        "type": "Project"
      }
    },
    ".NETFramework,Version=v4.6.2/win": {},
    ".NETFramework,Version=v4.6.2/win-x64": {},
    ".NETFramework,Version=v4.6.2/win-x86": {}
  }
}

What is the current bug behavior?

The parser reports an error while processing the report: [Schema] property '/dependency_files/0/dependencies/1' is missing required keys: version

What is the expected correct behavior?

The packages.lock.json file carries no resolved version for dependencies of type Project. The report should not fail with a parse error when the version is missing for such a dependency.

Relevant logs and/or screenshots


The following security reports contain one or more vulnerability findings that could not be parsed and were not recorded. To investigate a report, download the artifacts in the job output. Ensure the security report conforms to the relevant

• [Schema] property '/dependency_files/0/dependencies/1' is missing required keys: version

Customer reported this issue in a Confidential Support ticket

Output of checks

GitLab Enterprise Edition 15.10.0-pre ef5c8d18a7b

Workarounds

Alter the Dependency Scanning report before it is uploaded by the gemnasium-dependency_scanning CI job, removing the .dependency_files[].dependencies[] objects whose version is missing or empty. This can be implemented with jq and run in the after_script of the CI job.

Possible fixes

  • Remove omitempty from json field options for Dependency.Version.
  • Skip Project dependencies when parsing Nuget lock files. See nuget.go.
  • Skip Project dependencies that don't have a resolved version.
  • Update the report schema to allow empty version fields in dependency_files[].dependencies[].
  • Output a non-empty version when the version is unknown, to make the report valid.

Proposal

Remove omitempty from the json field options of Dependency.Version, so that the .dependency_files[].dependencies[].version field of the report (output) is an empty string when the resolved field of the lock file (input) is empty or absent.

The JSON schema accepts empty strings: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/3b3b76e83722a97181f52f473a80f2f5713591e6/dist/dependency-scanning-report-format.json#L999
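The following Go program is an added example written for this issue, not Gemnasium's own code. It reproduces the bug and the proposal above end to end: it parses the lock file from this page (embedded as a constructed constant), emits the report once with omitempty on the version field (the key disappears for the Project reference) and once without it (the key is present with an empty string), runs a check that reports the same JSON pointer the schema error on this page shows, and applies the after_script workaround of dropping versionless dependencies. Everything about the report shape other than the version field is an assumption for the demonstration: package.name, path, package_manager and the top-level version are stand-ins, not the real report module's structs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed input mirroring the lock file on this page: one resolved package, one "Project" reference.
const lockJSON = `{"version": 1, "dependencies": {".NETFramework,Version=v4.6.2": {
  "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
  "aclasslibrary": {"type": "Project"}}, ".NETFramework,Version=v4.6.2/win": {}}}`

// Report shapes are assumptions; only package.name and version are modeled.
type (
	packageRef struct{ Name string `json:"name"` }
	// BuggyDependency (pre-fix): omitempty drops the "version" key entirely when Version is "".
	BuggyDependency struct {
		Package packageRef `json:"package"`
		Version string     `json:"version,omitempty"`
	}
	// FixedDependency (the proposal): without omitempty, Version "" is emitted as "version": "".
	FixedDependency struct {
		Package packageRef `json:"package"`
		Version string     `json:"version"`
	}
)

// ParseLock flattens all target frameworks into one sorted list, keeping Project references.
func ParseLock(data []byte) ([]FixedDependency, error) {
	var lf struct {
		Dependencies map[string]map[string]struct {
			Resolved string `json:"resolved"` // absent for Project entries, so it stays ""
		} `json:"dependencies"`
	}
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	byName := map[string]string{}
	for _, target := range lf.Dependencies {
		for name, d := range target {
			byName[name] = d.Resolved
		}
	}
	var deps []FixedDependency
	for name, v := range byName {
		deps = append(deps, FixedDependency{packageRef{name}, v})
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Package.Name < deps[j].Package.Name })
	return deps, nil
}

// BuildReport wraps the list in a minimal dependency_files[0] entry (assumed field names).
func BuildReport(deps []FixedDependency, omitEmpty bool) ([]byte, error) {
	var list interface{} = deps
	if omitEmpty {
		buggy := make([]BuggyDependency, len(deps))
		for i, d := range deps {
			buggy[i] = BuggyDependency(d) // same fields, only the tags differ
		}
		list = buggy
	}
	file := map[string]interface{}{"path": "packages.lock.json", "package_manager": "nuget", "dependencies": list}
	return json.Marshal(map[string]interface{}{"version": "15.0.0", "dependency_files": []interface{}{file}})
}

// AuditReport returns the JSON pointers the schema check rejects (no "version" key at all; "" passes)
// and, as the after_script workaround, a copy of the report without versionless dependencies.
func AuditReport(reportJSON []byte) (missing []string, cleaned []byte, err error) {
	var rep map[string]interface{}
	if e := json.Unmarshal(reportJSON, &rep); e != nil {
		return nil, nil, e
	}
	files, _ := rep["dependency_files"].([]interface{})
	for i, f := range files {
		fm, _ := f.(map[string]interface{})
		deps, _ := fm["dependencies"].([]interface{})
		kept := []interface{}{}
		for j, d := range deps {
			dm, _ := d.(map[string]interface{})
			v, present := dm["version"]
			if !present {
				missing = append(missing, fmt.Sprintf("/dependency_files/%d/dependencies/%d", i, j))
			}
			if s, _ := v.(string); s != "" {
				kept = append(kept, d)
			}
		}
		if fm != nil {
			fm["dependencies"] = kept
		}
	}
	cleaned, err = json.Marshal(rep)
	return missing, cleaned, err
}

func main() {
	deps, _ := ParseLock([]byte(lockJSON))
	buggy, _ := BuildReport(deps, true)
	missing, cleaned, _ := AuditReport(buggy)
	fmt.Printf("schema would reject: %v\nworkaround output: %s\n", missing, cleaned)
}
```

With omitempty the report contains {"package":{"name":"aclasslibrary"}} and the check flags /dependency_files/0/dependencies/1, exactly as in the pipeline error above; without omitempty the same entry carries "version": "" and passes. The jq equivalent of AuditReport's filtering for the after_script (an assumption, written to match the workaround described above) is del(.dependency_files[].dependencies[] | select(.version == null or .version == "")), which removes the entry whether the key is absent (the current bug) or empty (after the proposed fix).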

Implementation plan

  • Update report project.
  • Update Gemnasium
    • Upgrade report module.
    • Optional: Add integration test.
    • Release new version.
Edited by Fabien Catteau