Improve logging and troubleshooting when Dependency Scanning job runs but there is no matching dependency file found
Release notes
Problem to solve
By design, the Dependency Scanning job is triggered based on a file match in the repository, using the CI keyword rules:exists.
However, when executed, the scanner applies some additional detection logic that can lead to a "no match found" situation. When this happens, the job exits successfully with 0 and no report is uploaded.
Here is an example job log output:
$ /analyzer run
[INFO] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/cmd/gemnasium/main.go:74] ▶ GitLab Gemnasium analyzer v4.0.3
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: .
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:96] ▶ skip ignored directory: .git
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:96] ▶ skip ignored directory: .mvn
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: config
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: config/desktop
[WARN] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:122] ▶ Subdirectories of config/desktop are not searched due to the environment variable DS_MAX_DEPTH value of 2
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: docs
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: docs/images
[WARN] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:122] ▶ Subdirectories of docs/images are not searched due to the environment variable DS_MAX_DEPTH value of 2
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: robot
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: src
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:88] ▶ skip excluded path: src/test
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: src/it
[WARN] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:122] ▶ Subdirectories of src/it are not searched due to the environment variable DS_MAX_DEPTH value of 2
[DEBU] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: src/main
[WARN] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/finder/finder.go:122] ▶ Subdirectories of src/main are not searched due to the environment variable DS_MAX_DEPTH value of 2
[WARN] [Gemnasium] [2023-06-19T13:13:56Z] [/go/src/app/cmd/gemnasium/main.go:237] ▶ No match in /builds/gl-demo-ultimate-tgieschen/webgoat-poc
+ exit 0
Proposal
Help users by providing more helpful log output and pointing to the troubleshooting docs.
Possible reasons to be in such a situation and worth highlighting:
- there are too many files in the project, which skips the rules and triggers the job anyway. This is documented: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#limitation-when-using-rulesexists
- the rules find a file in a folder that is not considered by the scanner, either because
  - it was skipped (e.g. within a test folder). Example log line: skip excluded path: src/test - configure with DS_EXCLUDED_PATHS
  - it is too deep in the folder structure. Example log line: Subdirectories of src/it are not searched due to the environment variable DS_MAX_DEPTH value of 2 - configure with DS_MAX_DEPTH
For instance, the directory depth case is already better explained in the logs with Subdirectories of src/main are not searched due to the environment variable DS_MAX_DEPTH value of 2.
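To make the proposal concrete, here is an added example (written for this page, not code from the gemnasium analyzer or from GitLab) that models the two filters visible in the log above over a flat repository file list and, when nothing matches, prints the kind of message this issue asks for: which supported files were skipped, which variable controls each filter, and where the docs are. The supported-file list, the sample repository listing and the component-based exclusion matching are simplifications I constructed; the DS_EXCLUDED_PATHS defaults are given from memory and should be checked against the current documentation.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// DefaultExcluded mirrors the DS_EXCLUDED_PATHS defaults as I recall them
// from the docs (assumption: verify against current documentation).
var DefaultExcluded = []string{"spec", "test", "tests", "tmp"}

// supportedFiles is a constructed subset of dependency-file names; the real
// analyzer's list is longer.
var supportedFiles = map[string]bool{
	"pom.xml": true, "package-lock.json": true, "Gemfile.lock": true,
	"go.sum": true, "requirements.txt": true,
}

// SkipReason records a supported file the scanner would not reach, and why.
type SkipReason struct {
	Path   string // repository-relative file path
	Reason string // text modelled on the analyzer's WARN/DEBU lines
	Hint   string // the environment variable that controls this filter
}

// Result is the outcome of classifying a repository file list.
type Result struct {
	Matches []string
	Skipped []SkipReason
}

// SampleFiles is a constructed listing modelled on the directories the log in
// this issue walks (config/desktop, docs/images, src/test, src/it, src/main).
// It is not taken from the real project.
func SampleFiles() []string {
	return []string{
		"README.md",
		"config/desktop/settings.yml",
		"docs/images/logo.png",
		"src/test/pom.xml",        // under an excluded directory
		"src/it/project1/pom.xml", // directory depth 3, beyond DS_MAX_DEPTH=2
		"src/main/java/App.java",
	}
}

// Classify applies two filters modelled on the analyzer's log lines to a flat
// file list (what `git ls-files` prints):
//   - excluded: a directory component named in excluded (DS_EXCLUDED_PATHS);
//     a simplification of the analyzer's pattern matching.
//   - depth: the file's directory has more than maxDepth components
//     (DS_MAX_DEPTH). With maxDepth 2, src/it/pom.xml is reachable but
//     src/it/x/pom.xml is not, matching "Subdirectories of src/it are not searched".
func Classify(files []string, maxDepth int, excluded []string) Result {
	var r Result
	for _, f := range files {
		f = path.Clean(f)
		if !supportedFiles[path.Base(f)] {
			continue
		}
		var comps []string
		if dir := path.Dir(f); dir != "." {
			comps = strings.Split(dir, "/")
		}
		if ex := excludedPrefix(comps, excluded); ex != "" {
			r.Skipped = append(r.Skipped, SkipReason{f, "skip excluded path: " + ex, "DS_EXCLUDED_PATHS"})
			continue
		}
		if len(comps) > maxDepth {
			parent := strings.Join(comps[:maxDepth], "/")
			if parent == "" {
				parent = "."
			}
			r.Skipped = append(r.Skipped, SkipReason{f,
				fmt.Sprintf("Subdirectories of %s are not searched due to the environment variable DS_MAX_DEPTH value of %d", parent, maxDepth),
				"DS_MAX_DEPTH"})
			continue
		}
		r.Matches = append(r.Matches, f)
	}
	return r
}

// excludedPrefix returns the path up to and including the first excluded
// component, or "" when no component is excluded.
func excludedPrefix(comps, excluded []string) string {
	for i, c := range comps {
		for _, e := range excluded {
			if c == e {
				return strings.Join(comps[:i+1], "/")
			}
		}
	}
	return ""
}

// Explain builds the message this issue asks for when nothing matched: every
// supported file the scanner skipped, the variable to adjust, and the docs link.
func Explain(r Result) string {
	const docs = "https://docs.gitlab.com/ee/user/application_security/dependency_scanning/"
	if len(r.Matches) > 0 {
		return fmt.Sprintf("%d dependency file(s) found", len(r.Matches))
	}
	var b strings.Builder
	b.WriteString("No match: no supported dependency file was scanned.\n")
	if len(r.Skipped) == 0 {
		// Nothing supported anywhere: the job most likely ran because rules:exists
		// was bypassed by the file-count limitation documented at the link below.
		b.WriteString("No supported file exists in the searched tree; if the job was still triggered, see " +
			docs + "#limitation-when-using-rulesexists\n")
		return b.String()
	}
	b.WriteString("Supported files exist but were not searched:\n")
	for _, s := range r.Skipped {
		fmt.Fprintf(&b, "  - %s: %s (configure with %s)\n", s.Path, s.Reason, s.Hint)
	}
	b.WriteString("See " + docs + "\n")
	return b.String()
}

func main() {
	fmt.Print(Explain(Classify(SampleFiles(), 2, DefaultExcluded)))
}
```

Running it with the constructed sample and DS_MAX_DEPTH=2 reports both pom.xml files as skipped, one by the exclusion list and one by depth, so a user reading the job log knows exactly which variable to change; raising the depth to 3 makes src/it/project1/pom.xml match.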
Edited by Olivier Gonzalez