Dependency Scanning's gemnasium-maven unexpectedly changes to $CI_PROJECT_DIR unlike other analyzers

Summary

gemnasium-maven cd's to the $CI_PROJECT_DIR. See https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/v5.2.7/build/gemnasium-maven/analyzer-wrapper?ref_type=tags#L19-20

The other analyzers (gemnasium and gemnasium-python) do not do this directory change.

This directory change is needless and surprising.

Steps to reproduce

  • Define a job using the image registry.gitlab.com/security-products/gemnasium-maven:latest
  • In the script, cd to a directory then run /analyzer sbom

Actual: The analyzer runs on $CI_PROJECT_DIR

Expected: The analyzer should run on the current working directory, which is what happens when the same test is done using registry.gitlab.com/security-products/gemnasium:latest or registry.gitlab.com/security-products/gemnasium-python:latest

Example Project

https://gitlab.com/candrews/gemnasium-select-dir

In this project, the directory is changed to maven using cd maven before running /analyzer from GitLab Dependency Scanning's gemnasium-maven.

What is the current bug behavior?

Actual: an SBOM is generated in the gradle directory.

What is the expected correct behavior?

Expected: an SBOM should be generated in the maven directory.

Relevant logs and/or screenshots

See the pipeline of that project for full output.

Output of checks

This bug happens on GitLab.com


Possible fixes

https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/v5.2.7/build/gemnasium-maven/analyzer-wrapper?ref_type=tags#L19-20

Workaround

A fix was released in v5.2.12 of gemnasium-maven. On earlier versions, the workaround is to pass an absolute path to the target project, like so:

# Alternatively, you can use the ANALYZER_TARGET_DIR to override the target directory.
/analyzer --target-dir /path/to/project/root
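The reproduction steps and the workaround above, written out as CI jobs. This is an added example, not the configuration of the linked example project or of the gemnasium project. It assumes a repository laid out like the example project, with a maven/ subdirectory holding the Maven build, and that the SBOM files are named gl-sbom-*.cdx.json (an assumption about the analyzer's output naming; only the image names, the sbom subcommand and ANALYZER_TARGET_DIR come from the report).

```yaml
# Added example (not the example project's or gemnasium's own pipeline).
# Assumes: a maven/ subdirectory with a Maven project, and that the
# analyzer writes SBOMs named gl-sbom-*.cdx.json (assumed naming).
stages: [scan]

# Reproduction with the affected analyzer: the cd is discarded because the
# wrapper changes to $CI_PROJECT_DIR before running, so on affected versions
# (before v5.2.12) the SBOM lands at the repository root, not in maven/.
gemnasium-maven-cd:
  stage: scan
  image: registry.gitlab.com/security-products/gemnasium-maven:latest
  script:
    - cd maven
    - /analyzer sbom
    # Shows where the SBOM actually ended up (assumed file name pattern).
    - find "$CI_PROJECT_DIR" -name 'gl-sbom-*.cdx.json' -print

# Same steps with gemnasium (non-Maven analyzer) for comparison: here the
# working directory is honoured and the SBOM is generated under maven/.
gemnasium-cd:
  stage: scan
  image: registry.gitlab.com/security-products/gemnasium:latest
  script:
    - cd maven
    - /analyzer sbom
    - find "$CI_PROJECT_DIR" -name 'gl-sbom-*.cdx.json' -print

# Workaround for affected gemnasium-maven versions: name the target with an
# absolute path via ANALYZER_TARGET_DIR instead of relying on cd.
gemnasium-maven-target-dir:
  stage: scan
  image: registry.gitlab.com/security-products/gemnasium-maven:latest
  variables:
    ANALYZER_TARGET_DIR: "$CI_PROJECT_DIR/maven"
  script:
    - /analyzer sbom
    - find "$CI_PROJECT_DIR" -name 'gl-sbom-*.cdx.json' -print
```

The find lines exist only to make the difference visible in the job log: on an affected gemnasium-maven version the first job lists a file at the repository root, while the second and third list one under maven/. Pinning the image to a version at or above v5.2.12 instead of latest makes the workaround unnecessary and keeps the behaviour reproducible.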
Edited by Oscar Tovar