Dependency Scanner fails when there are no dependencies

Summary

Having a supported dependency/lock file without any packages defined in it will cause the dependency scanner job to run, but to fail with an error.

This was reported by a large GitLab Ultimate customer in a Support ticket. CC @cbazan1

Steps to reproduce

  1. Create a new project with the following `package-lock.json` in the root of the repository (a valid lock file with an empty `packages` map):

```json
{
  "name": "test-empty-package",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {}
}
```

  2. Enable dependency scanning.
  3. Run a pipeline. The dependency scanning job should show this behavior.

Example Project

What is the current bug behavior?

Dependency scanning fails when there are no packages.

What is the expected correct behavior?

Dependency scanning succeeds and writes a message to the job log indicating that no packages were scanned. This would prevent pipelines from failing when no packages are actually in use.

Relevant logs and/or screenshots

The error will look something like this (when scanning a package-lock.json file):

[FATA] [dependency-scanning] [2025-05-13T15:22:03Z] [/go/src/app/cmd/dependency-scanning/main.go:43] ▶ scanning file package-lock.json: parsing file package-lock.json: missing application entry


Possible fixes

As an example, an error is returned in this part of the code when scanning NPM files without dependencies defined: https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning/-/blob/main/scanner/parser/npm/levelmap.go#L60

It would be nice if we could detect this type of error in the main function and return a non-fatal message, like "No packages detected, exiting."
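The non-fatal handling proposed above, sketched as an added Go example (not the analyzer's own code): a hypothetical `ErrNoPackages` sentinel from the lock-file parser that the entry point treats as a clean exit, while genuinely malformed files still fail the job.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// ErrNoPackages is a hypothetical sentinel error (not the analyzer's own) returned
// when the lock file parses fine but declares no packages at all.
var ErrNoPackages = errors.New("no packages detected")
// lockfile holds the package-lock.json (lockfileVersion 2/3) fields we need.
type lockfile struct {
	LockfileVersion int                        `json:"lockfileVersion"`
	Packages        map[string]json.RawMessage `json:"packages"`
}
// parseLock parses a package-lock.json body; an empty or missing "packages"
// map yields ErrNoPackages rather than a fatal "missing application entry".
func parseLock(data []byte) (*lockfile, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parsing package-lock.json: %w", err)
	}
	if len(lf.Packages) == 0 {
		return nil, ErrNoPackages
	}
	return &lf, nil
}

// run mirrors what main could do: exit 0 with a log line for an empty lock
// file, exit 1 only for a genuine parse error.
func run(data []byte) int {
	lf, err := parseLock(data)
	switch {
	case errors.Is(err, ErrNoPackages):
		fmt.Println("No packages detected, exiting.")
		return 0
	case err != nil:
		fmt.Fprintln(os.Stderr, "[FATA] scanning file package-lock.json:", err)
		return 1
	}
	fmt.Printf("scanning %d package entries\n", len(lf.Packages))
	return 0
}

func main() {
	// Constructed sample: the empty lock file from the reproduction steps.
	os.Exit(run([]byte(`{"name":"test-empty-package","lockfileVersion":3,"requires":true,"packages":{}}`)))
}
```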