Propagate env vars to Dependency Scanning for Python, Java Maven (Gemnasium)

Summary

Environment variables set in the context of dependency_scanning jobs are not propagated to the Docker containers used to perform Dependency Scanning (DS) on Python projects and Java Maven projects (Gemnasium client).

Steps to reproduce

  • Create a Python or Maven project where some environment variables are required to install the project dependencies. It could be HTTP_PROXY, PIP_INDEX_URL or others.
  • Enable Dependency Scanning and add the env vars to the job definition.
  • Run the pipeline.

Example Project

TODO: provide example project

What is the current bug behavior?

Dependency Scanning fails because the env vars are not set when attempting to install Python dependencies using pip install or Java Maven dependencies using mvn.

What is the expected correct behavior?

The DS job should fetch the dependencies using the env vars.

Possible fixes

Propagate the env vars when configuring the Docker container.

See https://gitlab.com/gitlab-org/security-products/gemnasium/client/blob/master/generator/docker.go
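
One way to propagate the variables when building the container invocation, shown as an added Go example that is not the Gemnasium client's own code. The helper `DockerRunArgs`, the allowlist and the image name are assumptions; forwarding by name from an allowlist keeps unrelated job secrets out of the container where `pip install` or `mvn` run.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Assumed allowlist (not the Gemnasium client's): only settings that affect
// dependency fetching are forwarded, so unrelated CI secrets in the job
// environment are not exposed to package install scripts in the container.
var passthrough = map[string]bool{
	"HTTP_PROXY": true, "HTTPS_PROXY": true, "NO_PROXY": true,
	"http_proxy": true, "https_proxy": true, "no_proxy": true,
	"MAVEN_OPTS": true,
}

func allowed(name string) bool {
	return passthrough[name] || strings.HasPrefix(name, "PIP_")
}

// DockerRunArgs (hypothetical helper) builds `docker run` arguments, adding
// `-e NAME` for each allowlisted variable in environ (os.Environ format).
// With no `=value`, docker copies the value from its own environment, so
// proxy credentials never appear on the command line or in process listings.
func DockerRunArgs(image string, environ []string, cmd ...string) []string {
	var names []string
	for _, kv := range environ {
		name, _, ok := strings.Cut(kv, "=")
		if ok && allowed(name) {
			names = append(names, name)
		}
	}
	sort.Strings(names) // deterministic order for logs and tests
	args := []string{"run", "--rm"}
	for _, n := range names {
		args = append(args, "-e", n)
	}
	args = append(args, image)
	return append(args, cmd...)
}

func main() {
	// Image name is a placeholder; the real scanner image is not on the page.
	args := DockerRunArgs("scanner-image:placeholder", os.Environ(), "pip", "install", "-r", "requirements.txt")
	fmt.Println("docker " + strings.Join(args, " "))
}
```

The process that executes `docker` must inherit the job environment for the `-e NAME` form to pick up the values.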