
Fix NoMethodError in dependency list page

Bala Kumar requested to merge 414559-fix-for-5xx into master

What does this MR do and why?

Fixes the NoMethodError raised when accessing the dependency list page for projects that have both the dependency scanner and the license scanner configured and the dependency scanner injects an invalid ancestor id (a `dependency_path` entry whose `iid` does not match any dependency in the report).

See context: #415104 (closed)

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: Screenshot_2023-07-14_at_7.37.10_PM (500 error page) / After: Screenshot_2023-07-14_at_7.35.45_PM (dependency list renders)

How to set up and validate locally

Steps to reproduce

  1. Create a new project with the following files:

`.gitlab-ci.yml`

```yaml
dependency_scanning:
  script:
    - echo "test failing dependencies"
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

license_scanning:
  script:
    - echo "test failing dependencies"
  artifacts:
    reports:
      license_scanning: gl-license-scanning-report.json
```
`gl-dependency-scanning-report.json` (note that the `dependency_path` of iid 13 references iid 52, which is not defined in `dependencies`; this is the invalid ancestor id that triggers the error)

```json
{
  "version": "15.0.0",
  "scan": {
    "analyzer": {
      "id": "gemnasium",
      "name": "Gemnasium",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium",
      "vendor": {
        "name": "GitLab"
      },
      "version": "4.0.2"
    },
    "scanner": {
      "id": "gemnasium",
      "name": "Gemnasium",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium",
      "vendor": {
        "name": "GitLab"
      },
      "version": "4.0.2"
    },
    "type": "dependency_scanning",
    "start_time": "2023-06-08T14:46:48",
    "end_time": "2023-06-08T14:46:53",
    "status": "success"
  },
  "dependency_files": [
    {
      "path": "BoloServices.JobFramework.Workflow.Activities/packages.lock.json",
      "package_manager": "nuget",
      "dependencies": [
        {
          "iid": 13,
          "dependency_path": [
            {
              "iid": 52
            },
            {
              "iid": 67
            },
            {
              "iid": 11
            }
          ],
          "package": {
            "name": "Microsoft.AspNetCore.Http"
          },
          "version": "2.1.1"
        },
        {
          "iid": 11,
          "package": {
            "name": "NLog.Web.AspNetCore"
          },
          "version": "4.9.0"
        },
        {
          "iid": 67,
          "package": {
            "name": "RSA.seahorse.Logging"
          },
          "version": "1.0.16"
        }
      ]
    }
  ],
  "vulnerabilities": [
    {
      "id": "853e5bd2f40053a75ff373dcf1a4862db71cf621c08dbf253c5562c5ac75bb7f",
      "name": "Cookie parsing failure",
      "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.",
      "cve": "",
      "severity": "High",
      "solution": "Upgrade to version 2.1.22 or above.",
      "location": {
        "file": "BoloServices.JobFramework.Workflow.Activities/packages.lock.json",
        "dependency": {
          "iid": 13,
          "package": {
            "name": "Microsoft.AspNetCore.Http"
          },
          "version": "2.1.1"
        }
      },
      "identifiers": [
        {
          "type": "gemnasium",
          "name": "Gemnasium-744de9f2-7edb-4e53-976c-d20777c420f8",
          "value": "744de9f2-7edb-4e53-976c-d20777c420f8",
          "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/nuget/Microsoft.AspNetCore.Http/CVE-2020-1045.yml"
        }
      ],
      "links": [
        {
          "url": "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
        }
      ],
      "details": {
        "introduced_by_package": {
          "type": "text",
          "name": "Introduced by Package",
          "value": "BoloServices.jobframework:"
        },
        "shortest_path": {
          "type": "list",
          "name": "Shortest Path",
          "items": [
            {
              "type": "text",
              "value": "BoloServices.jobframework:"
            }
          ]
        },
        "vulnerable_package": {
          "type": "text",
          "name": "Vulnerable Package",
          "value": "Microsoft.AspNetCore.Http:2.1.1"
        }
      }
    }
  ]
}
```
`gl-license-scanning-report.json`

```json
{
  "version": "2.1",
  "licenses": [
    {
      "id": "Apache-2.0",
      "name": "Apache License 2.0",
      "url": "https://opensource.org/licenses/Apache-2.0"
    }
  ],
  "dependencies": [
    {
      "name": "AWS.Logger.AspNetCore",
      "version": "2.1.1",
      "package_manager": "nuget",
      "path": "Bolo.JobEngine.sln",
      "licenses": [
        "https://aws.amazon.com/apache-2-0/"
      ]
    },
    {
      "name": "AWS.Logger.Core",
      "version": "1.5.1",
      "package_manager": "nuget",
      "path": "Bolo.JobEngine.sln",
      "licenses": [
        "https://aws.amazon.com/apache-2-0/"
      ]
    }
  ]
}
```
  2. Trigger a new pipeline on the default branch.
  3. Ping `http://<HOST>/<PROJECT_FULL_PATH>/-/dependencies.json`

The following error will be triggered:

```
NoMethodError at /root/test-dependency/-/dependencies.json
undefined method `fetch' for nil:NilClass
                  next ancestor unless ancestor.fetch(:iid, false) # `block (2 levels) in augment_ancestors!': undefined method `fetch' for nil:NilClass
```

  4. With the fix, we should not see the NoMethodError.
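To make the failure mode concrete, here is an added Ruby model of the ancestor augmentation described by the error above; it is not GitLab's code and the fix is not this MR's actual diff. It assumes that each `dependency_path` entry is resolved by `iid` against the report's `dependencies` before being dereferenced with `fetch`, and the sample report is a constructed cut-down of the one in the reproduction steps.

```ruby
require 'json'

# Constructed sample, cut down from the report in the reproduction steps:
# ancestor iid 52 is referenced but no dependency with that iid exists.
REPORT_JSON = <<~JSON
  {
    "dependencies": [
      {"iid": 13, "dependency_path": [{"iid": 52}, {"iid": 67}, {"iid": 11}],
       "package": {"name": "Microsoft.AspNetCore.Http"}, "version": "2.1.1"},
      {"iid": 11, "package": {"name": "NLog.Web.AspNetCore"}, "version": "4.9.0"},
      {"iid": 67, "package": {"name": "RSA.seahorse.Logging"}, "version": "1.0.16"}
    ]
  }
JSON

def parse_dependencies(json)
  JSON.parse(json, symbolize_names: true).fetch(:dependencies)
end

# Lookup table so each dependency_path entry can be resolved to the full
# dependency it points at.
def index_by_iid(deps)
  deps.to_h { |dep| [dep[:iid], dep] }
end

# Shape of the failing code on the page (hypothetical model, not GitLab's
# source): the resolved ancestor is dereferenced with `fetch` without a nil
# check, so an unknown iid raises NoMethodError and the page answers 500.
def augment_ancestors_unchecked!(dep, by_iid)
  dep.fetch(:dependency_path, []).map do |ref|
    ancestor = by_iid[ref[:iid]]
    next ancestor unless ancestor.fetch(:iid, false)
    { name: ancestor[:package][:name], version: ancestor[:version] }
  end
end

# Hypothetical defensive variant (an assumption, not the MR's actual diff):
# a reference that resolves to nothing is dropped from the path, so one
# malformed report entry cannot take down the whole dependency list.
def augment_ancestors_safe!(dep, by_iid)
  dep.fetch(:dependency_path, []).filter_map do |ref|
    ancestor = by_iid[ref[:iid]]
    next if ancestor.nil? || !ancestor.fetch(:iid, false)
    { name: ancestor[:package][:name], version: ancestor[:version] }
  end
end
```

Running `augment_ancestors_unchecked!` on the iid 13 dependency reproduces the `undefined method 'fetch' for nil` error; the defensive variant returns the two resolvable ancestors (iids 67 and 11) and silently drops the dangling iid 52.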

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #414559 (closed)

Edited by Bala Kumar
