Fix NoMethodError in dependency list page
What does this MR do and why?
Fixes the NoMethodError raised when accessing the dependency list page for projects that have both the dependency scanner and the license scanner configured and where the dependency scanner injects an ancestor id that does not match any dependency in the report.
See context: #415104 (closed)
How to set up and validate locally
Steps to reproduce
- Create a new project with the following files:

.gitlab-ci.yml

```yaml
dependency_scanning:
  script:
    - echo "test failing dependencies"
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

license_scanning:
  script:
    - echo "test failing dependencies"
  artifacts:
    reports:
      license_scanning: gl-license-scanning-report.json
```

gl-dependency-scanning-report.json
```json
{
  "version": "15.0.0",
  "scan": {
    "analyzer": {
      "id": "gemnasium",
      "name": "Gemnasium",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium",
      "vendor": {
        "name": "GitLab"
      },
      "version": "4.0.2"
    },
    "scanner": {
      "id": "gemnasium",
      "name": "Gemnasium",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium",
      "vendor": {
        "name": "GitLab"
      },
      "version": "4.0.2"
    },
    "type": "dependency_scanning",
    "start_time": "2023-06-08T14:46:48",
    "end_time": "2023-06-08T14:46:53",
    "status": "success"
  },
  "dependency_files": [
    {
      "path": "BoloServices.JobFramework.Workflow.Activities/packages.lock.json",
      "package_manager": "nuget",
      "dependencies": [
        {
          "iid": 13,
          "dependency_path": [
            {
              "iid": 52
            },
            {
              "iid": 67
            },
            {
              "iid": 11
            }
          ],
          "package": {
            "name": "Microsoft.AspNetCore.Http"
          },
          "version": "2.1.1"
        },
        {
          "iid": 11,
          "package": {
            "name": "NLog.Web.AspNetCore"
          },
          "version": "4.9.0"
        },
        {
          "iid": 67,
          "package": {
            "name": "RSA.seahorse.Logging"
          },
          "version": "1.0.16"
        }
      ]
    }
  ],
  "vulnerabilities": [
    {
      "id": "853e5bd2f40053a75ff373dcf1a4862db71cf621c08dbf253c5562c5ac75bb7f",
      "name": "Cookie parsing failure",
      "description": "A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.",
      "cve": "",
      "severity": "High",
      "solution": "Upgrade to version 2.1.22 or above.",
      "location": {
        "file": "BoloServices.JobFramework.Workflow.Activities/packages.lock.json",
        "dependency": {
          "iid": 13,
          "package": {
            "name": "Microsoft.AspNetCore.Http"
          },
          "version": "2.1.1"
        }
      },
      "identifiers": [
        {
          "type": "gemnasium",
          "name": "Gemnasium-744de9f2-7edb-4e53-976c-d20777c420f8",
          "value": "744de9f2-7edb-4e53-976c-d20777c420f8",
          "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/nuget/Microsoft.AspNetCore.Http/CVE-2020-1045.yml"
        }
      ],
      "links": [
        {
          "url": "https://github.com/advisories/GHSA-hxrm-9w7p-39cc"
        }
      ],
      "details": {
        "introduced_by_package": {
          "type": "text",
          "name": "Introduced by Package",
          "value": "BoloServices.jobframework:"
        },
        "shortest_path": {
          "type": "list",
          "name": "Shortest Path",
          "items": [
            {
              "type": "text",
              "value": "BoloServices.jobframework:"
            }
          ]
        },
        "vulnerable_package": {
          "type": "text",
          "name": "Vulnerable Package",
          "value": "Microsoft.AspNetCore.Http:2.1.1"
        }
      }
    }
  ]
}
```
gl-license-scanning-report.json

```json
{
  "version": "2.1",
  "licenses": [
    {
      "id": "Apache-2.0",
      "name": "Apache License 2.0",
      "url": "https://opensource.org/licenses/Apache-2.0"
    }
  ],
  "dependencies": [
    {
      "name": "AWS.Logger.AspNetCore",
      "version": "2.1.1",
      "package_manager": "nuget",
      "path": "Bolo.JobEngine.sln",
      "licenses": [
        "https://aws.amazon.com/apache-2-0/"
      ]
    },
    {
      "name": "AWS.Logger.Core",
      "version": "1.5.1",
      "package_manager": "nuget",
      "path": "Bolo.JobEngine.sln",
      "licenses": [
        "https://aws.amazon.com/apache-2-0/"
      ]
    }
  ]
}
```
- Trigger a new pipeline on the default branch
- Request http://<HOST>/<PROJECT_FULL_PATH>/-/dependencies.json. The following error will be triggered:

```text
NoMethodError at /root/test-dependency/-/dependencies.json
undefined method `fetch' for nil:NilClass
next ancestor unless ancestor.fetch(:iid, false) # `block (2 levels) in augment_ancestors!': undefined method `fetch' for nil:NilClass
```

- With the fix, we should not see the NoMethodError.
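As an added illustration (not code from this MR and not GitLab's implementation of `augment_ancestors!`), the Ruby script below mirrors the lookup the trace above points at. It uses a constructed, trimmed copy of the report from the reproduction steps, in which the `dependency_path` of iid 13 references ancestor iid 52 even though no dependency with that iid exists. `resolve_ancestors_unsafe` reproduces the `nil.fetch` NoMethodError; `resolve_ancestors` is an assumed hardening (skip and record unresolvable ancestors) and is not necessarily the approach this MR takes. All function names are assumptions.

```ruby
require 'json'

# Constructed sample report (trimmed from the MR's reproduction data).
# Ancestor iid 52 is referenced from dependency_path but never defined.
REPORT_JSON = <<~JSON
  {
    "dependency_files": [
      {
        "path": "packages.lock.json",
        "package_manager": "nuget",
        "dependencies": [
          { "iid": 13,
            "dependency_path": [ {"iid": 52}, {"iid": 67}, {"iid": 11} ],
            "package": {"name": "Microsoft.AspNetCore.Http"}, "version": "2.1.1" },
          { "iid": 11, "package": {"name": "NLog.Web.AspNetCore"}, "version": "4.9.0" },
          { "iid": 67, "package": {"name": "RSA.seahorse.Logging"}, "version": "1.0.16" }
        ]
      }
    ]
  }
JSON

# Build a lookup table iid => dependency for one dependency file.
def index_by_iid(dependency_file)
  dependency_file.fetch('dependencies').each_with_object({}) do |dep, index|
    index[dep['iid']] = dep if dep.key?('iid')
  end
end

# Resolve each dependency's dependency_path into ancestor entries.
# Reproduces the failure: the index lookup yields nil for an unknown iid,
# and calling fetch on nil raises NoMethodError, as in the trace above.
def resolve_ancestors_unsafe(dependency_file)
  index = index_by_iid(dependency_file)
  dependency_file.fetch('dependencies').map do |dep|
    ancestors = (dep['dependency_path'] || []).map do |ref|
      ancestor = index[ref['iid']]
      next ancestor unless ancestor.fetch('iid', false) # raises on nil
      ancestor
    end
    [dep['iid'], ancestors]
  end.to_h
end

# Assumed hardening: drop ancestor references that do not resolve and
# return the list of dangling iids so the caller can log them.
def resolve_ancestors(dependency_file)
  index = index_by_iid(dependency_file)
  missing = []
  resolved = dependency_file.fetch('dependencies').map do |dep|
    ancestors = (dep['dependency_path'] || []).filter_map do |ref|
      ancestor = index[ref['iid']]
      missing << ref['iid'] if ancestor.nil?
      ancestor
    end
    [dep['iid'], ancestors]
  end.to_h
  [resolved, missing.uniq]
end

if __FILE__ == $PROGRAM_NAME
  file = JSON.parse(REPORT_JSON)['dependency_files'][0]
  begin
    resolve_ancestors_unsafe(file)
  rescue NoMethodError => e
    puts "unsafe resolver: #{e.class}: #{e.message}"
  end
  resolved, missing = resolve_ancestors(file)
  puts "dangling ancestor iids: #{missing.inspect}"
  puts "ancestors of iid 13: #{resolved[13].map { |a| a['package']['name'] }.inspect}"
end
```

Running the script shows the unsafe resolver failing with `undefined method 'fetch' for nil`, while the hardened resolver returns the two resolvable ancestors of iid 13 and reports iid 52 as dangling, which is the data condition the reproduction steps trigger.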
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #414559 (closed)
Edited by Bala Kumar