<!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "type::bug" label: - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=regression - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=type::bug and verify the issue you're about to submit isn't a duplicate. ---> ### Summary <!-- Summarize the bug encountered concisely. --> After running Dependency scanning in a Javascript project with [local dependencies](https://docs.npmjs.com/cli/v7/configuring-npm/package-json#local-paths) defined in the `package-lock.json`, a report validation error appears in the security tab of the relevant pipeline: ```plaintext [Schema] property '/dependency_files/0/dependencies/0' is missing required keys: version. ``` This occurs with schema model 15 but the error does not appear in schema model 14. This is due to the fact that schema versions `15.x.x` [require](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v15.0.0/dist/dependency-scanning-report-format.json#L891) a `version` e.g `1.0.0` to be specified for dependencies in the `package-lock.json` file, which will be subsequently be included in the `gl-dependency-scan-report.json` artifact. This field [was not explicitly required](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/v14.0.4/dist/dependency-scanning-report-format.json#L917) in schema version `14.x.x` This was brought up in a [Zendesk Ticket - internal only](https://gitlab.zendesk.com/agent/tickets/375730) ### Steps to reproduce <!-- Describe how one can reproduce the issue - this is very important. Please use an ordered list. --> 1. Create a folder locally with a `package.json` file. 2. In the `package.json` file, define a dependency in this format: ```plaintext "dependencies": { "mycoolmod": "file:../foo/bar" } ``` 3. Generate the `package-lock.json` e.g by running `npm install` in the directory where the `package.json` file is located 4. Push the folder to GitLab and [configure Dependency scanning](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuration) 5. Once the pipeline is complete, check the security tab. You will find a report validation error. ### Example Project <!-- If possible, please create an example project here on GitLab.com that exhibits the problematic behavior, and link to it here in the bug report. If you are using an older version of GitLab, this will also determine whether the bug is fixed in a more recent version. --> https://gitlab.com/gitlab-gold/cmutua-security-group/dependency-scanning-tests/local-dependency-nodejs-failure-1/-/pipelines/794771133/security ### What is the current _bug_ behavior? <!-- Describe what actually happens. --> The Security tab shows a report validation error and thus such dependencies are not included in the pipeline security report and the project vulnerability report as well. ### What is the expected _correct_ behavior? <!-- Describe what you should see instead. --> Local dependencies without a version number should be handled correctly by gemnasium to avoid report validation errors. ### Relevant logs and/or screenshots <!-- Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's tough to read otherwise. --> Error in the UI:  The `gl-dependency-scanning-report.json` has the entry for such dependencies as: ```plaintext "dependency_files": [ { "path": "package-lock.json", "package_manager": "npm", "dependencies": [ { "package": { "name": "mycoolmod" } }, .... ``` An entry that has a version should look like this: ```plaintext "dependency_files": [ { "path": "package-lock.json", "package_manager": "npm", "dependencies": [ { "package": { "name": "mycoolmod" }, "version": "1.1.2" }, .... ``` ### Output of checks <!-- If you are reporting a bug on GitLab.com, uncomment below --> <!-- This bug happens on GitLab.com --> <!-- /label ~"reproduced on GitLab.com" --> #### Results of GitLab environment info <!-- Input any relevant GitLab environment information if needed. --> <details> <summary>Expand for output related to GitLab environment info</summary> <pre>(For installations with omnibus-gitlab package run and paste the output of: \`sudo gitlab-rake gitlab:env:info\`) (For installations from source run and paste the output of: \`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production\`)</pre> </details> #### Results of GitLab application Check <!-- Input any relevant GitLab application check information if needed. --> <details> <summary>Expand for output related to the GitLab application check</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing) </pre> </details> ### Workarounds #### Revert to v14 Use the `DS_SCHEMA_VERSION` CI/CD variable to pin to an earlier version of the schema that is used for report validation. ```plaintext gemnasium-dependency_scanning: variables: DS_SCHEMA_MODEL: 14 ``` **Please note that this is a temporary work around because** [**schemas version 14.x.x will be deprecated**](https://docs.gitlab.com/ee/update/deprecations#security-report-schemas-version-14xx) **in GitLab Version 16.** #### Remove dependencies from report Add an `after_script` to the `gemnasium-dependency_scanning` job to remove dependencies that don't have a version from `dependency_files`. This can be implemented using `jq` for instance. ### Possible fixes - Change the report format to allow unknown versions. - **Omit dependencies** that don't have a version, to have a valid report. https://gitlab.com/gitlab-org/gitlab/-/issues/393849#note_1376533316 - Update the `gemnasium` parser to use a dummy version for local dependencies, such as `local`. ### Proposal Omit dependencies that don't have a version, to have a valid report. https://gitlab.com/gitlab-org/gitlab/-/issues/393849#note_1376533316 See https://gitlab.com/gitlab-org/gitlab/-/issues/393849#note_1303327841 <!-- If you can, link to the line of code that might be responsible for the problem. --> ### Implementation Plan * [x] Update the `FileConverter.DependencyFile` function to exclude any dependencies with a missing version.