Gemnasium generates invalid reports for Nuget dependencies with no resolved versions
### Summary
The Gemnasium analyzer generates invalid Dependency Scanning (DS) reports when processing Nuget `packages.lock.json` files with `Project` dependencies that don't have a `resolved` version. That's because the DS report format requires a `version`.
### Steps to reproduce
Running a security scan on a clone of this project will show the failure in the Pipeline → Security tab.
https://gitlab.com/gitlab-gold/duncan/gitlabdepscanrepro/-/pipelines/810354701/security
### Example Project
https://gitlab.com/gitlab-gold/duncan/gitlabdepscanrepro/
https://gitlab.com/gitlab-gold/duncan/gitlabdepscanrepro/-/blob/a886904190472f3ba9e226d09587d16990f81df9/packages.lock.json#L12
```json
{
  "version": 1,
  "dependencies": {
    ".NETFramework,Version=v4.6.2": {
      "Newtonsoft.Json": {
        "type": "Direct",
        "requested": "[13.0.3, )",
        "resolved": "13.0.3",
        "contentHash": "HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ=="
      },
      "aclasslibrary": {
        "type": "Project"
      }
    },
    ".NETFramework,Version=v4.6.2/win": {},
    ".NETFramework,Version=v4.6.2/win-x64": {},
    ".NETFramework,Version=v4.6.2/win-x86": {}
  }
}
```
### What is the current *bug* behavior?
The parser will report an error processing the report because `[Schema] property '/dependency_files/0/dependencies/1' is missing required keys: version`
### What is the expected *correct* behavior?
The `packages.lock.json` file doesn't have a `version` for dependencies of type `Project`. The report should not fail with a parse error when the `version` field is missing.
### Relevant logs and/or screenshots

```
Error parsing security reports
The following security reports contain one or more vulnerability findings that could not be parsed and were not recorded. To investigate a report, download the artifacts in the job output. Ensure the security report conforms to the relevant
•[Schema] property '/dependency_files/0/dependencies/1' is missing required keys: version
```
Customer reported this issue in a [Confidential Support ticket](https://gitlab.zendesk.com/agent/tickets/386021)
### Output of checks
`GitLab Enterprise Edition 15.10.0-pre ef5c8d18a7b`
### Workarounds
Alter the Dependency Scanning report before it's uploaded by the `gemnasium-dependency_scanning` CI job, and remove `.dependency_files[].dependencies` objects whose `version` is empty. This can be implemented using `jq` and run in the `after_script` of the CI job.
### Possible fixes
- Remove `omitempty` from `json` field options for [`Dependency.Version`](https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/91a79a76d52c52f3775f65e097167341f250932c/vulnerability.go#L308).
- Skip `Project` dependencies when parsing Nuget lock files. See [nuget.go](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/2bebdcc0e383d71ac00678ea88e91a9a19f0f6ff/scanner/parser/nuget/nuget.go#L116).
- Skip `Project` dependencies that don't have `resolved` version.
- Update the report schema to allow empty `version` fields in `dependency_files[].dependencies[]`.
- Output a non-empty `version` when the version is unknown, to make the report valid.
### Proposal
Remove `omitempty` from the `json` field options for `Dependency.Version`, so that the `.dependency_files[].dependencies[].version` field of the report (output) is an empty string when the `resolved` field of the lock file (input) is empty or does not exist.
The JSON schema accepts empty strings: https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/3b3b76e83722a97181f52f473a80f2f5713591e6/dist/dependency-scanning-report-format.json#L999
### Implementation plan
- [ ] Update `report` project.
  - Remove `omitempty` from `json` field options for [`Dependency.Version`](https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/91a79a76d52c52f3775f65e097167341f250932c/vulnerability.go#L308).
  - Update the corresponding [unit tests](https://gitlab.com/gitlab-org/security-products/analyzers/report/-/blob/91a79a76d52c52f3775f65e097167341f250932c/report_test.go#L179).
  - Release new version.
- [ ] Update Gemnasium
  - Upgrade `report` module.
  - Optional: Add integration test.
  - Release new version.
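
The effect described in the Proposal can be reproduced in a few lines of Go. This is an added example, not code from the `report` or Gemnasium projects: `depOmit`, `depKeep` and `MissingVersion` are hypothetical, simplified stand-ins for the report's dependency entry, and the lock file is a trimmed copy of the one in this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed input: the issue's lock file, trimmed to one target framework.
const lockFile = `{"version": 1, "dependencies": {".NETFramework,Version=v4.6.2": {
  "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"}, "aclasslibrary": {"type": "Project"}}}}`
// Hypothetical, simplified stand-ins for the report's dependency entry.
type depOmit struct { // current tag: an empty version drops the key
	Package map[string]string `json:"package"`
	Version string            `json:"version,omitempty"`
}
type depKeep struct { // proposed tag: an empty version is written as ""
	Package map[string]string `json:"package"`
	Version string            `json:"version"`
}

// MissingVersion returns, sorted, the dependencies whose encoded entry lacks "version".
func MissingVersion(lockJSON string, omitEmpty bool) ([]string, error) {
	var lf struct{ Dependencies map[string]map[string]struct{ Resolved string } }
	if err := json.Unmarshal([]byte(lockJSON), &lf); err != nil {
		return nil, err
	}
	missing := []string{}
	for _, deps := range lf.Dependencies {
		for name, d := range deps {
			pkg := map[string]string{"name": name}
			var entry interface{} = depKeep{pkg, d.Resolved}
			if omitEmpty {
				entry = depOmit{pkg, d.Resolved}
			}
			raw, _ := json.Marshal(entry) // cannot fail: only strings and a string map
			var keys map[string]json.RawMessage
			if json.Unmarshal(raw, &keys) != nil || keys["version"] == nil {
				missing = append(missing, name)
			}
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	fmt.Println(MissingVersion(lockFile, true))
	fmt.Println(MissingVersion(lockFile, false))
}
```

With `omitempty` the `Project` dependency is the only entry reported as missing `version`; without it every entry carries the key, with `""` for the unresolved one.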