Fix report comparison for DS w/o dependency_path

Adam Cohen requested to merge fix-broken-compare-reports-script into master

What does this MR do?

This MR adds a fix for the issue reported here that was introduced by Update compare script to work with empty dependency_path values:

The compare_reports.sh script was exiting with an error when a dependency scanning report without a dependency_path key was being compared, for example:

  "dependency_files": [
    {
      "path": "api/build.gradle",
      "package_manager": "maven",
      "dependencies": [
        {
          "package": {
            "name": "asm/asm"
          },
          "version": "3.3"
        },
        {
          "package": {
            "name": "asm/asm-commons"
          },
          "version": "3.3"
        },

Meanwhile, it would function properly if the dependency_path key was present:

  "dependency_files": [
    {
      "path": "src/web.api/packages.lock.json",
      "package_manager": "nuget",
      "dependencies": [
        {
          "iid": 12,
          "dependency_path": [
            {
              "iid": 27
            }
          ],
          "package": {
            "name": "Antlr3.Runtime"
          },
          "version": "3.5.1"
        },
        {
          "iid": 35,
          "dependency_path": [
            {
              "iid": 27
            }
          ],
          "package": {
            "name": "Iesi.Collections"
          },
          "version": "4.0.4"
        }

The fix is to only modify the dependency_path value if an iid field is present.

What are the relevant issue numbers?

gitlab-org/gitlab#229840 (closed)

Does this MR meet the acceptance criteria?

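An added illustration of the guard described in this MR, written in Python rather than the script's own shell and not taken from compare_reports.sh. It assumes the modification replaces run-specific iid references with name@version labels; that rewrite, the `normalize` function and the `Example.Parent` package are hypothetical, and the sample reports are constructed from the excerpts above.

```python
import copy

# Constructed sample shaped like the page's Gradle excerpt: no iid, no dependency_path.
GRADLE = {"dependency_files": [{
    "path": "api/build.gradle", "package_manager": "maven",
    "dependencies": [
        {"package": {"name": "asm/asm"}, "version": "3.3"},
        {"package": {"name": "asm/asm-commons"}, "version": "3.3"},
    ]}]}

def nuget_report(parent_iid, child_iid):
    """Constructed NuGet-style report; Example.Parent is a made-up package."""
    return {"dependency_files": [{
        "path": "src/web.api/packages.lock.json", "package_manager": "nuget",
        "dependencies": [
            {"iid": parent_iid, "dependency_path": [],
             "package": {"name": "Example.Parent"}, "version": "1.0.0"},
            {"iid": child_iid, "dependency_path": [{"iid": parent_iid}],
             "package": {"name": "Antlr3.Runtime"}, "version": "3.5.1"},
        ]}]}

def normalize(report, require_iid=True):
    """Return a copy with run-specific iids replaced by name@version labels.

    require_iid=True applies the guard the MR describes; False reproduces the
    unguarded access that fails on reports without dependency_path.
    """
    out = copy.deepcopy(report)
    for dep_file in out.get("dependency_files", []):
        deps = dep_file.get("dependencies", [])
        # Map each iid in this file to a stable label (assumed normalization).
        labels = {d["iid"]: f'{d["package"]["name"]}@{d["version"]}'
                  for d in deps if "iid" in d}
        for dep in deps:
            if require_iid and "iid" not in dep:
                continue  # nothing to rewrite; leave the entry untouched
            dep["dependency_path"] = [labels.get(ref["iid"], f'iid:{ref["iid"]}')
                                      for ref in dep["dependency_path"]]
            dep.pop("iid", None)
    return out

if __name__ == "__main__":
    assert normalize(GRADLE) == GRADLE
    assert normalize(nuget_report(27, 12)) == normalize(nuget_report(3, 4))
    try:
        normalize(GRADLE, require_iid=False)
    except KeyError as exc:
        print("unguarded normalization fails on missing key:", exc)
```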