Merge branch 'sh-handle-bad-dependency-scanner-input' into 'master'

Gracefully handle bad dependency scanner input See merge request gitlab-org/gitlab!76597

Merge branch 'sh-handle-bad-dependency-scanner-input' into 'master'
Gracefully handle bad dependency scanner input See merge request gitlab-org/gitlab!76597
a4e12991 · Tetiana Chupryna · a72befda · fc91a09e · a4e12991 · a4e12991
Commit a4e12991 authored Dec 10, 2021 by Tetiana Chupryna
2 changed files
--- a/ee/lib/gitlab/ci/parsers/security/dependency_list.rb
+++ b/ee/lib/gitlab/ci/parsers/security/dependency_list.rb
@@ -19,7 +19,11 @@ module Gitlab

          def parse_dependency_names(report_data, report)
            report_data.fetch('dependency_files', []).each do |file|
-              file['dependencies'].each do |dependency|
+              dependencies = file['dependencies']
+
+              next unless dependencies.is_a?(Array)
+
+              dependencies.each do |dependency|
                report.add_dependency(formatter.format(dependency, file['package_manager'], file['path']))
              end
            end

--- a/ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb
@@ -11,12 +11,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
  let_it_be(:pipeline) { create :ee_ci_pipeline, :with_dependency_list_report }

  describe '#parse!' do
-    before do
-      artifact.each_blob do |blob|
-        parser.parse!(blob, report)
-      end
-    end
-
    context 'with dependency_list artifact' do
      let(:artifact) { pipeline.job_artifacts.last }

@@ -56,6 +50,12 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do

      let(:artifact) { pipeline.job_artifacts.last }

+      before do
+        artifact.each_blob do |blob|
+          parser.parse!(blob, report)
+        end
+      end
+
      it 'does not causes N+1 query' do
        control_count = ActiveRecord::QueryRecorder.new do
          artifact.each_blob do |blob|
@@ -96,6 +96,45 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
        end
      end
    end
+
+    context 'with null dependencies' do
+      let(:json_data) do
+        <<~JSON
+        {
+          "version": "3.0.0",
+          "vulnerabilities": [],
+          "remediations": [],
+          "dependency_files": [
+            {
+              "path": "package-lock.json",
+              "package_manager": "npm",
+              "dependencies": null
+            }
+          ],
+          "scan": {
+            "scanner": {
+              "id": "",
+              "name": "",
+              "vendor": {
+                "name": ""
+              },
+              "version": ""
+            },
+            "type": "",
+            "start_time": "2021-12-10T15:32:33",
+            "end_time": "2021-12-10T15:32:54",
+            "status": "success"
+          }
+        }
+        JSON
+      end
+
+      it 'ignores null dependencies' do
+        parser.parse!(json_data, report)
+
+        expect(report.dependencies.size).to eq(0)
+      end
+    end
  end

  describe '#parse_licenses!' do