nexedi / gitlab-ce / Commits / ce01c085
Commit ce01c085 authored Nov 11, 2021 by Fabien Catteau, committed by Tetiana Chupryna Nov 11, 2021
Fix packager reported by Gemnasium for Gradle and Pipenv projects
parent 7aca0b8a
Changes: 6 changed files with 45 additions and 17 deletions (+45 -17)
doc/api/dependencies.md (+1 -1)
ee/app/services/security/dependency_list_service.rb (+10 -3)
ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb (+6 -0)
ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb (+14 -11)
ee/spec/services/security/dependency_list_service_spec.rb (+8 -2)
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml (+6 -0)
doc/api/dependencies.md
...
...
@@ -34,7 +34,7 @@ GET /projects/:id/dependencies?package_manager=yarn,bundler
| Attribute | Type | Required | Description |
| ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
`id`
| integer/string | yes | The ID or
[
URL-encoded path of the project
](
index.md#namespaced-path-encoding
)
. |
|
`package_manager`
| string array | no | Returns dependencies belonging to specified package manager. Valid values:
`bundler`
,
`composer`
,
`conan`
,
`go`
,
`
maven`
,
`npm`
,
`nuget`
,
`pip`
,
`yarn`
, or
`sbt`
.
|
|
`package_manager`
| string array | no | Returns dependencies belonging to specified package manager. Valid values:
`bundler`
,
`composer`
,
`conan`
,
`go`
,
`
gradle`
,
`maven`
,
`npm`
,
`nuget`
,
`pip`
,
`pipenv`
,
`yarn`
,
`sbt`
, or
`setuptools`
.
|
```
shell
curl
--header
"PRIVATE-TOKEN: <your_access_token>"
"https://gitlab.example.com/api/v4/projects/4/dependencies"
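Review bot: the description in the changed `package_manager` row still says "specified package manager" although the type is a string array and the request above passes `package_manager=yarn,bundler`; reword it to "one or more of the specified package managers". The row should also state that `gradle`, `pipenv` and `setuptools` are only reported when the scanning jobs set `DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA` / `DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON` to "false", as the template change in this commit does; otherwise those projects keep showing up under `maven` or `pip`.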
...
...
ee/app/services/security/dependency_list_service.rb
...
...
@@ -4,14 +4,14 @@ module Security
class
DependencyListService
SORT_BY_VALUES
=
%w(name packager severity)
.
freeze
SORT_VALUES
=
%w(asc desc)
.
freeze
FILTER_PACKAGE_MANAGERS_VALUES
=
%w(bundler yarn npm maven composer pip conan go nuget sbt)
.
freeze
FILTER_PACKAGE_MANAGERS_VALUES
=
%w(bundler yarn npm maven composer pip conan go nuget sbt
gradle pipenv setuptools
)
.
freeze
FILTER_VALUES
=
%w(all vulnerable)
.
freeze
# @param pipeline [Ci::Pipeline]
# @param [Hash] params to sort and filter dependencies
# @option params ['asc', 'desc'] :sort ('asc') Order
# @option params ['name', 'packager', 'severity'] :sort_by ('name') Field to sort
# @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip'] :package_manager ('bundler') Field to filter
# @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip'
, 'conan', 'go', 'nuget', 'sbt', 'gradle', 'pipenv', 'setuptools'
] :package_manager ('bundler') Field to filter
# @option params ['all', 'vulnerable'] :filter ('all') Field to filter
def
initialize
(
pipeline
:,
params:
{})
@pipeline
=
pipeline
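Review bot: the YARD default `('bundler')` on the `:package_manager` option is wrong: `filter_by_package_manager` returns the whole collection when `params[:package_manager]` is absent, so there is no default filter. Drop the default, and consider pointing the comment at `FILTER_PACKAGE_MANAGERS_VALUES` instead of repeating all thirteen values by hand, since the hand-written list will drift the next time a packager is added.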
...
...
@@ -37,8 +37,15 @@ module Security
def
filter_by_package_manager
(
collection
)
return
collection
unless
params
[
:package_manager
]
# ensure that package_manager is an Array
# otherwise #include? is true when dependency[:package_manager]
# begins with params[:package_manager] (String),
# even if the requested package manager isn't a match
package_managers
=
params
[
:package_manager
]
package_managers
=
[
package_managers
]
unless
params
[
:package_manager
].
is_a?
(
Array
)
collection
.
select
do
|
dependency
|
pa
rams
[
:package_manager
]
.
include?
(
dependency
[
:package_manager
])
pa
ckage_managers
.
include?
(
dependency
[
:package_manager
])
end
end
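Review bot: the wrapping in `package_managers = [package_managers] unless params[:package_manager].is_a?(Array)` can be written as `package_managers = Array(params[:package_manager])`, which handles the String and Array cases in one line; the nil case is already covered by the early `return`. The comment is worth keeping as is: with the old `String#include?` call a request for `pip` would also match dependencies whose packager is `pipenv`, which is exactly one of the values this commit introduces.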
...
...
ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
...
...
@@ -54,6 +54,12 @@ module Gitlab
'C# (Nuget)'
when
'go'
'Go (Go modules)'
when
'gradle'
'Java (Gradle)'
when
'pipenv'
'Python (Pipenv)'
when
'setuptools'
'Python (Setuptools)'
else
package_manager
end
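Review bot: the new display names capitalize the tool (`Python (Pipenv)`, `Python (Setuptools)`) while the existing `pip` case renders as `Python (pip)` (see the spec table); pick one convention or note that each tool's own spelling is used. Also keep in mind that the `else package_manager` fallback passes any unrecognized scanner value through unchanged, so nothing in this method guards against a report carrying an unexpected packager string.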
...
...
ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
...
...
@@ -92,17 +92,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:packager
,
:expected
)
do
'bundler'
|
'Ruby (Bundler)'
'yarn'
|
'JavaScript (Yarn)'
'npm'
|
'JavaScript (npm)'
'pip'
|
'Python (pip)'
'maven'
|
'Java (Maven)'
'composer'
|
'PHP (Composer)'
'conan'
|
'C/C++ (Conan)'
'sbt'
|
'Scala (Sbt)'
'nuget'
|
'C# (Nuget)'
'go'
|
'Go (Go modules)'
''
|
''
'bundler'
|
'Ruby (Bundler)'
'yarn'
|
'JavaScript (Yarn)'
'npm'
|
'JavaScript (npm)'
'pip'
|
'Python (pip)'
'maven'
|
'Java (Maven)'
'composer'
|
'PHP (Composer)'
'conan'
|
'C/C++ (Conan)'
'sbt'
|
'Scala (Sbt)'
'nuget'
|
'C# (Nuget)'
'go'
|
'Go (Go modules)'
'gradle'
|
'Java (Gradle)'
'pipenv'
|
'Python (Pipenv)'
'setuptools'
|
'Python (Setuptools)'
''
|
''
end
with_them
do
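Review bot: the table only covers the known values and the empty string; add a row such as `'unknown' | 'unknown'` to pin the `else package_manager` fallback branch, which none of the new rows exercise.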
...
...
ee/spec/services/security/dependency_list_service_spec.rb
...
...
@@ -38,8 +38,6 @@ RSpec.describe Security::DependencyListService do
context
'with params'
do
context
'filtered by package_managers'
do
using
RSpec
::
Parameterized
::
TableSyntax
before
do
dependencies
=
described_class
::
FILTER_PACKAGE_MANAGERS_VALUES
.
map
do
|
package_manager
|
build
(
:dependency
,
package_manager:
package_manager
)
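Review bot: the `before` block builds exactly one `:dependency` per entry of `FILTER_PACKAGE_MANAGERS_VALUES`, so every count-based expectation in this context is coupled to the constant's length; consider also asserting that each built dependency is returned when its own `package_manager` value is passed as the filter, which is the behaviour the service change is meant to guarantee.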
...
...
@@ -61,6 +59,14 @@ RSpec.describe Security::DependencyListService do
end
end
context
'with all package managers'
do
let
(
:params
)
{
{
package_manager:
described_class
::
FILTER_PACKAGE_MANAGERS_VALUES
}
}
it
'returns all items'
do
expect
(
subject
.
size
).
to
eq
(
described_class
::
FILTER_PACKAGE_MANAGERS_VALUES
.
size
)
end
end
context
'with invalid package manager'
do
let
(
:params
)
{
{
package_manager:
'package_manager'
}
}
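Review bot: the new 'with invalid package manager' context passes a plain String, which does exercise the Array-wrapping branch, but the regression the service comment describes is a valid String that is a prefix of another value; add a context with `package_manager: 'pip'` asserting that only the `pip` dependency is returned and the `pipenv` one is not, since the `before` block builds one dependency per `FILTER_PACKAGE_MANAGERS_VALUES` entry and both values are now present.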
...
...
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
...
...
@@ -74,6 +74,9 @@ gemnasium-maven-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
# Stop reporting Gradle as "maven".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA
:
"
false"
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
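Review bot: setting `DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"` changes what Gradle projects report, so any consumer filtering `GET /projects/:id/dependencies` with `package_manager=maven` stops seeing Gradle dependencies once this template update ships; say so in the comment, or call it out in the API documentation touched in this commit next to the new `gradle` value.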
...
...
@@ -97,6 +100,9 @@ gemnasium-python-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON
:
"
false"
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
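Review bot: the same remark as for the Maven job applies to `DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON`: consumers filtering on `pip` will stop seeing Pipenv and Setuptools dependencies. In addition, this comment names Pipenv and Setuptools, but the commit message only names Gradle and Pipenv, so the Setuptools change should be mentioned in the commit message as well.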
...
...