Commit ce01c085 authored by Fabien Catteau's avatar Fabien Catteau Committed by Tetiana Chupryna

Fix packager reported by Gemnasium for Gradle and Pipenv projects

parent 7aca0b8a
......@@ -34,7 +34,7 @@ GET /projects/:id/dependencies?package_manager=yarn,bundler
| Attribute | Type | Required | Description |
| ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding). |
| `package_manager` | string array | no | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `maven`, `npm`, `nuget`, `pip`, `yarn`, or `sbt`. |
| `package_manager` | string array | no | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `gradle`, `maven`, `npm`, `nuget`, `pip`, `pipenv`, `yarn`, `sbt`, or `setuptools`. |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/dependencies"
......
......@@ -4,14 +4,14 @@ module Security
class DependencyListService
SORT_BY_VALUES = %w(name packager severity).freeze
SORT_VALUES = %w(asc desc).freeze
FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt).freeze
FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt gradle pipenv setuptools).freeze
FILTER_VALUES = %w(all vulnerable).freeze
# @param pipeline [Ci::Pipeline]
# @param [Hash] params to sort and filter dependencies
# @option params ['asc', 'desc'] :sort ('asc') Order
# @option params ['name', 'packager', 'severity'] :sort_by ('name') Field to sort
# @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip'] :package_manager ('bundler') Field to filter
# @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip', 'conan', 'go', 'nuget', 'sbt', 'gradle', 'pipenv', 'setuptools'] :package_manager ('bundler') Field to filter
# @option params ['all', 'vulnerable'] :filter ('all') Field to filter
def initialize(pipeline:, params: {})
@pipeline = pipeline
......@@ -37,8 +37,15 @@ module Security
def filter_by_package_manager(collection)
return collection unless params[:package_manager]
# ensure that package_manager is an Array
# otherwise #include? is true when dependency[:package_manager]
# begins with params[:package_manager] (String),
# even if the requested package manager isn't a match
package_managers = params[:package_manager]
package_managers = [package_managers] unless params[:package_manager].is_a?(Array)
collection.select do |dependency|
params[:package_manager].include?(dependency[:package_manager])
package_managers.include?(dependency[:package_manager])
end
end
......
......@@ -54,6 +54,12 @@ module Gitlab
'C# (Nuget)'
when 'go'
'Go (Go modules)'
when 'gradle'
'Java (Gradle)'
when 'pipenv'
'Python (Pipenv)'
when 'setuptools'
'Python (Setuptools)'
else
package_manager
end
......
......@@ -92,17 +92,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
using RSpec::Parameterized::TableSyntax
where(:packager, :expected) do
'bundler' | 'Ruby (Bundler)'
'yarn' | 'JavaScript (Yarn)'
'npm' | 'JavaScript (npm)'
'pip' | 'Python (pip)'
'maven' | 'Java (Maven)'
'composer' | 'PHP (Composer)'
'conan' | 'C/C++ (Conan)'
'sbt' | 'Scala (Sbt)'
'nuget' | 'C# (Nuget)'
'go' | 'Go (Go modules)'
'' | ''
'bundler' | 'Ruby (Bundler)'
'yarn' | 'JavaScript (Yarn)'
'npm' | 'JavaScript (npm)'
'pip' | 'Python (pip)'
'maven' | 'Java (Maven)'
'composer' | 'PHP (Composer)'
'conan' | 'C/C++ (Conan)'
'sbt' | 'Scala (Sbt)'
'nuget' | 'C# (Nuget)'
'go' | 'Go (Go modules)'
'gradle' | 'Java (Gradle)'
'pipenv' | 'Python (Pipenv)'
'setuptools' | 'Python (Setuptools)'
'' | ''
end
with_them do
......
......@@ -38,8 +38,6 @@ RSpec.describe Security::DependencyListService do
context 'with params' do
context 'filtered by package_managers' do
using RSpec::Parameterized::TableSyntax
before do
dependencies = described_class::FILTER_PACKAGE_MANAGERS_VALUES.map do |package_manager|
build(:dependency, package_manager: package_manager)
......@@ -61,6 +59,14 @@ RSpec.describe Security::DependencyListService do
end
end
context 'with all package managers' do
let(:params) { { package_manager: described_class::FILTER_PACKAGE_MANAGERS_VALUES } }
it 'returns all items' do
expect(subject.size).to eq(described_class::FILTER_PACKAGE_MANAGERS_VALUES.size)
end
end
context 'with invalid package manager' do
let(:params) { { package_manager: 'package_manager' } }
......
......@@ -74,6 +74,9 @@ gemnasium-maven-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
# Stop reporting Gradle as "maven".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
......@@ -97,6 +100,9 @@ gemnasium-python-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment