Skip to content

G
gitlab-ce
Commit ce01c085 authored by Fabien Catteau's avatar Fabien Catteau Committed by Tetiana Chupryna
Browse files
Options

Fix packager reported by Gemnasium for Gradle and Pipenv projects

parent 7aca0b8a
Show whitespace changes
Inline Side-by-side
Showing with 45 additions and 17 deletions
doc/api/dependencies.md
View file @ ce01c085
......@@ -34,7 +34,7 @@ GET /projects/:id/dependencies?package_manager=yarn,bundler
| Attribute | Type | Required | Description |
| ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding). |
| `package_manager` | string array | no | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `maven`, `npm`, `nuget`, `pip`, `yarn`, or `sbt`. |
| `package_manager` | string array | no | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `gradle`, `maven`, `npm`, `nuget`, `pip`, `pipenv`, `yarn`, `sbt`, or `setuptools`. |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/dependencies"
......
ee/app/services/security/dependency_list_service.rb
View file @ ce01c085
......@@ -4,14 +4,14 @@ module Security
class DependencyListService
SORT_BY_VALUES = %w(name packager severity).freeze
SORT_VALUES = %w(asc desc).freeze
FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt).freeze
FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt gradle pipenv setuptools).freeze
FILTER_VALUES = %w(all vulnerable).freeze
# @param pipeline [Ci::Pipeline]
# @param [Hash] params to sort and filter dependencies
# @option params ['asc', 'desc'] :sort ('asc') Order
# @option params ['name', 'packager', 'severity'] :sort_by ('name') Field to sort
# @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip'] :package_manager ('bundler') Field to filter
# @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip', 'conan', 'go', 'nuget', 'sbt', 'gradle', 'pipenv', 'setuptools'] :package_manager ('bundler') Field to filter
# @option params ['all', 'vulnerable'] :filter ('all') Field to filter
def initialize(pipeline:, params: {})
@pipeline = pipeline
......@@ -37,8 +37,15 @@ module Security
def filter_by_package_manager(collection)
return collection unless params[:package_manager]
# ensure that package_manager is an Array
# otherwise #include? is true when dependency[:package_manager]
# begins with params[:package_manager] (String),
# even if the requested package manager isn't a match
package_managers = params[:package_manager]
package_managers = [package_managers] unless params[:package_manager].is_a?(Array)
collection.select do |dependency|
params[:package_manager].include?(dependency[:package_manager])
package_managers.include?(dependency[:package_manager])
end
end
......
ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
View file @ ce01c085
......@@ -54,6 +54,12 @@ module Gitlab
'C# (Nuget)'
when 'go'
'Go (Go modules)'
when 'gradle'
'Java (Gradle)'
when 'pipenv'
'Python (Pipenv)'
when 'setuptools'
'Python (Setuptools)'
else
package_manager
end
......
ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
View file @ ce01c085
......@@ -102,6 +102,9 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
'sbt' | 'Scala (Sbt)'
'nuget' | 'C# (Nuget)'
'go' | 'Go (Go modules)'
'gradle' | 'Java (Gradle)'
'pipenv' | 'Python (Pipenv)'
'setuptools' | 'Python (Setuptools)'
'' | ''
end
......
ee/spec/services/security/dependency_list_service_spec.rb
View file @ ce01c085
......@@ -38,8 +38,6 @@ RSpec.describe Security::DependencyListService do
context 'with params' do
context 'filtered by package_managers' do
using RSpec::Parameterized::TableSyntax
before do
dependencies = described_class::FILTER_PACKAGE_MANAGERS_VALUES.map do |package_manager|
build(:dependency, package_manager: package_manager)
......@@ -61,6 +59,14 @@ RSpec.describe Security::DependencyListService do
end
end
context 'with all package managers' do
let(:params) { { package_manager: described_class::FILTER_PACKAGE_MANAGERS_VALUES } }
it 'returns all items' do
expect(subject.size).to eq(described_class::FILTER_PACKAGE_MANAGERS_VALUES.size)
end
end
context 'with invalid package manager' do
let(:params) { { package_manager: 'package_manager' } }
......
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
View file @ ce01c085
......@@ -74,6 +74,9 @@ gemnasium-maven-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
# Stop reporting Gradle as "maven".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
......@@ -97,6 +100,9 @@ gemnasium-python-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7