Commit ce01c085 authored by Fabien Catteau's avatar Fabien Catteau Committed by Tetiana Chupryna

Fix packager reported by Gemnasium for Gradle and Pipenv projects

parent 7aca0b8a
...@@ -34,7 +34,7 @@ GET /projects/:id/dependencies?package_manager=yarn,bundler ...@@ -34,7 +34,7 @@ GET /projects/:id/dependencies?package_manager=yarn,bundler
| Attribute | Type | Required | Description | | Attribute | Type | Required | Description |
| ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding). | | `id` | integer/string | yes | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding). |
| `package_manager` | string array | no | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `maven`, `npm`, `nuget`, `pip`, `yarn`, or `sbt`. | | `package_manager` | string array | no | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `gradle`, `maven`, `npm`, `nuget`, `pip`, `pipenv`, `yarn`, `sbt`, or `setuptools`. |
```shell ```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/dependencies" curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/dependencies"
......
...@@ -4,14 +4,14 @@ module Security ...@@ -4,14 +4,14 @@ module Security
class DependencyListService class DependencyListService
SORT_BY_VALUES = %w(name packager severity).freeze SORT_BY_VALUES = %w(name packager severity).freeze
SORT_VALUES = %w(asc desc).freeze SORT_VALUES = %w(asc desc).freeze
FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt).freeze FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt gradle pipenv setuptools).freeze
FILTER_VALUES = %w(all vulnerable).freeze FILTER_VALUES = %w(all vulnerable).freeze
# @param pipeline [Ci::Pipeline] # @param pipeline [Ci::Pipeline]
# @param [Hash] params to sort and filter dependencies # @param [Hash] params to sort and filter dependencies
# @option params ['asc', 'desc'] :sort ('asc') Order # @option params ['asc', 'desc'] :sort ('asc') Order
# @option params ['name', 'packager', 'severity'] :sort_by ('name') Field to sort # @option params ['name', 'packager', 'severity'] :sort_by ('name') Field to sort
# @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip'] :package_manager ('bundler') Field to filter # @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip', 'conan', 'go', 'nuget', 'sbt', 'gradle', 'pipenv', 'setuptools'] :package_manager ('bundler') Field to filter
# @option params ['all', 'vulnerable'] :filter ('all') Field to filter # @option params ['all', 'vulnerable'] :filter ('all') Field to filter
def initialize(pipeline:, params: {}) def initialize(pipeline:, params: {})
@pipeline = pipeline @pipeline = pipeline
...@@ -37,8 +37,15 @@ module Security ...@@ -37,8 +37,15 @@ module Security
def filter_by_package_manager(collection) def filter_by_package_manager(collection)
return collection unless params[:package_manager] return collection unless params[:package_manager]
# ensure that package_manager is an Array
# otherwise #include? is true when dependency[:package_manager]
# begins with params[:package_manager] (String),
# even if the requested package manager isn't a match
package_managers = params[:package_manager]
package_managers = [package_managers] unless params[:package_manager].is_a?(Array)
collection.select do |dependency| collection.select do |dependency|
params[:package_manager].include?(dependency[:package_manager]) package_managers.include?(dependency[:package_manager])
end end
end end
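Review bot: The normalisation on the two lines before the `select` reads `params[:package_manager]` a second time after it has already been copied into `package_managers`, and the wrap-in-Array idiom has a stdlib spelling: `package_managers = Array(params[:package_manager])` replaces both lines and keeps the String-vs-Array behaviour the comment describes (a String becomes a one-element array, an Array is returned as is), provided no caller passes a Hash here, which `Array()` would split into pairs. The four-line comment above it is worth keeping, since it records why a substring `String#include?` must never be reached; shortening it to `# Normalise to an Array so #include? is an element test, not String#include? (substring)` would say the same in one line.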
......
...@@ -54,6 +54,12 @@ module Gitlab ...@@ -54,6 +54,12 @@ module Gitlab
'C# (Nuget)' 'C# (Nuget)'
when 'go' when 'go'
'Go (Go modules)' 'Go (Go modules)'
when 'gradle'
'Java (Gradle)'
when 'pipenv'
'Python (Pipenv)'
when 'setuptools'
'Python (Setuptools)'
else else
package_manager package_manager
end end
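Review bot: The three new `when` branches hard-code the same packager identifiers that `Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES` (changed earlier in this commit) and the API documentation table enumerate, and nothing ties the lists together, so a packager added to the service constant but not here falls through to the `else` branch and is displayed as the raw report value. A comment above the `case`, e.g. `# Keep in sync with Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES`, would make that coupling visible to the next person extending either list. The enclosing method and the start of its `case` are outside the hunk.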
......
...@@ -92,17 +92,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do ...@@ -92,17 +92,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:packager, :expected) do where(:packager, :expected) do
'bundler' | 'Ruby (Bundler)' 'bundler' | 'Ruby (Bundler)'
'yarn' | 'JavaScript (Yarn)' 'yarn' | 'JavaScript (Yarn)'
'npm' | 'JavaScript (npm)' 'npm' | 'JavaScript (npm)'
'pip' | 'Python (pip)' 'pip' | 'Python (pip)'
'maven' | 'Java (Maven)' 'maven' | 'Java (Maven)'
'composer' | 'PHP (Composer)' 'composer' | 'PHP (Composer)'
'conan' | 'C/C++ (Conan)' 'conan' | 'C/C++ (Conan)'
'sbt' | 'Scala (Sbt)' 'sbt' | 'Scala (Sbt)'
'nuget' | 'C# (Nuget)' 'nuget' | 'C# (Nuget)'
'go' | 'Go (Go modules)' 'go' | 'Go (Go modules)'
'' | '' 'gradle' | 'Java (Gradle)'
'pipenv' | 'Python (Pipenv)'
'setuptools' | 'Python (Setuptools)'
'' | ''
end end
with_them do with_them do
......
...@@ -38,8 +38,6 @@ RSpec.describe Security::DependencyListService do ...@@ -38,8 +38,6 @@ RSpec.describe Security::DependencyListService do
context 'with params' do context 'with params' do
context 'filtered by package_managers' do context 'filtered by package_managers' do
using RSpec::Parameterized::TableSyntax
before do before do
dependencies = described_class::FILTER_PACKAGE_MANAGERS_VALUES.map do |package_manager| dependencies = described_class::FILTER_PACKAGE_MANAGERS_VALUES.map do |package_manager|
build(:dependency, package_manager: package_manager) build(:dependency, package_manager: package_manager)
...@@ -61,6 +59,14 @@ RSpec.describe Security::DependencyListService do ...@@ -61,6 +59,14 @@ RSpec.describe Security::DependencyListService do
end end
end end
context 'with all package managers' do
let(:params) { { package_manager: described_class::FILTER_PACKAGE_MANAGERS_VALUES } }
it 'returns all items' do
expect(subject.size).to eq(described_class::FILTER_PACKAGE_MANAGERS_VALUES.size)
end
end
context 'with invalid package manager' do context 'with invalid package manager' do
let(:params) { { package_manager: 'package_manager' } } let(:params) { { package_manager: 'package_manager' } }
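Review bot: The new 'with all package managers' context passes the full Array and so never exercises the defect the service fix addresses — a single package manager given as a String, where `String#include?` previously matched any dependency whose packager is a prefix of the requested one (`'pipenv'` matching `'pip'`). A context with `package_manager: 'pipenv'` expecting exactly one result would pin the fix, assuming `subject` is the filtered collection as in the 'returns all items' example and the `before` block still builds one dependency per `FILTER_PACKAGE_MANAGERS_VALUES` entry. The 'with invalid package manager' context begins on the last line of the hunk and continues outside it.
```ruby
# … unchanged: 'with all package managers' context …

context 'with a single package manager given as a String' do
  let(:params) { { package_manager: 'pipenv' } }

  it 'does not match other package managers by prefix' do
    expect(subject.size).to eq(1)
  end
end
```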
......
...@@ -74,6 +74,9 @@ gemnasium-maven-dependency_scanning: ...@@ -74,6 +74,9 @@ gemnasium-maven-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
# Stop reporting Gradle as "maven".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
...@@ -97,6 +100,9 @@ gemnasium-python-dependency_scanning: ...@@ -97,6 +100,9 @@ gemnasium-python-dependency_scanning:
# override the analyzer image with a custom value. This may be subject to change or # override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases. # breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
......