DependencyScanning - Maven + GitLab Package Repository

Hi all!
I have a project that uses the GitLab package registry to host some custom Maven libs.
I want to use Dependency Scanning in my pipeline, which I’m enabling as follows:

include:
  - template: Jobs/SAST.latest.gitlab-ci.yml
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml

When my pipeline runs, the gemnasium job fails because it didn’t find my custom libs.

Caused by: org.eclipse.aether.transfer.ArtifactNotFoundException: Could not find artifact com.xxx:xxxx:jar:1.0.0 in gitlab-maven (https://gitlab.com/api/v4/groups/######/-/packages/maven)
My guess is: the gemnasium job doesn’t know how to locate that lib, so I thought the solution might be to pass the ci_settings.xml file as an argument, but I’m unable to do so.
Any thought would be very appreciated.

Thanks!

I’ve found my error!
To override the default behaviour of the job, you must add variables under a job declared with exactly the job’s name, in this case “gemnasium-maven-dependency_scanning”. The variable I added was MAVEN_CLI_OPTS, with value “--settings ci_settings.xml”.

That’s all! :slight_smile:


Thanks for sharing your solution here for anyone else who runs into this, @marcosp ! :pray: :bowing_man: :star:

@marcosp can you share your ci_settings.xml? I’m using something like this one here ci_settings.xml · master · GitLab-examples / maven / simple-maven-dep · GitLab and while my regular build jobs work the dependency scanning fails when trying to access the private repo.

Hi! Sure:

<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
  <servers>
    <server>
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Job-Token</name>
            <value>${CI_JOB_TOKEN}</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>

One additional piece of information:
Here’s the config in my pipeline (gemnasium customization section):

include:
  - template: Jobs/SAST.latest.gitlab-ci.yml
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
gemnasium-maven-dependency_scanning:
#gemnasium-dependency_scanning:
  variables:
    SECURE_LOG_LEVEL: debug
    DS_JAVA_VERSION: 11
    MAVEN_CLI_OPTS: "-DskipTests --batch-mode --settings ci_settings.xml"


Ok, thx. I think I just needed to add the project to the allowlist for CI_JOB_TOKEN to work.

Pls let me know if it works!
My configuration may be a little bit different, because my package registry isn’t at project level, but at group level.

I’m using a group level registry too. I got it to work with either custom deploy tokens (although scope is still unclear, as it’s supposed to work with Reporter but I could not get it to work with Developer, only Owner worked) or allowlisting projects that access the registry. I’m guessing you don’t have this enabled then?

No, I didn’t enable that flag yet.
That flag applies between projects, but does it also apply to groups?
’cause my use case is:
MVN build in a project consumes a library hosted in the package registry located in the root group.

Groups will have their access limited. See Configure Job Token scope at group level (#342842) · Issues · GitLab.org / GitLab · GitLab

Thanks Tomek!
For now, my solution implements a Deploy Token created at group level :slight_smile:
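For anyone who ends up on the deploy-token route described in this thread instead of the job-token allowlist: the snippet below is an added example, not one of the posters’ files, showing what the ci_settings.xml from the earlier reply looks like when the `gitlab-maven` server authenticates with a group deploy token instead of `CI_JOB_TOKEN`. GitLab’s Maven registry accepts the token through the `Deploy-Token` HTTP header; the variable name `MAVEN_DEPLOY_TOKEN` is an assumption here and stands for whatever masked CI/CD variable you store the token in, so the secret never appears in the repository or the job log. The same file is then passed to the scanning job via `MAVEN_CLI_OPTS: "--settings ci_settings.xml"` exactly as shown above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the original poster's file): ci_settings.xml for a
     group-level package registry authenticated with a group deploy token.
     Only the read_package_registry scope is needed to resolve dependencies;
     do not grant write_package_registry to a token used by scanning jobs. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
  <servers>
    <server>
      <!-- Must match the <id> of the repository declared in pom.xml -->
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <!-- GitLab reads group/project deploy tokens from this header -->
            <name>Deploy-Token</name>
            <!-- MAVEN_DEPLOY_TOKEN is an assumed name for a masked, protected
                 CI/CD variable holding the deploy token value -->
            <value>${env.MAVEN_DEPLOY_TOKEN}</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>
```

Keeping the `CI_JOB_TOKEN` variant from the earlier reply and the deploy-token variant in the same file is also possible (two `<server>` entries with different ids, selected by the repository id in pom.xml), but for a scanning job a single read-only token is the smaller blast radius: if the job log or the settings file ever leaks, the token can only read packages, and revoking it at group level does not affect any other project’s job tokens.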