ERROR license_scanning

michaelm-88 · July 26, 2023, 5:00pm

Hi all,

I hope you’re doing well. I am currently working on a project where we have integrated GitLab CI/CD pipelines for automating various tasks, including license scanning. However, I am facing an issue with the license_scanning job, and I could really use some assistance from the community.

Here’s the error I am encountering:

$ cat <<EOF> "$SETUP_CMD" # collapsed multi-line command
$ /run.sh analyze .
Selecting previously unselected package asdf.
(Reading database ... 20275 files and directories currently installed.)
Preparing to unpack .../asdf_0.7.8-1_amd64.deb ...
Unpacking asdf (0.7.8-1) ...
Setting up asdf (0.7.8-1) ...
Running '/opt/gitlab/custom_setup.sh' to install project dependencies…
You must specify a name and a version to install
Unknown release: openjdk-
/opt/gitlab/custom_setup.sh: line 6: mvn: command not found
Uploading artifacts for failed job
00:00
Uploading artifacts...
WARNING: gl-license-scanning-report.json: no matching files 
ERROR: No files to upload                          
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

I have included the Security/License-Scanning.gitlab-ci.yml template in my .gitlab-ci.yml file, and the license_scanning job is defined with specific settings for license scanning.

Here’s the relevant part of my .gitlab-ci.yml:

yamlCopy code

include:
  - template: Security/License-Scanning.gitlab-ci.yml

license_scanning:
  stage: test
  tags:
    - aker_internal
  needs:
    - Version updates - compile version
  dependencies: []
  variables:
    ASDF_JAVA_VERSION: openjdk-$CI_JAVA_RELEASE
    ASDF_MAVEN_VERSION: $CI_MAVEN_VERSION
    LM_JAVA_VERSION: $ASDF_JAVA_VERSION
    LICENSE_FINDER_CLI_OPTS: '--recursive'
    MAVEN_OPTS: ""
    MAVEN_CLI_OPTS: "-DskipTests --batch-mode -ntp"
    SETUP_CMD: "/opt/gitlab/custom_setup.sh"
  before_script:
    - |-
      cat <<EOF> "$SETUP_CMD"
      # Install the versions of Maven and Java we use
      asdf install maven $ASDF_MAVEN_VERSION
      asdf install java $ASDF_JAVA_VERSION
      # This is to workaround issue where a GitLab pipeline tries to download our modules from public repositories
      # which does not happen when running the container outside of a pipeline:
      mvn install ${MAVEN_CLI_OPTS} -Dmaven.test.skip=true -f "$MAVEN_ROOT" ${MAVEN_SETTINGS_FILE:+-s "$MAVEN_ROOT/$MAVEN_SETTINGS_FILE"}
      EOF
      chmod +x "$SETUP_CMD"
  rules:
    - !reference [.workflow_rules, standard_workflow]

I suspect that there might be an issue with the custom setup or the availability of Maven (mvn) during the job execution. The job seems to fail when trying to install the project dependencies.

If anyone has encountered a similar problem or has experience with GitLab CI/CD and license scanning, your insights and suggestions would be greatly appreciated. I’m open to any ideas or potential solutions to resolve this issue.

Thank you all for your time and support!

Best regards,

dnsmichi · July 26, 2023, 8:46pm

It seems that the variable that specifies the openjdk version, has an empty value.

ASDF_JAVA_VERSION: openjdk-$CI_JAVA_RELEASE

Where is CI_JAVA_RELEASE defined?

The same error seems to apply for the maven variable, leading to a silent asdf install error, without installing anything.

michaelm-88 · July 27, 2023, 8:17am

Hi @dnsmichi
these are variables from Gitlab i think , it is no into my env variable , was working till last week

dnsmichi · July 27, 2023, 9:04am

Predefined CI/CD variables do not include

CI_JAVA_RELEASE
CI_MAVEN_VERSION

Looking at the included template

lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml · master · GitLab.org / GitLab · GitLab was moved to lib/gitlab/ci/templates/Jobs/License-Scanning.gitlab-ci.yml · master · GitLab.org / GitLab · GitLab I do not see the variables in the included template. Suggest checking the pipeline editor tab view full configuration to inspect whether the variables are inherited and set somewhere else.

If not in the CI/CD configuration files, the variables might be configured in the CI/CD settings. Maybe these variables are limited in their scope, i.e. they are protected and only available on protected branches. When the pipeline is triggered from a feature branch or MR, the variables are not available, thus generating the errors you see.

Which GitLab version is involved (add /help to the main instance URL), and how is GitLab installed (self-managed: Omnibus packages, Docker, Helm chart, etc. or GitLab.com SaaS).

gitlab-greg · July 27, 2023, 6:47pm

The license_scanning job and License-Scanning.gitlab-ci.yml CI template was deprecated in GitLab 15.9.

You should instead migrate to use License approval policies and the new method of license scanning prior to GitLab 16.1.

License scanning no longer uses License-Scanning.gitlab-ci.yml, so you’ll want to remove and any customizations to the license_scanning job. The new method to enable and use License scanning can be found here: License scanning of CycloneDX files | GitLab

Topic		Replies	Views
Licence check for maven project DevSecOps ci	0	866	May 6, 2021
Dependency scanning in the free tier DevSecOps pipelines , license	3	3381	February 9, 2022
Empty list generated from License Compliance Java/Gradle scanning DevSecOps	0	633	July 10, 2020
Seeing Approval requirements for both License-Check and License Security Policy in some pipelines DevSecOps license	0	322	September 13, 2023
WARNING: gl-container-scanning-report.json: no matching files GitLab CI/CD	0	959	May 16, 2023

ERROR license_scanning

Related topics