Gemnasium-python-dependency_scanning generates no cyclonedx files for Poetry project

I am trying to make gemnasium work with my Poetry project with a poetry.lock file, and right now I am getting the following warning in the logs:

Uploading artifacts...
WARNING: **/cyclonedx-*.json: no matching files. Ensure that the artifact path is relative to the working directory
ERROR: No files to upload
Uploading artifacts...
gl-dependency-scanning-report.json: found 1 matching files and directories

As shown in the logs, gl-dependency-scanning-report.json is generated, and the contents look as expected to me.
Since support for poetry.lock has only been added recently, could this be some kind of bug?

@bettina.lanser, welcome to the forum!

Do you have a public project that you can link here? Or perhaps a minimal example to reproduce the issue?

I’ve asked some colleagues from the team that works on this feature, but I’m afraid they might not have much to go on here without more information about your configuration.

@bettina.lanser Hello and welcome!

Recently, gemnasium changed the naming scheme of the produced CycloneDX artifacts, which required the corresponding template artifact section to be updated. I was able to reproduce the issue by running a previous dependency scanning job on a poetry project. This may indicate that the previous jobs have cached the previous dependency scanning template that expected **/cyclonedx-*.json files.

Could you link the dependency scanning job? Additionally, could you confirm if the reproduction steps used are correct?

Hello @thiagocsf and @hacks4oats , thank you for looking into this!

Unfortunately, the project is not public, and something I did not consider before posting here (sorry for that) is that we are using a self-managed GitLab, so most probably this is some issue with our own setup.

From the way you could reproduce the problem @hacks4oats I assume that our GitLab instance is using some outdated version of the dependency scanning template, so I guess we can use that as a lead to solve the problem.

@bettina.lanser Thanks for the context! :slightly_smiling_face:

Since the latest template changes will not be released until the 22nd with the release of GitLab 15.2, there is currently a mismatch between the expected format by the analyzer and self-managed GitLab instances.

As a workaround, temporarily setting the DS_MAJOR_VERSION variable to 3.2.0 will use the analyzer that uses the previous naming scheme and should upload the cyclonedx artifacts. It's highly recommended that this change be reverted once the 15.2 release is installed on the self-managed instance so that the latest updates for the analyzer are used.

I will continue to investigate if there is a fix that we can implement to mitigate the issue on self-managed instances. Thank you again for reporting this!

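The workaround described in the reply above, written out as a .gitlab-ci.yml fragment. This is an added example, not configuration posted by anyone in the thread: it assumes the project includes GitLab's Dependency-Scanning template and that pinning DS_MAJOR_VERSION at the top-level `variables` block is enough to select the older analyzer image.

```yaml
# Added example (not from the original thread). Assumes the standard
# Dependency Scanning template is included and that DS_MAJOR_VERSION,
# set globally, is picked up by the gemnasium-python job.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # TEMPORARY PIN: the self-managed instance still ships a template that
  # expects the old **/cyclonedx-*.json artifact paths, while the current
  # analyzer writes files under the new naming scheme. Pinning to 3.2.0
  # selects the analyzer that still uses the old scheme.
  #
  # Remove this override once the instance is upgraded to GitLab 15.2,
  # otherwise the project keeps running an analyzer that no longer gets
  # updates (and therefore stale vulnerability detection).
  DS_MAJOR_VERSION: "3.2.0"
```

After the upgrade, delete the `DS_MAJOR_VERSION` line and re-run the pipeline; the "Uploading artifacts" step should then report matching CycloneDX files without the override.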

@hacks4oats Thank you very much, with this workaround everything works as expected.
