Problem to solve
I'm currently trying out GitLab's built-in dependency scanner with a Python repo.
Unfortunately, the SBOM file is not generated, which is a pity because I would like to see the results in the Vulnerability report.
The pipeline output looks like:
(I did a cat of the created JSON file because I wanted to see if something is inside; I cropped it from the output here because it's quite long.)
The funny thing is that the gl-dependency-scanning-report.json file is properly generated; however, the Vulnerability report needs the SBOM file.
Steps to reproduce
I run the pipeline on the master branch, and with the config below I never got the SBOM file generated.
Configuration
My .gitlab-ci.yml looks like:
```yaml
stages:
  - test

sast:
  stage: test
  variables:
    SECURE_LOG_LEVEL: debug

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml

gemnasium-python-dependency_scanning:
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2-python-3.9
  before_script:
    - apt-get -qqy update && apt-get install -qqy libpq-dev python3-dev build-essential postgresql-server-dev-all python3-psycopg2
    - pip3 install psycopg2
  after_script:
    - cat gl-dependency-scanning-report.json
    - pwd
    # quote the glob so the shell does not expand it before find sees it
    - find -type f -name "*.cdx.json"
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
```
Versions
- Self-managed
- GitLab.com SaaS
- Self-hosted Runners
Versions
- GitLab: GitLab Enterprise Edition 17.5.0-pre 146866ac936
- GitLab Runner, if self-hosted (Web /admin/runners or CLI gitlab-runner --version):
Did anyone come across that issue before? Or does anyone have any ideas? Are there any requirements the python project has to fulfill?
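A check for whether a CycloneDX SBOM actually exists and parses, added here as an example and not part of the original post or of GitLab's tooling; it walks a directory for the same *.cdx.json pattern the post's after_script searches for and summarizes each hit. The gl-sbom-pip.cdx.json name and component list in demo() are a constructed sample, not a file the analyzer is known to emit.

```python
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def find_cyclonedx_files(root: str) -> List[Path]:
    """Same search as the post's after_script `find`, done without shell globbing."""
    return sorted(p for p in Path(root).rglob("*.cdx.json") if p.is_file())


def summarize_sbom(path: Path) -> Optional[Dict[str, object]]:
    """Minimal summary of a CycloneDX JSON document, or None if the file is not one."""
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
        return None
    components = [c for c in doc.get("components") or [] if isinstance(c, dict)]
    return {
        "file": path.name,
        "specVersion": doc.get("specVersion"),
        "components": len(components),
        "names": sorted(c.get("name", "?") for c in components),
    }


def report(root: str) -> List[Dict[str, object]]:
    """Summaries for every valid CycloneDX file under root; an empty list means none was produced."""
    return [s for s in (summarize_sbom(p) for p in find_cyclonedx_files(root)) if s]


def demo() -> List[Dict[str, object]]:
    """Run report() over a constructed tree: one valid SBOM (hypothetical name) plus one unparsable file."""
    root = Path(tempfile.mkdtemp())
    (root / "sub").mkdir()
    sample = {"bomFormat": "CycloneDX", "specVersion": "1.4",
              "components": [{"name": "psycopg2", "version": "2.9.9"}, {"name": "requests"}]}
    (root / "sub" / "gl-sbom-pip.cdx.json").write_text(json.dumps(sample), encoding="utf-8")
    (root / "bogus.cdx.json").write_text("not json", encoding="utf-8")
    return report(str(root))


if __name__ == "__main__":
    import sys
    found = report(sys.argv[1]) if len(sys.argv) > 1 else demo()  # pass the job's working dir
    if not found:
        print("no CycloneDX *.cdx.json files found")
    for s in found:
        print(f"{s['file']}: spec {s['specVersion']}, {s['components']} components: {s['names']}")
```

Run it from the analyzer job's working directory (for example as an extra after_script line) to tell a missing SBOM apart from one that was written but is unreadable.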