Multiple Maven Dependency Scanning Jobs Running (-2, -3) in GitLab Pipeline

andjoe · February 19, 2025, 4:28pm

Problem to solve

I am experiencing an issue where GitLab is running multiple jobs for Maven dependency scanning (gemnasium-maven-dependency_scanning, gemnasium-maven-dependency-scanning-2, and gemnasium-maven-dependency-scanning-3).

Expected Behavior:

The dependency scanning jobs should run once per pipeline execution as defined in .gitlab-ci.yml.
The script mvn-create-settings.bash should execute before the analyzer run without issues.

Actual Behavior:

Multiple instances of the Maven dependency scanning job (-2, -3, etc.) appear unexpectedly.
The gemnasium-maven-dependency-scanning-2 job fails, while gemnasium-maven-dependency_scanning executes successfully.
The error log is attached in the file gemnasium-maven-dependency-scanning-2.

Additional Context:

The script mvn-create-settings.bash is used to generate an settings.xml file with secrets from GitLab variables for accessing the local Artifactory.
Scanning policies are enabled for all branches, triggering scans:
- On every merge request
- On merge to main
- On a scheduled Sunday scan

Question:

Why are multiple jobs being created (-2, -3, etc.)?
How can I ensure only one job executes?
What is the best practice for providing custom setups for handling policy-based security scanning tools?

Steps to reproduce

Enable dependency scanning policies on all branches.

Add the following .gitlab-ci.yml configuration or one that creates local settings dependent to run the job:

gemnasium-dependency_scanning:
  before_script:
    - source <(curl -s https://gitlab-script.utv.atlas.vegvesen.no/download/mvn-create-settings.bash)

gemnasium-maven-dependency-scanning-2:
  before_script:
    - source <(curl -s https://gitlab-script.utv.atlas.vegvesen.no/download/mvn-create-settings.bash)

gemnasium-maven-dependency_scanning:
  before_script:
    - source <(curl -s https://gitlab-script.utv.atlas.vegvesen.no/download/mvn-create-settings.bash)

Run a pipeline and observe multiple executions of the Maven dependency scanning job.
Check the screensjot for failures in

Screenshot 2025-02-19 at 17.31.361920×1181 227 KB

Screenshot 2025-02-19 at 17.31.433332×1072 447 KB

Configuration

GitLab security feature: Dependency Scanning
Custom Script Usage: mvn-create-settings.bash
Artifacts Repository: Internal Artifactory for Maven dependencies

Versions

Self-managed
GitLab.com SaaS
Dedicated
Self-hosted Runners

GitLab Version: 17.5.4-ee
GitLab Runner Version: 17.5.4

Helpful resources

Check the FAQ for helpful documentation, issues/bugs/feature proposals, and troubleshooting tips.
Before opening a new topic, make sure to search for keywords in the forum search
Check the GitLab and GitLab Runner projects for existing issues. If you encounter a bug, please create a bug report issue.
Review existing troubleshooting docs.

Thanks for taking the time to be thorough in your request, it really helps!

Topic		Replies	Views
DependencyScanning - Maven + GitLab Package Repository DevSecOps maven	11	2375	November 3, 2023
Cannot Run Before Script on Dependency Scanning DevSecOps maven , security	1	165	November 15, 2024
Dependency scanning does not run in automated merge request DevSecOps	0	1444	August 2, 2021
Licence check for maven project DevSecOps ci	0	900	May 6, 2021
Gemnasium-maven-dependency_scanning DevSecOps	1	2159	January 6, 2023