Merge branch '338252-add-gradle-pipenv-setuptools-to-DS-pkgrs' into 'master'

Fix packager reported by Gemnasium for Gradle and Pipenv projects See merge request gitlab-org/gitlab!74057

Merge branch '338252-add-gradle-pipenv-setuptools-to-DS-pkgrs' into 'master'
Fix packager reported by Gemnasium for Gradle and Pipenv projects See merge request gitlab-org/gitlab!74057
b9e1303d · Tetiana Chupryna · de72e92e · ce01c085 · b9e1303d · b9e1303d
Commit b9e1303d authored Nov 11, 2021 by Tetiana Chupryna
6 changed files
--- a/doc/api/dependencies.md
+++ b/doc/api/dependencies.md
@@ -34,7 +34,7 @@ GET /projects/:id/dependencies?package_manager=yarn,bundler
 | Attribute     | Type           | Required | Description                                                                                                                                                                 |
 | ------------- | -------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `id`          | integer/string | yes      | The ID or [URL-encoded path of the project](index.md#namespaced-path-encoding).                                                            |
-| `package_manager` | string array   | no       | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `maven`, `npm`, `nuget`, `pip`, `yarn`, or `sbt`.                                   |
+| `package_manager` | string array   | no       | Returns dependencies belonging to specified package manager. Valid values: `bundler`, `composer`, `conan`, `go`, `gradle`, `maven`, `npm`, `nuget`, `pip`, `pipenv`, `yarn`, `sbt`, or `setuptools`. |

 ```shell
 curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/dependencies"

--- a/ee/app/services/security/dependency_list_service.rb
+++ b/ee/app/services/security/dependency_list_service.rb
@@ -4,14 +4,14 @@ module Security
  class DependencyListService
    SORT_BY_VALUES = %w(name packager severity).freeze
    SORT_VALUES = %w(asc desc).freeze
-    FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt).freeze
+    FILTER_PACKAGE_MANAGERS_VALUES = %w(bundler yarn npm maven composer pip conan go nuget sbt gradle pipenv setuptools).freeze
    FILTER_VALUES = %w(all vulnerable).freeze

    # @param pipeline [Ci::Pipeline]
    # @param [Hash] params to sort and filter dependencies
    # @option params ['asc', 'desc'] :sort ('asc') Order
    # @option params ['name', 'packager', 'severity'] :sort_by ('name') Field to sort
-    # @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip'] :package_manager ('bundler') Field to filter
+    # @option params ['bundler', 'yarn', 'npm', 'maven', 'composer', 'pip', 'conan', 'go', 'nuget', 'sbt', 'gradle', 'pipenv', 'setuptools'] :package_manager ('bundler') Field to filter
    # @option params ['all', 'vulnerable'] :filter ('all') Field to filter
    def initialize(pipeline:, params: {})
      @pipeline = pipeline
@@ -37,8 +37,15 @@ module Security
    def filter_by_package_manager(collection)
      return collection unless params[:package_manager]

+      # ensure that package_manager is an Array
+      # otherwise #include? is true when dependency[:package_manager]
+      # begins with params[:package_manager] (String),
+      # even if the requested package manager isn't a match
+      package_managers = params[:package_manager]
+      package_managers = [package_managers] unless params[:package_manager].is_a?(Array)
+
      collection.select do |dependency|
-        params[:package_manager].include?(dependency[:package_manager])
+        package_managers.include?(dependency[:package_manager])
      end
    end


--- a/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
+++ b/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
@@ -54,6 +54,12 @@ module Gitlab
                'C# (Nuget)'
              when 'go'
                'Go (Go modules)'
+              when 'gradle'
+                'Java (Gradle)'
+              when 'pipenv'
+                'Python (Pipenv)'
+              when 'setuptools'
+                'Python (Setuptools)'
              else
                package_manager
              end

--- a/ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
@@ -92,17 +92,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
    using RSpec::Parameterized::TableSyntax

    where(:packager, :expected) do
-      'bundler'  | 'Ruby (Bundler)'
-      'yarn'     | 'JavaScript (Yarn)'
-      'npm'      | 'JavaScript (npm)'
-      'pip'      | 'Python (pip)'
-      'maven'    | 'Java (Maven)'
-      'composer' | 'PHP (Composer)'
-      'conan'    | 'C/C++ (Conan)'
-      'sbt'      | 'Scala (Sbt)'
-      'nuget'    | 'C# (Nuget)'
-      'go'       | 'Go (Go modules)'
-      ''         | ''
+      'bundler'    | 'Ruby (Bundler)'
+      'yarn'       | 'JavaScript (Yarn)'
+      'npm'        | 'JavaScript (npm)'
+      'pip'        | 'Python (pip)'
+      'maven'      | 'Java (Maven)'
+      'composer'   | 'PHP (Composer)'
+      'conan'      | 'C/C++ (Conan)'
+      'sbt'        | 'Scala (Sbt)'
+      'nuget'      | 'C# (Nuget)'
+      'go'         | 'Go (Go modules)'
+      'gradle'     | 'Java (Gradle)'
+      'pipenv'     | 'Python (Pipenv)'
+      'setuptools' | 'Python (Setuptools)'
+      ''           | ''
    end

    with_them do

--- a/ee/spec/services/security/dependency_list_service_spec.rb
+++ b/ee/spec/services/security/dependency_list_service_spec.rb
@@ -38,8 +38,6 @@ RSpec.describe Security::DependencyListService do

    context 'with params' do
      context 'filtered by package_managers' do
-        using RSpec::Parameterized::TableSyntax
-
        before do
          dependencies = described_class::FILTER_PACKAGE_MANAGERS_VALUES.map do |package_manager|
            build(:dependency, package_manager: package_manager)
@@ -61,6 +59,14 @@ RSpec.describe Security::DependencyListService do
          end
        end

+        context 'with all package managers' do
+          let(:params) { { package_manager: described_class::FILTER_PACKAGE_MANAGERS_VALUES } }
+
+          it 'returns all items' do
+            expect(subject.size).to eq(described_class::FILTER_PACKAGE_MANAGERS_VALUES.size)
+          end
+        end
+
        context 'with invalid package manager' do
          let(:params) { { package_manager: 'package_manager' } }


--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
@@ -74,6 +74,9 @@ gemnasium-maven-dependency_scanning:
    # override the analyzer image with a custom value. This may be subject to change or
    # breakage across GitLab releases.
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
+    # Stop reporting Gradle as "maven".
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
+    DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
@@ -97,6 +100,9 @@ gemnasium-python-dependency_scanning:
    # override the analyzer image with a custom value. This may be subject to change or
    # breakage across GitLab releases.
    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
+    # Stop reporting Pipenv and Setuptools as "pip".
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
+    DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never