
DAST scan fails because of a faulty argument

Summary

When running a DAST scan on my web project, the ./analyze command fails to execute with the following error:

analyze.py: error: argument --auth-exclude-urls:  is not a valid URL

Steps to reproduce

  1. Create a new DAST test in the On-demand Scans tab
  2. Run it
  3. Wait for it to error out

What is the current bug behavior?

The script outputs an error and I find that very impolite.

What is the expected correct behavior?

Well, it shouldn't stop execution; it should continue on to the scan.

Relevant logs and/or screenshots

Running with gitlab-runner 13.9.0-rc2 (69c049fd)
  on docker-auto-scale 72989761
  feature flags: FF_GITLAB_REGISTRY_HELPER_IMAGE:true
Resolving secrets 00:00
Preparing the "docker+machine" executor
Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 ...
Using docker image sha256:1b61c71227f1622c244051785d2d8b93b8f4a808d4dbbaac8e8fb65e4de37371 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/dast@sha256:98b65b69b4c882dba473ce460a9c20789e1a6aa193bbf119fbadb83ef6d26b49 ...
Preparing environment 00:03
Running on runner-72989761-project-15253493-concurrent-0 via runner-72989761-srm-1617529828-5447810d...
Getting source from Git repository 00:01
Skipping Git repository setup
Skipping Git checkout
Skipping Git submodules setup
Executing "step_script" stage of the job script 00:02
Using docker image sha256:1b61c71227f1622c244051785d2d8b93b8f4a808d4dbbaac8e8fb65e4de37371 for registry.gitlab.com/gitlab-org/security-products/analyzers/dast:1 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/dast@sha256:98b65b69b4c882dba473ce460a9c20789e1a6aa193bbf119fbadb83ef6d26b49 ...
$ /analyze
usage: analyze.py [-h] [-t DAST_WEBSITE]
                  [--spider-start-at-host DAST_SPIDER_START_AT_HOST]
                  [--paths-to-scan DAST_PATHS]
                  [--paths-to-scan-file DAST_PATHS_FILE]
                  [--api-specification DAST_API_SPECIFICATION]
                  [--auth-url DAST_AUTH_URL]
                  [--auth-verification-url DAST_AUTH_VERIFICATION_URL]
                  [--auth-username DAST_USERNAME]
                  [--auth-password DAST_PASSWORD]
                  [--auth-username-field DAST_USERNAME_FIELD]
                  [--auth-password-field DAST_PASSWORD_FIELD]
                  [--auth-submit-field DAST_SUBMIT_FIELD]
                  [--auth-first-submit-field DAST_FIRST_SUBMIT_FIELD]
                  [--auth-auto DAST_AUTH_AUTO]
                  [--auth-exclude-urls DAST_EXCLUDE_URLS]
                  [--request-headers DAST_REQUEST_HEADER]
                  [--mask-http-headers DAST_MASK_HTTP_HEADERS]
                  [--exclude-rules DAST_EXCLUDE_RULES]
                  [--full-scan DAST_FULL_SCAN_ENABLED]
                  [--auto-update-addons DAST_AUTO_UPDATE_ADDONS]
                  [--write-addons-to-update-file]
                  [--validate-domain DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED]
                  [--availability-timeout DAST_TARGET_AVAILABILITY_TIMEOUT]
                  [--skip-target-check DAST_SKIP_TARGET_CHECK]
                  [--script-dirs DAST_SCRIPT_DIRS]
                  [--zap-max-connection-attempts DAST_ZAP_MAX_CONNECTION_ATTEMPTS]
                  [--zap-connect-sleep-seconds DAST_ZAP_CONNECT_SLEEP_SECONDS]
                  [--passive-scan-max-wait-time DAST_PASSIVE_SCAN_MAX_WAIT_TIME]
                  [--aggregate-vulnerabilities] [--browserker-scan]
                  [--browserker-allowed-hosts [DAST_BROWSERKER_ALLOWED_HOSTS]]
                  [--browserker-excluded-hosts [DAST_BROWSERKER_EXCLUDED_HOSTS]]
                  [--browserker-ignored-hosts [DAST_BROWSERKER_IGNORED_HOSTS]]
                  [--browserker-excluded-elements [DAST_BROWSERKER_EXCLUDED_ELEMENTS]]
                  [--browserker-max-actions [DAST_BROWSERKER_MAX_ACTIONS]]
                  [--browserker-max-attack-failures [DAST_BROWSERKER_MAX_ATTACK_FAILURES]]
                  [--browserker-max-depth [DAST_BROWSERKER_MAX_DEPTH]]
                  [--browserker-number-of-browsers [DAST_BROWSERKER_NUMBER_OF_BROWSERS]]
                  [--browserker-cookies [DAST_BROWSERKER_COOKIES]]
                  [-O DAST_API_HOST_OVERRIDE] [-m DAST_SPIDER_MINS]
                  [-r DAST_HTML_REPORT] [-w DAST_MARKDOWN_REPORT]
                  [-x DAST_XML_REPORT] [-a] [-d] [-P ZAP_PORT] [-i] [-I] [-j]
                  [-l ZAP_MIN_LEVEL] [-z DAST_ZAP_CLI_OPTIONS]
                  [--zap-log-configuration DAST_ZAP_LOG_CONFIGURATION]
                  [-T ZAP_TIMEOUT] [-s] [-n ZAP_CONTEXT_FILE]
                  [-p ZAP_PROGRESS_FILE] [-D ZAP_DELAY_IN_SECONDS]
                  [--auth-display DAST_AUTH_DISPLAY]
analyze.py: error: argument --auth-exclude-urls:  is not a valid URL
Uploading artifacts for failed job 00:01
Uploading artifacts...
WARNING: gl-dast-report.json: no matching files
ERROR: No files to upload
Cleaning up file based variables 00:00
ERROR: Job failed: exit code 1

Output of checks

Results of GitLab environment info

Version: GitLab Next version 13.11.0-pre

Revision: a065e272, but tested up to d98f9034. This has been resolved since a6ae7344.

Possible fixes

Define the URL in a valid format, or do not check validity when no URL is defined.
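To make the second fix concrete, here is an added example (my own code, not the GitLab DAST analyzer's analyze.py) of an argparse option for --auth-exclude-urls in both forms: a strict validator that reproduces the "argument --auth-exclude-urls:  is not a valid URL" failure when the value is empty, and a lenient one that treats an unset or blank value as "exclude nothing" while still rejecting anything that is not an http(s) URL. It assumes, as the real tool does not necessarily, that the option is filled from a DAST_EXCLUDE_URLS environment variable and that values are comma-separated; the parser and helper names are hypothetical.

```python
"""Added example (not the DAST analyzer's own code): strict vs. lenient
validation of a comma-separated URL list for --auth-exclude-urls.

Assumptions not taken from the bug report: the value comes from a
DAST_EXCLUDE_URLS environment variable, items are comma-separated, and all
function and class names below are hypothetical.
"""
import argparse
from urllib.parse import urlsplit


class _NoExitParser(argparse.ArgumentParser):
    """Raise instead of sys.exit() so the behaviour can be exercised in-process."""

    def error(self, message):
        raise ValueError(f"{self.prog}: error: {message}")


def _is_valid_url(item: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host part."""
    parts = urlsplit(item)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def strict_url_list(value: str) -> list:
    """Validator that reproduces the reported bug: every comma-separated item,
    including the empty string that an unset or empty variable yields, must be
    a URL, so '' fails with ' is not a valid URL' (hence the double space in
    the job log)."""
    urls = []
    for item in value.split(","):
        if not _is_valid_url(item):
            raise argparse.ArgumentTypeError(f"{item} is not a valid URL")
        urls.append(item)
    return urls


def lenient_url_list(value: str) -> list:
    """Corrected validator: an empty or blank value means "exclude nothing",
    blank items between commas are skipped, and whatever remains must still
    be a valid http(s) URL."""
    urls = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if not _is_valid_url(item):
            raise argparse.ArgumentTypeError(f"{item!r} is not a valid URL")
        urls.append(item)
    return urls


def build_parser(env: dict, strict: bool) -> argparse.ArgumentParser:
    """Mimic the CI job: no command-line flags, the value comes from env."""
    parser = _NoExitParser(prog="analyze.py")
    parser.add_argument(
        "--auth-exclude-urls",
        dest="auth_exclude_urls",
        type=strict_url_list if strict else lenient_url_list,
        # argparse runs `type` over a string default too, which is how an
        # unset variable becomes the '' that the strict validator rejects.
        default=env.get("DAST_EXCLUDE_URLS", ""),
        help="comma-separated URLs the authenticated scan must not visit",
    )
    return parser


def parse_exclude_urls(env: dict, argv=(), strict: bool = False) -> list:
    """Return the parsed exclusion list, or raise ValueError carrying the
    same message analyze.py printed in the job log."""
    parser = build_parser(env, strict)
    return parser.parse_args(list(argv)).auth_exclude_urls


if __name__ == "__main__":
    # Constructed inputs: an unset variable, an empty one, and a real list.
    cases = [
        ("unset", {}),
        ("empty", {"DAST_EXCLUDE_URLS": ""}),
        ("set", {"DAST_EXCLUDE_URLS": "https://app.example/logout"}),
    ]
    for label, env in cases:
        try:
            print(f"strict/{label}:  {parse_exclude_urls(env, strict=True)}")
        except ValueError as exc:
            print(f"strict/{label}:  {exc}")
        print(f"lenient/{label}: {parse_exclude_urls(env)}")
```

The lenient validator is the safer default for an exclusion list: "nothing configured" is a legitimate state, and the scan should still run in that case, whereas a malformed non-empty entry (wrong scheme, no host) is still rejected so that a typo cannot silently leave a logout or destructive endpoint unexcluded.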

Edited by Filip Troníček