Dependencies API returns 500 if one of the reports is broken
Summary
The Dependencies API resource returns a 500
when a dependency scanning job is failing.
Steps to reproduce
- Create a pipeline with multiple dependency scanning jobs (report artifact of type `dependency_scanning`).
- Make one of the jobs return an artifact that cannot be parsed.
- Hit the Dependencies API for this project -> 500
Example Project
- https://gitlab.com/gitlab-org/security-products/package-hunter-cli/ (broken jobs are `package_hunter-yarn` and `package_hunter-yarn`)
- https://gitlab.com/gitlab-org/security-products/package-hunter-cli/-/dependencies has a flash message: "The dependency_scanning job has failed and cannot generate the list. Please ensure the job is running properly and run the pipeline again." (Job link)
- https://gitlab.com/api/v4/projects/gitlab-org%2fsecurity-products%2fpackage-hunter-cli/dependencies returns `{"message":"500 Internal Server Error"}`
What is the current bug behavior?
API returns a 500 response.
What is the expected correct behavior?
API returns a 200 with partial results (dependencies from the successful jobs).
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
Note: this issue is partially fixed by !76597 (merged). We also need a fix so that artifacts from failed builds are not processed:
- change this line to skip failed builds.
- update tests
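As an added illustration (not GitLab's own code), a Ruby sketch of the tolerant aggregation this fix aims for: skip failed builds, rescue parse errors per report, and return partial results together with the names of the skipped jobs instead of raising. The `Build` struct, the report shape and the sample artifacts are assumptions constructed for this example.

```ruby
require 'json'

# Constructed stand-in for a CI build carrying a dependency_scanning report.
# Hypothetical fields; not GitLab's Ci::Build model.
Build = Struct.new(:name, :status, :artifact, keyword_init: true)

# Aggregate dependencies across builds without letting one bad report
# fail the whole request. Returns { dependencies: [...], skipped: [...] }
# so the caller can answer 200 with partial results.
def collect_dependencies(builds)
  dependencies = []
  skipped = []

  builds.each do |build|
    # Fix proposed in the issue: never process artifacts from failed builds.
    if build.status != 'success'
      skipped << build.name
      next
    end

    begin
      report = JSON.parse(build.artifact)
      # Assumed report shape: {"dependency_files":[{"dependencies":[{"name":..,"version":..}]}]}
      report.fetch('dependency_files').each do |file|
        file.fetch('dependencies').each do |dep|
          dependencies << { 'name' => dep.fetch('name'),
                            'version' => dep.fetch('version'),
                            'job' => build.name }
        end
      end
    rescue JSON::ParserError, KeyError, TypeError, NoMethodError
      # Malformed or truncated report: record it and keep going.
      skipped << build.name
    end
  end

  { dependencies: dependencies, skipped: skipped }
end

# Constructed sample input: one good report, one failed job, one truncated artifact.
SAMPLE_BUILDS = [
  Build.new(name: 'gemnasium', status: 'success',
            artifact: '{"dependency_files":[{"dependencies":[{"name":"rails","version":"6.1.4"}]}]}'),
  Build.new(name: 'package_hunter-yarn', status: 'failed', artifact: ''),
  Build.new(name: 'retire-js', status: 'success', artifact: '{"dependency_files":[{"dep')
].freeze

puts JSON.pretty_generate(collect_dependencies(SAMPLE_BUILDS)) if __FILE__ == $PROGRAM_NAME
```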
Edited by Tetiana Chupryna