
Gitlab format report has invalid syntax for dependencies #6593

Closed
david-eyeee opened this issue Apr 16, 2024 · 5 comments

Describe the bug
Under certain circumstances, the dependency-check-gitlab.json file has invalid syntax. Specifically, there is a trailing comma after the last package entry in the dependencies section of dependency_files. The dependency-check.json file does not have this issue. This is the section with the trailing comma:

{
"dependencies": [
{"package": {"name": "ComponentSpace.SAML2"},"version": "2.6.0.17"},
{"package": {"name": "select2"},"version": "3.4.3"},
{"package": {"name": "select2"},"version": "3.4.0"},
]
}

Version of dependency-check used
The problem occurs using version 9.1.0 of the docker image - owasp/dependency-check:9.1.0

Log file

To Reproduce

Expected behavior
dependency-check-gitlab.json should have valid syntax.

Additional context
I realize this bug report is missing lots of detail. This is a work account so unfortunately I cannot provide log files or the contents of the project that produced this error. However, I may be able to answer specific questions if you choose to pursue this issue. Thanks.

@aikebah
Collaborator

aikebah commented Apr 16, 2024

A quick look into the template makes me expect your 'specific circumstances' are having a dependency that didn't get its name property set (or got it set to a falsy value in the evaluation of the templating engine).

@jeremylong
Owner

We would also need more than just "It's broken - please fix". Do you have a project that can reproduce the issue?

@Rec0gnice

Rec0gnice commented Apr 26, 2024

I have encountered the problem as well with version 9.1.0, as described by @david-eyeee.

The object dependency_files lists packages from the specific dependency files under the dependencies array.
E.g.:

{
   "dependency_files": [
      {
         "path": "pom.xml",
         "package_manager": "maven",
         "dependencies": [
            {
               "package": {
                  "name": "commons-collections:commons-collections"
               },
               "version": "3.2.2"
            },
         ]
      }
   ],
   "remediations": []
}

These packages are wrapped inside their own object and listed under the dependencies list key, which is then again wrapped in an object, which then appends the invalid comma afterwards.

The error is located on the last object inside of dependencies array where a trailing comma is appended after the last package, which is not valid with the JSON schema used.

@Rec0gnice

Rec0gnice commented Apr 26, 2024

When looking at the template file [1], I would assume that there is another entry in $dependencies but it has no name. Therefore a trailing comma is appended [2], but there won't be another package added when the name is not set [3].

[1] https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/templates/gitlabReport.vsl
[2] https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/templates/gitlabReport.vsl#L155
[3] https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/resources/templates/gitlabReport.vsl#L143
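
The mechanism described in the comment above, modelled as an added example. This is not the project's template or code and was not posted by anyone in the thread; the "buggy" renderer is an assumption about how the template behaves, derived from that reading (separator decided by position in the unfiltered list, entry written only when the name is truthy), not a copy of gitlabReport.vsl. The fixed renderer filters nameless dependencies before joining, and check_report is the kind of validation a pipeline can run on the generated dependency-check-gitlab.json before handing it to GitLab. The sample dependencies are constructed.

```python
import json
import re

# Constructed sample input: the last dependency has no name, which is the
# condition the thread suspects produces the trailing comma.
SAMPLE_DEPENDENCIES = [
    {"name": "ComponentSpace.SAML2", "version": "2.6.0.17"},
    {"name": "select2", "version": "3.4.3"},
    {"name": None, "version": "1.0.0"},
]


def _entry(dep):
    """One element of the GitLab 'dependencies' array, as shown in the issue."""
    return json.dumps({"package": {"name": dep["name"]}, "version": dep["version"]})


def render_dependencies_buggy(deps):
    """ASSUMED model of the template defect: the comma is emitted based on the
    position in the unfiltered list, but the entry itself is only written when
    the name is truthy. A nameless last entry leaves a comma with nothing after it."""
    parts = ["["]
    for i, dep in enumerate(deps):
        if dep.get("name"):
            parts.append(_entry(dep))
        if i < len(deps) - 1:
            parts.append(",")
    parts.append("]")
    return "".join(parts)


def render_dependencies_fixed(deps):
    """Filter first, then join: the separator count always matches the entries."""
    named = [d for d in deps if d.get("name")]
    return "[" + ",".join(_entry(d) for d in named) + "]"


# Heuristic locator used only after the JSON parser has already rejected the
# document; it can match a comma inside a string value, so it is a hint, not proof.
_TRAILING_COMMA = re.compile(r",\s*([\]}])")


def check_report(text):
    """Return (ok, message). Parses the report; on failure, points at the first
    trailing-comma candidate so the broken section can be found quickly."""
    try:
        json.loads(text)
        return True, "valid JSON"
    except json.JSONDecodeError as err:
        detail = f"{err.msg} at line {err.lineno} column {err.colno}"
        m = _TRAILING_COMMA.search(text)
        if m:
            return False, f"trailing comma before {m.group(1)!r} at offset {m.start()} ({detail})"
        return False, detail


if __name__ == "__main__":
    for label, render in (("buggy", render_dependencies_buggy), ("fixed", render_dependencies_fixed)):
        out = render(SAMPLE_DEPENDENCIES)
        ok, msg = check_report(out)
        print(f"{label}: {out}\n  -> {msg}")
```

Running the module prints the two renderings and the verdict for each; in a CI job the useful part is check_report applied to the real report file, failing the job with the offset of the stray comma instead of letting GitLab reject the artifact later.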

@david-eyeee
Author

Attached is a sample project that contains the files that generate the error.
test-project.zip

This is the command we use to execute the check:

/usr/share/dependency-check/bin/dependency-check.sh --project 'test-project' --out './dependency_check_output' --format ALL --scan . --nvdApiKey <REDACTED>

Thanks.
