Document how to configure credentials for fetching custom artifacts from private Maven repository
We need to document under https://docs.gitlab.com/ee/user/application_security/sast/#configuration how to configure the job to fetch Maven dependencies from a private maven repo that requires authentication.
According to https://gitlab.com/gitlab-org/gitlab-ee/issues/6711#note_156367270, you need to set MAVEN_CLI_OPTS as a secret variable with a value of:
    -Drepository.password=verysecret -Drepository.user=myuser
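As an added example (not code from this issue or from GitLab's SAST tooling), the POSIX shell helper below builds that MAVEN_CLI_OPTS value from two CI/CD secret variables instead of pasting the password into .gitlab-ci.yml, fails fast without printing the secret when a variable is missing, and writes the settings.xml that binds repository.user and repository.password to the "artifactory" server id from the pom.xml. The variable names ARTIFACTORY_USER and ARTIFACTORY_PASSWORD, the settings file path, and the use of a settings.xml <server> entry to consume the -D properties are assumptions about the project, not something the issue states.

```shell
#!/bin/sh
# Assumed CI/CD secret variables (hypothetical names): ARTIFACTORY_USER,
# ARTIFACTORY_PASSWORD. Neither value is ever echoed to the job log.

# Compose MAVEN_CLI_OPTS for the SAST job. Optional $1 is a settings.xml path
# inside the container (the job mounts the repository at /code).
maven_cli_opts() {
  settings="${1:-}"
  if [ -z "${ARTIFACTORY_USER:-}" ] || [ -z "${ARTIFACTORY_PASSWORD:-}" ]; then
    echo "ARTIFACTORY_USER / ARTIFACTORY_PASSWORD are not set" >&2
    return 1
  fi
  # MAVEN_CLI_OPTS is word-split when handed to mvn, so a password containing
  # whitespace would be split into separate arguments; refuse it rather than
  # silently sending a truncated credential.
  case "$ARTIFACTORY_PASSWORD" in
    *[[:space:]]*) echo "ARTIFACTORY_PASSWORD contains whitespace" >&2; return 1 ;;
  esac
  opts="-Drepository.user=$ARTIFACTORY_USER -Drepository.password=$ARTIFACTORY_PASSWORD"
  if [ -n "$settings" ]; then
    opts="-s $settings $opts"
  fi
  printf '%s' "$opts"
}

# Write a settings.xml mapping the two properties onto the server id used by
# <repository><id>artifactory</id> in pom.xml. It contains only placeholders,
# never the secret, so it is safe to commit to the repository.
write_settings_xml() {
  cat > "$1" <<'EOF'
<settings>
  <servers>
    <server>
      <id>artifactory</id>
      <username>${repository.user}</username>
      <password>${repository.password}</password>
    </server>
  </servers>
</settings>
EOF
}

# Constructed usage for the job's before_script:
#   MAVEN_CLI_OPTS="$(maven_cli_opts /code/.m2-settings.xml)" || exit 1
#   export MAVEN_CLI_OPTS
#   write_settings_xml .m2-settings.xml
```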
issue
I'm trying to run SAST as part of my automated GitLab build pipeline. The project is a Java project that is using Maven for dependency management. Our Maven project is configured to fetch Maven dependencies from our private Artifactory instance that requires authentication.
Snippet from Maven pom.xml:
    <repositories>
        <repository>
            <id>artifactory</id>
            <name>Private Repository</name>
            <url>${repository.url}</url>
            <snapshots>
                <enabled>true</enabled>
            </snapshots>
        </repository>
    </repositories>
Snippet from .gitlab-ci.yml:
    sast:
      image: docker:latest
      variables:
        DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
        - docker:dind
      script:
        - export SAST_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
        - docker run
            --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
            --env SAST_DISABLE_REMOTE_CHECKS="${SAST_DISABLE_REMOTE_CHECKS:-false}"
            --volume "$PWD:/code"
            --volume /var/run/docker.sock:/var/run/docker.sock
            "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
      artifacts:
        paths: [gl-sast-report.json]
Since our Artifactory instance that hosts the Maven dependencies requires a username and password to fetch the dependency information during the security scan, our SAST job fails with an error:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.203 s
[INFO] Finished at: 2018-03-09T20:54:50Z
[INFO] Final Memory: 19M/295M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project contract-java: Could not resolve dependencies for project nl.project:contract-java:jar:0.0.1-SNAPSHOT: Failed to collect dependencies at nl.project:contract:jar:0.0.1-SNAPSHOT: Failed to read artifact descriptor for nl.project:contract:jar:0.0.1-SNAPSHOT: Could not transfer artifact nl.project:contract:pom:0.0.1-SNAPSHOT from/to artifactory (https://my.private.maven.repository.com/artifactory/repo/): Not authorized , ReasonPhrase:Unauthorized. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
Could not list maven dependencies for the repository at contract-java
time="2018-03-09T20:54:51Z" level=fatal msg="Container exited with non zero exit code: 1"
/usr/local/lib/ruby/2.3.0/json/common.rb:156:in `initialize': A JSON text must at least contain two octets! (JSON::ParserError)
from /usr/local/lib/ruby/2.3.0/json/common.rb:156:in `new'
from /usr/local/lib/ruby/2.3.0/json/common.rb:156:in `parse'
from /app/lib/analyzers/gemnasium.rb:58:in `block in analyze'
from /app/lib/analyzers/gemnasium.rb:53:in `chdir'
from /app/lib/analyzers/gemnasium.rb:53:in `analyze'
from /app/lib/analyzers/gemnasium.rb:37:in `execute'
from /app/lib/analyze.rb:25:in `issues'
from /app/lib/run.rb:10:in `initialize'
from /app/bin/run:7:in `new'
from /app/bin/run:7:in `<main>'
ERROR: Job failed: exit code 1
Can you document how to configure the SAST job to "inject" the Maven credentials of our private repository to be able to perform the security scan?