SAST for golang doesn't resolve dependencies correctly
We added SAST to our project using:
include:
- template: SAST.gitlab-ci.yml
In the GitLab-Runner logs we can see the following error message:
Running with gitlab-runner 11.7.0 (8bb608ff)
on gitlab-ci-groupalarm-com M2ngRWrg
Using Docker executor with image docker:stable ...
Starting service docker:stable-dind ...
Pulling docker image docker:stable-dind ...
Using docker image sha256:12adad4e12e25288e665131d5235d98a8edf2a39d26679dabbe2728442729e26 for docker:stable-dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:805bea199b249bfed61cdcd7cdbfe240ee998d51f59bbf365674a15b619f5a86 for docker:stable ...
Running on runner-M2ngRWrg-project-1-concurrent-0 via gitlab-ci-groupalarm-com...
Fetching changes...
HEAD is now at ca4b952c try to fix manually
From https://gitlab2.mycompany.io/mycompany.com/mycompany.com
ca4b952c..845ae733 add-sast -> origin/add-sast
Auto packing the repository in background for optimum performance.
See "git help gc" for manual housekeeping.
Checking out 845ae733 as add-sast...
Skipping Git submodules setup
$ export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
$ if ! docker info &>/dev/null; then # collapsed multi-line command
$ function propagate_env_vars() { # collapsed multi-line command
$ docker run \ # collapsed multi-line command
Unable to find image 'registry.gitlab.com/gitlab-org/security-products/sast:11-11-stable' locally
11-11-stable: Pulling from gitlab-org/security-products/sast
f9e13c93af52: Pulling fs layer
f9e13c93af52: Verifying Checksum
f9e13c93af52: Download complete
f9e13c93af52: Pull complete
Digest: sha256:9d50c62159598b191f970b92d5d35e3e037c258f41ea6780a4d8014d70cd19f9
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/sast:11-11-stable
2019/06/22 10:43:44 Copy project directory to containers
2019/06/22 10:43:44 [bandit] Detect project using plugin
2019/06/22 10:43:44 [bandit] Project not compatible
2019/06/22 10:43:44 [brakeman] Detect project using plugin
2019/06/22 10:43:44 [brakeman] Project not compatible
2019/06/22 10:43:44 [gosec] Detect project using plugin
2019/06/22 10:43:44 [gosec] Project is compatible
2019/06/22 10:43:44 [gosec] Starting analyzer...
2: Pulling from gitlab-org/security-products/analyzers/gosec
Digest: sha256:3e53025404e9a6c05b05dc3738c8ec24634a5078515f492eede8b2ec10ffca98
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:2
Found project in /tmp/app/go/admin
package mycompany.com/go/admin/api/handler: unrecognized import path "mycompany.com/go/admin/api/handler" (parse https://mycompany.com/go/admin/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/admin/api/metrics: unrecognized import path "mycompany.com/go/admin/api/metrics" (parse https://mycompany.com/go/admin/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/admin/api/services: unrecognized import path "mycompany.com/go/admin/api/services" (parse https://mycompany.com/go/admin/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/common: unrecognized import path "mycompany.com/go/common" (parse https://mycompany.com/go/common?go-get=1: no go-import meta tags ())
package mycompany.com/go/rbac/client: unrecognized import path "mycompany.com/go/rbac/client" (parse https://mycompany.com/go/rbac/client?go-get=1: no go-import meta tags ())
package mycompany.com/go/replication: unrecognized import path "mycompany.com/go/replication" (parse https://mycompany.com/go/replication?go-get=1: no go-import meta tags ())
package mycompany.com/go/alarming/api/handler: unrecognized import path "mycompany.com/go/alarming/api/handler" (parse https://mycompany.com/go/alarming/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/alarming/api/metrics: unrecognized import path "mycompany.com/go/alarming/api/metrics" (parse https://mycompany.com/go/alarming/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/alarming/api/services: unrecognized import path "mycompany.com/go/alarming/api/services" (parse https://mycompany.com/go/alarming/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/handler: unrecognized import path "mycompany.com/go/els-cobra/api/handler" (parse https://mycompany.com/go/els-cobra/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/instruction/api/services: unrecognized import path "mycompany.com/go/instruction/api/services" (parse https://mycompany.com/go/instruction/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/organization/api/services: unrecognized import path "mycompany.com/go/organization/api/services" (parse https://mycompany.com/go/organization/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/rbac/api/services: unrecognized import path "mycompany.com/go/rbac/api/services" (parse https://mycompany.com/go/rbac/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/shop/api/services: unrecognized import path "mycompany.com/go/shop/api/services" (parse https://mycompany.com/go/shop/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/shop/client: unrecognized import path "mycompany.com/go/shop/client" (parse https://mycompany.com/go/shop/client?go-get=1: no go-import meta tags ())
package mycompany.com/go/audit/api/services: unrecognized import path "mycompany.com/go/audit/api/services" (parse https://mycompany.com/go/audit/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/app/api/handler: unrecognized import path "mycompany.com/go/app/api/handler" (parse https://mycompany.com/go/app/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/app/api/metrics: unrecognized import path "mycompany.com/go/app/api/metrics" (parse https://mycompany.com/go/app/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/app/api/services: unrecognized import path "mycompany.com/go/app/api/services" (parse https://mycompany.com/go/app/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/messaging/api/services: unrecognized import path "mycompany.com/go/messaging/api/services" (parse https://mycompany.com/go/messaging/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/user/client: unrecognized import path "mycompany.com/go/user/client" (parse https://mycompany.com/go/user/client?go-get=1: no go-import meta tags ())
package mycompany.com/go/appointment/api/handler: unrecognized import path "mycompany.com/go/appointment/api/handler" (parse https://mycompany.com/go/appointment/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/appointment/api/metrics: unrecognized import path "mycompany.com/go/appointment/api/metrics" (parse https://mycompany.com/go/appointment/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/appointment/api/services: unrecognized import path "mycompany.com/go/appointment/api/services" (parse https://mycompany.com/go/appointment/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/email/mail: unrecognized import path "mycompany.com/go/email/mail" (parse https://mycompany.com/go/email/mail?go-get=1: no go-import meta tags ())
package mycompany.com/go/audit/api/handler: unrecognized import path "mycompany.com/go/audit/api/handler" (parse https://mycompany.com/go/audit/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/audit/api/metrics: unrecognized import path "mycompany.com/go/audit/api/metrics" (parse https://mycompany.com/go/audit/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/billing/api/controller: unrecognized import path "mycompany.com/go/billing/api/controller" (parse https://mycompany.com/go/billing/api/controller?go-get=1: no go-import meta tags ())
package mycompany.com/go/billing/api/metrics: unrecognized import path "mycompany.com/go/billing/api/metrics" (parse https://mycompany.com/go/billing/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/billing/api/services: unrecognized import path "mycompany.com/go/billing/api/services" (parse https://mycompany.com/go/billing/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/user/api/services: unrecognized import path "mycompany.com/go/user/api/services" (parse https://mycompany.com/go/user/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/call/api/handler: unrecognized import path "mycompany.com/go/call/api/handler" (parse https://mycompany.com/go/call/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/call/api/metrics: unrecognized import path "mycompany.com/go/call/api/metrics" (parse https://mycompany.com/go/call/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/call/api/services: unrecognized import path "mycompany.com/go/call/api/services" (parse https://mycompany.com/go/call/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/metrics: unrecognized import path "mycompany.com/go/els-cobra/api/metrics" (parse https://mycompany.com/go/els-cobra/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/services: unrecognized import path "mycompany.com/go/els-cobra/api/services" (parse https://mycompany.com/go/els-cobra/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/cobra/wdx: unrecognized import path "mycompany.com/go/els-cobra/api/cobra/wdx" (parse https://mycompany.com/go/els-cobra/api/cobra/wdx?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/cobra/grpc/location: unrecognized import path "mycompany.com/go/els-cobra/api/cobra/grpc/location" (parse https://mycompany.com/go/els-cobra/api/cobra/grpc/location?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/cobra/geo: unrecognized import path "mycompany.com/go/els-cobra/api/cobra/geo" (parse https://mycompany.com/go/els-cobra/api/cobra/geo?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/cobra/operation: unrecognized import path "mycompany.com/go/els-cobra/api/cobra/operation" (parse https://mycompany.com/go/els-cobra/api/cobra/operation?go-get=1: no go-import meta tags ())
package mycompany.com/go/els-cobra/api/cobra/login: unrecognized import path "mycompany.com/go/els-cobra/api/cobra/login" (parse https://mycompany.com/go/els-cobra/api/cobra/login?go-get=1: no go-import meta tags ())
package mycompany.com/go/email/api/handler: unrecognized import path "mycompany.com/go/email/api/handler" (parse https://mycompany.com/go/email/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/email/api/metrics: unrecognized import path "mycompany.com/go/email/api/metrics" (parse https://mycompany.com/go/email/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/email/api/services: unrecognized import path "mycompany.com/go/email/api/services" (parse https://mycompany.com/go/email/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/feedback/api/handler: unrecognized import path "mycompany.com/go/feedback/api/handler" (parse https://mycompany.com/go/feedback/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/feedback/api/metrics: unrecognized import path "mycompany.com/go/feedback/api/metrics" (parse https://mycompany.com/go/feedback/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/feedback/api/services: unrecognized import path "mycompany.com/go/feedback/api/services" (parse https://mycompany.com/go/feedback/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/grpc/api/handler: unrecognized import path "mycompany.com/go/grpc/api/handler" (parse https://mycompany.com/go/grpc/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/grpc/api/metrics: unrecognized import path "mycompany.com/go/grpc/api/metrics" (parse https://mycompany.com/go/grpc/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/grpc/api/groupalarm: unrecognized import path "mycompany.com/go/grpc/api/groupalarm" (parse https://mycompany.com/go/grpc/api/groupalarm?go-get=1: no go-import meta tags ())
package mycompany.com/go/instruction/api/handler: unrecognized import path "mycompany.com/go/instruction/api/handler" (parse https://mycompany.com/go/instruction/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/instruction/api/metrics: unrecognized import path "mycompany.com/go/instruction/api/metrics" (parse https://mycompany.com/go/instruction/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/journal/api/handler: unrecognized import path "mycompany.com/go/journal/api/handler" (parse https://mycompany.com/go/journal/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/journal/api/metrics: unrecognized import path "mycompany.com/go/journal/api/metrics" (parse https://mycompany.com/go/journal/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/journal/api/services: unrecognized import path "mycompany.com/go/journal/api/services" (parse https://mycompany.com/go/journal/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/messaging/api/handler: unrecognized import path "mycompany.com/go/messaging/api/handler" (parse https://mycompany.com/go/messaging/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/messaging/api/metrics: unrecognized import path "mycompany.com/go/messaging/api/metrics" (parse https://mycompany.com/go/messaging/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/monitor/api/controller: unrecognized import path "mycompany.com/go/monitor/api/controller" (parse https://mycompany.com/go/monitor/api/controller?go-get=1: no go-import meta tags ())
package mycompany.com/go/monitor/api/metrics: unrecognized import path "mycompany.com/go/monitor/api/metrics" (parse https://mycompany.com/go/monitor/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/monitor/api/services: unrecognized import path "mycompany.com/go/monitor/api/services" (parse https://mycompany.com/go/monitor/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/newshub/api/handler: unrecognized import path "mycompany.com/go/newshub/api/handler" (parse https://mycompany.com/go/newshub/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/newshub/api/metrics: unrecognized import path "mycompany.com/go/newshub/api/metrics" (parse https://mycompany.com/go/newshub/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/newshub/api/services: unrecognized import path "mycompany.com/go/newshub/api/services" (parse https://mycompany.com/go/newshub/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/organization/api/handler: unrecognized import path "mycompany.com/go/organization/api/handler" (parse https://mycompany.com/go/organization/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/organization/api/metrics: unrecognized import path "mycompany.com/go/organization/api/metrics" (parse https://mycompany.com/go/organization/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/pager/api/handler: unrecognized import path "mycompany.com/go/pager/api/handler" (parse https://mycompany.com/go/pager/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/pager/api/metrics: unrecognized import path "mycompany.com/go/pager/api/metrics" (parse https://mycompany.com/go/pager/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/pager/api/services: unrecognized import path "mycompany.com/go/pager/api/services" (parse https://mycompany.com/go/pager/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/pager/hmsgr: unrecognized import path "mycompany.com/go/pager/hmsgr" (parse https://mycompany.com/go/pager/hmsgr?go-get=1: no go-import meta tags ())
package mycompany.com/go/pager/client: unrecognized import path "mycompany.com/go/pager/client" (parse https://mycompany.com/go/pager/client?go-get=1: no go-import meta tags ())
package mycompany.com/go/pager/common: unrecognized import path "mycompany.com/go/pager/common" (parse https://mycompany.com/go/pager/common?go-get=1: no go-import meta tags ())
package mycompany.com/go/rbac/api/handler: unrecognized import path "mycompany.com/go/rbac/api/handler" (parse https://mycompany.com/go/rbac/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/rbac/api/metrics: unrecognized import path "mycompany.com/go/rbac/api/metrics" (parse https://mycompany.com/go/rbac/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/support/api/services: unrecognized import path "mycompany.com/go/support/api/services" (parse https://mycompany.com/go/support/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/shop/api/handler: unrecognized import path "mycompany.com/go/shop/api/handler" (parse https://mycompany.com/go/shop/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/shop/api/metrics: unrecognized import path "mycompany.com/go/shop/api/metrics" (parse https://mycompany.com/go/shop/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/sms/api/handler: unrecognized import path "mycompany.com/go/sms/api/handler" (parse https://mycompany.com/go/sms/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/sms/api/metrics: unrecognized import path "mycompany.com/go/sms/api/metrics" (parse https://mycompany.com/go/sms/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/sms/api/services: unrecognized import path "mycompany.com/go/sms/api/services" (parse https://mycompany.com/go/sms/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/support/api/handler: unrecognized import path "mycompany.com/go/support/api/handler" (parse https://mycompany.com/go/support/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/support/api/metrics: unrecognized import path "mycompany.com/go/support/api/metrics" (parse https://mycompany.com/go/support/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/systemhook/api/handler: unrecognized import path "mycompany.com/go/systemhook/api/handler" (parse https://mycompany.com/go/systemhook/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/systemhook/api/metrics: unrecognized import path "mycompany.com/go/systemhook/api/metrics" (parse https://mycompany.com/go/systemhook/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/systemhook/api/services: unrecognized import path "mycompany.com/go/systemhook/api/services" (parse https://mycompany.com/go/systemhook/api/services?go-get=1: no go-import meta tags ())
package mycompany.com/go/user/api/handler: unrecognized import path "mycompany.com/go/user/api/handler" (parse https://mycompany.com/go/user/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/user/api/metrics: unrecognized import path "mycompany.com/go/user/api/metrics" (parse https://mycompany.com/go/user/api/metrics?go-get=1: no go-import meta tags ())
package mycompany.com/go/webin-proxy/api/metrics: unrecognized import path "mycompany.com/go/webin-proxy/api/metrics" (parse https://mycompany.com/go/webin-proxy/api/metrics?go-get=1: no go-import meta tags ())
package github.com/coreos/prometheus-operator/pkg/client/monitoring/v1: cannot find package "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1" in any of:
/usr/local/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring/v1 (from $GOROOT)
/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring/v1 (from $GOPATH)
package github.com/coreos/prometheus-operator/pkg/client/monitoring: cannot find package "github.com/coreos/prometheus-operator/pkg/client/monitoring" in any of:
/usr/local/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring (from $GOROOT)
/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring (from $GOPATH)
package github.com/coreos/prometheus-operator/pkg/client/monitoring/v1alpha1: cannot find package "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1alpha1" in any of:
/usr/local/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring/v1alpha1 (from $GOROOT)
/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring/v1alpha1 (from $GOPATH)
2019/06/22 10:44:32 exit status 1
2019/06/22 10:44:34 Container exited with non zero status code
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
ERROR: Job failed: exit code 1
The project has the following structure:
mycompany.com/
├── frontend/
│   ├── ...
│   └── ...
└── go/
    ├── go.sum
    ├── go.mod
    ├── vendor
    │   ├── github.com
    │   │   ├── ...
    │   │   └── ...
    │   └── ...
    ├── service_1
    │   ├── main.go
    │   └── ...
    ├── service_2
    │   ├── main.go
    │   └── ...
    └── ...
Locally and in the normal CI job the binaries build just fine; it seems that in the SAST CI job there is some problem regarding the local path and detecting the vendor directory.
Edited by Jean-Philippe Quéméner
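
A triage helper for the log above, as an added example that is not part of the original issue or of GitLab's analyzer code: it separates imports that the Go toolchain tried to fetch over HTTPS from imports it looked up only in `$GOROOT`/`$GOPATH`, and flags which of them belong to the project's own module. The module path `mycompany.com/go` is an assumption (the `module` line of `go/go.mod` is not shown in the issue), and the embedded log lines are a constructed sample in the shape of the quoted output.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the shape of the analyzer output quoted in the issue.
const sampleLog = `Found project in /tmp/app/go/admin
package mycompany.com/go/admin/api/handler: unrecognized import path "mycompany.com/go/admin/api/handler" (parse https://mycompany.com/go/admin/api/handler?go-get=1: no go-import meta tags ())
package mycompany.com/go/common: unrecognized import path "mycompany.com/go/common" (parse https://mycompany.com/go/common?go-get=1: no go-import meta tags ())
package github.com/coreos/prometheus-operator/pkg/client/monitoring/v1: cannot find package "github.com/coreos/prometheus-operator/pkg/client/monitoring/v1" in any of:
	/usr/local/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring/v1 (from $GOROOT)
	/go/src/github.com/coreos/prometheus-operator/pkg/client/monitoring/v1 (from $GOPATH)
2019/06/22 10:44:32 exit status 1`

// Finding is one unresolved import reported by the Go toolchain.
type Finding struct {
	Import     string
	Kind       string // "remote-fetch": HTTPS go-get lookup failed; "gopath-miss": not in GOROOT/GOPATH
	FirstParty bool   // import path lies under the project's own module path
}

var (
	reRemote = regexp.MustCompile(`^package (\S+): unrecognized import path "`)
	reGopath = regexp.MustCompile(`^package (\S+): cannot find package "`)
)

// Classify scans job output and labels every unresolved import.
// modulePath is supplied by the caller (assumed here, not taken from the issue).
func Classify(log, modulePath string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		kind := "remote-fetch"
		m := reRemote.FindStringSubmatch(line)
		if m == nil {
			kind = "gopath-miss"
			m = reGopath.FindStringSubmatch(line)
		}
		if m == nil {
			continue // not an unresolved-import line
		}
		first := m[1] == modulePath || strings.HasPrefix(m[1], modulePath+"/")
		out = append(out, Finding{Import: m[1], Kind: kind, FirstParty: first})
	}
	return out
}

// Count returns how many findings have the given kind and first-party flag.
func Count(fs []Finding, kind string, firstParty bool) int {
	n := 0
	for _, f := range fs {
		if f.Kind == kind && f.FirstParty == firstParty {
			n++
		}
	}
	return n
}

func main() {
	fs := Classify(sampleLog, "mycompany.com/go")
	// First-party packages sent to a remote lookup: go.mod was not used for resolution.
	fmt.Printf("first-party imports sent to remote fetch: %d\n", Count(fs, "remote-fetch", true))
	// Third-party packages searched only in GOROOT/GOPATH: vendor/ was not consulted.
	fmt.Printf("third-party imports missed in GOROOT/GOPATH: %d\n", Count(fs, "gopath-miss", false))
}
```

A non-zero first count means the scan tried to resolve the repository's own packages over the network, which matches the suspicion in the issue that the SAST job does not pick up `go.mod` and `vendor` from the `go/` directory.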