SAST `gosec` analyzer failing
Summary
The SAST gosec analyzer fails with exit status 2 when run with the default ADO configuration against a fresh Go project.
Steps to reproduce
docker run \
--interactive --tty --rm \
--volume "$PWD":/tmp/app \
--env CI_PROJECT_DIR=/tmp/app \
registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:2 /analyzer run
Example Project
I can attempt to create an example repo if necessary, but the project we're testing against is a fairly standard Go project hosting a gRPC server and grpc-gateway in the same process.
What is the current bug behavior?
SAST job fails with:
Found project in /tmp/app/cmd/proxy
go: finding ...
go: downloading ...
go: extracting ...
# example.gitlab.com/example/example/cmd/proxy
cmd/proxy/proxy.go:8:3: imported and not used: "fmt"
cmd/proxy/proxy.go:16:3: imported and not used: "github.com/go-chi/chi"
exit status 2
2019/09/06 14:51:39 Container exited with non zero status code
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
ERROR: Job failed: command terminated with exit code 1
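As an added illustration (not code from the issue, from GitLab, or from the gosec analyzer), the following Go program parses a job log like the one above and separates a Go compile failure, where the analyzer exits with status 2 after compiler diagnostics and never scans anything, from the artifact errors that follow it. The sample log is constructed from the lines quoted above; the type and function names (`DiagnoseLog`, `IsCompileFailure`, `Explain`) are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// CompileError is one Go compiler diagnostic extracted from a job log line
// of the form "path/file.go:LINE:COL: message".
type CompileError struct {
	File    string
	Line    int
	Col     int
	Message string
}

// LogDiagnosis summarises why an analyzer job ended without a SAST report.
type LogDiagnosis struct {
	Package       string         // package being built when the compiler failed ("# ..." header)
	CompileErrors []CompileError // compiler diagnostics found in the log
	ExitStatus    int            // value from an "exit status N" line, or -1 if absent
	ReportMissing bool           // set when the runner warns that gl-sast-report.json is missing
}

var (
	reCompileErr = regexp.MustCompile(`^(\S+\.go):(\d+):(\d+): (.+)$`)
	rePkgHeader  = regexp.MustCompile(`^# (\S+)$`)
	reExitStatus = regexp.MustCompile(`^exit status (\d+)$`)
)

// DiagnoseLog scans the job log line by line and fills a LogDiagnosis.
func DiagnoseLog(log string) LogDiagnosis {
	d := LogDiagnosis{ExitStatus: -1}
	for _, raw := range strings.Split(log, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case rePkgHeader.MatchString(line):
			d.Package = rePkgHeader.FindStringSubmatch(line)[1]
		case reCompileErr.MatchString(line):
			m := reCompileErr.FindStringSubmatch(line)
			ln, _ := strconv.Atoi(m[2])
			col, _ := strconv.Atoi(m[3])
			d.CompileErrors = append(d.CompileErrors, CompileError{File: m[1], Line: ln, Col: col, Message: m[4]})
		case reExitStatus.MatchString(line):
			d.ExitStatus, _ = strconv.Atoi(reExitStatus.FindStringSubmatch(line)[1])
		case strings.Contains(line, "gl-sast-report.json: no matching files"):
			d.ReportMissing = true
		}
	}
	return d
}

// IsCompileFailure reports whether the scan never ran because the project
// did not compile: compiler diagnostics followed by a non-zero exit status.
func IsCompileFailure(d LogDiagnosis) bool {
	return len(d.CompileErrors) > 0 && d.ExitStatus != 0
}

// Explain renders a one-line verdict suitable for a pipeline summary.
func Explain(d LogDiagnosis) string {
	if IsCompileFailure(d) {
		return fmt.Sprintf("scan skipped: %d compile error(s) in %s (exit status %d); fix the build before trusting the SAST result",
			len(d.CompileErrors), d.Package, d.ExitStatus)
	}
	if d.ReportMissing {
		return "no gl-sast-report.json was produced; check analyzer output"
	}
	return "analyzer completed"
}

// sampleLog is a constructed log assembled from the lines quoted in the issue.
const sampleLog = `Found project in /tmp/app/cmd/proxy
# example.gitlab.com/example/example/cmd/proxy
cmd/proxy/proxy.go:8:3: imported and not used: "fmt"
cmd/proxy/proxy.go:16:3: imported and not used: "github.com/go-chi/chi"
exit status 2
2019/09/06 14:51:39 Container exited with non zero status code
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
ERROR: Job failed: command terminated with exit code 1`

func main() {
	d := DiagnoseLog(sampleLog)
	for _, e := range d.CompileErrors {
		fmt.Printf("%s:%d:%d %s\n", e.File, e.Line, e.Col, e.Message)
	}
	fmt.Println(Explain(d))
}
```

Run on the captured analyzer output, this lets a pipeline wrapper report a missing gl-sast-report.json as "project does not compile" rather than as a scanner failure; the point for a defender is that a scan which never ran must not be read as "no findings".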
What is the expected correct behavior?
Manually executing the equivalent gosec -fmt=json -out=results.json ./... command locally works just fine.
[gosec] 2019/09/06 10:15:51 Including rules: default
[gosec] 2019/09/06 10:15:51 Excluding rules: default
[gosec] 2019/09/06 10:15:51 Import directory: /example/cmd/server/third_party/data/swagger
[gosec] 2019/09/06 10:15:52 Checking package: swagger
[gosec] 2019/09/06 10:15:52 Checking file: /example/cmd/server/third_party/data/swagger/datafile.go
[gosec] 2019/09/06 10:15:52 Import directory: /example/test
[gosec] 2019/09/06 10:15:53 Checking package: main
[gosec] 2019/09/06 10:15:53 Checking file: /example/test/client.go
[gosec] 2019/09/06 10:15:53 Import directory: /example/app/domain/model
[gosec] 2019/09/06 10:15:54 Checking package: model
[gosec] 2019/09/06 10:15:54 Checking file: /example/app/domain/model/author.go
[gosec] 2019/09/06 10:15:54 Checking file: /example/app/domain/model/base.go
[gosec] 2019/09/06 10:15:54 Checking file: /example/app/domain/model/db.go
[gosec] 2019/09/06 10:15:54 Checking file: /example/app/domain/model/organization.go
[gosec] 2019/09/06 10:15:54 Checking file: /example/app/domain/model/organizationSubUnit.go
[gosec] 2019/09/06 10:15:54 Import directory: /example/app/grpc/implementation
[gosec] 2019/09/06 10:15:56 Checking package: implementation
[gosec] 2019/09/06 10:15:56 Checking file: /example/app/grpc/implementation/author.go
[gosec] 2019/09/06 10:15:56 Checking file: /example/app/grpc/implementation/service.go
[gosec] 2019/09/06 10:15:56 Checking file: /example/app/grpc/implementation/submission.go
[gosec] 2019/09/06 10:15:56 Import directory: /example/app/grpc/strive
[gosec] 2019/09/06 10:15:57 Checking package: strive
[gosec] 2019/09/06 10:15:57 Checking file: /example/app/grpc/strive/swagger-export.go
[gosec] 2019/09/06 10:15:57 Checking file: /example/app/grpc/strive/swagger.pb.go
[gosec] 2019/09/06 10:15:57 Checking file: /example/app/grpc/strive/v1.pb.go
[gosec] 2019/09/06 10:15:57 Checking file: /example/app/grpc/strive/v1.pb.gw.go
[gosec] 2019/09/06 10:15:57 Import directory: /example/app/grpc/strive/util
[gosec] 2019/09/06 10:15:58 Checking package: main
[gosec] 2019/09/06 10:15:58 Checking file: /example/app/grpc/strive/util/swaggerconst.go
[gosec] 2019/09/06 10:15:58 Import directory: /example/cmd/proxy
[gosec] 2019/09/06 10:16:00 Checking package: main
[gosec] 2019/09/06 10:16:00 Checking file: /example/cmd/proxy/proxy.go
[gosec] 2019/09/06 10:16:00 Import directory: /example/cmd/server
[gosec] 2019/09/06 10:16:01 Checking package: main
[gosec] 2019/09/06 10:16:01 Checking file: /example/cmd/server/server.go
Output of checks
Not tested on GitLab.com; the instructions are unclear on how to obtain the requested GL environment info from Kubernetes-based installations (please advise if necessary). GL version is 12.1.3-ee (a05c811e).