Custom CA certificates do not work for analyzers using system commands to pull dependencies
Summary
Some SAST analyzers use system tools such as git to pull dependencies. While we can now provide custom CA certificates to our analyzers, that change does not install the provided certificates into the trust store of the underlying system, so the system tool still does not trust the server and the dependency fetch fails.
At this time we know the gosec analyzer needs to be patched. Others are currently being investigated, including spotbugs and security-code-scan.
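As an added illustration of the gap described above (this is example code written for this page, not code from the issue or from any GitLab analyzer), the Go program below does what an analyzer has to do before shelling out: it validates the supplied PEM bundle, then exports the bundle path to the system tool through the variables those tools actually read (GIT_SSL_CAINFO for git, CURL_CA_BUNDLE for curl, SSL_CERT_FILE for OpenSSL-linked programs and Go's own crypto/x509 on Unix) and passes it again as `-c http.sslCAInfo=...` on the git command line. The self-signed CA it generates is constructed test data so the program runs offline, and the repository URL is hypothetical; the clone command is built but not executed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// Variables that git, curl and OpenSSL-based tools consult for their CA trust
// store. Setting them in the child's environment is what "installing" the
// custom certificates means for a tool invoked via exec.
var caEnvVars = []string{"GIT_SSL_CAINFO", "CURL_CA_BUNDLE", "SSL_CERT_FILE"}

// ValidateBundle parses a PEM CA bundle and returns the number of certificates
// it holds. An empty bundle or a non-certificate block is reported here, rather
// than surfacing later as an opaque TLS failure inside git.
func ValidateBundle(bundle []byte) (int, error) {
	n := 0
	for rest := bundle; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return n, fmt.Errorf("unexpected PEM block %q in bundle", block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return n, fmt.Errorf("certificate %d: %w", n+1, err)
		}
		n++
	}
	if n == 0 {
		return 0, fmt.Errorf("bundle contains no certificates")
	}
	return n, nil
}

// TrustedEnv returns base with bundlePath exported under every name in
// caEnvVars, dropping any previous value for those names.
func TrustedEnv(base []string, bundlePath string) []string {
	override := map[string]bool{}
	for _, v := range caEnvVars {
		override[v] = true
	}
	out := make([]string, 0, len(base)+len(caEnvVars))
	for _, kv := range base {
		if !override[strings.SplitN(kv, "=", 2)[0]] {
			out = append(out, kv)
		}
	}
	for _, v := range caEnvVars {
		out = append(out, v+"="+bundlePath)
	}
	return out
}

// GitCloneCmd builds the git invocation an analyzer would run, with the bundle
// supplied both in the environment and as a per-invocation config override.
func GitCloneCmd(repoURL, dest, bundlePath string) *exec.Cmd {
	cmd := exec.Command("git", "-c", "http.sslCAInfo="+bundlePath, "clone", repoURL, dest)
	cmd.Env = TrustedEnv(os.Environ(), bundlePath)
	return cmd
}

// SelfSignedCAPEM produces a throwaway self-signed CA certificate (constructed
// test data) so the example can run without a real private CA.
func SelfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-internal-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := SelfSignedCAPEM()
	if err != nil {
		fmt.Println("generate:", err)
		return
	}
	dir, _ := os.MkdirTemp("", "ca-bundle")
	defer os.RemoveAll(dir)
	bundlePath := filepath.Join(dir, "ca-bundle.pem")
	_ = os.WriteFile(bundlePath, pemBytes, 0o644)
	n, err := ValidateBundle(pemBytes)
	fmt.Println("certificates in bundle:", n, "err:", err)
	// Hypothetical dependency host; the command is only built, not run.
	cmd := GitCloneCmd("https://deps.internal.example/lib.git", filepath.Join(dir, "lib"), bundlePath)
	fmt.Println("would run:", cmd.Args)
}
```

The point of exporting the same path under several names is that an analyzer rarely knows which TLS stack its helper tool links against; git itself reads GIT_SSL_CAINFO, but a go toolchain or curl invoked for the same fetch reads SSL_CERT_FILE or CURL_CA_BUNDLE instead. Validating the bundle first catches the common case where the variable is set but points at an empty or non-PEM file.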
Steps to reproduce
A project which provides a proxy server using a self-signed certificate has been created. Steps for its use are in its README.
What is the current bug behavior?
A project whose dependencies are hosted on a server presenting a self-signed certificate is not scanned by SAST: the analyzer's system tool (for example git) does not trust the certificate, so the dependency fetch fails and the scan cannot complete.
What is the expected correct behavior?
When a custom certificate is provided, the SAST analyzer (including any system tool it calls to pull dependencies) trusts it, the dependencies are fetched, and the scan completes.
Output of checks
This bug happens on GitLab.com