Add way for gemnasium to check out gemnasium-db from a repo with a self-signed certificate
Problem to solve
The gemnasium analyzer needs to check out a version of gemnasium-db to get advisories. Currently, in order to make this work in an environment where gemnasium-db is on a host with a self-signed certificate, we must pass GIT_SSL_NO_VERIFY: "true" to the DS job.

We ought to give users the ability to pass their self-signed certificates via the ADDITIONAL_CA_CERT_BUNDLE env variable and have gemnasium use these without any further configuration.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
Allow the gemnasium analyzer to pick up the ADDITIONAL_CA_CERT_BUNDLE variable at scan time and add it to the analyzer's system certificate store.
Implementation plan
Please note that the above env var is already available to the analyzer through common, so this issue should just be about testing that gemnasium runs without GIT_SSL_NO_VERIFY: "true" and updating the offline documentation for Dependency Scanning.
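For reference, the two job configurations the test above would compare, as an added example that is not part of the issue or of the gemnasium project. It assumes the Dependency Scanning template's gemnasium-dependency_scanning job name, the GEMNASIUM_DB_REMOTE_URL variable for pointing the analyzer at an internal gemnasium-db mirror, and a placeholder mirror URL and CA certificate.

```yaml
# Added example (not from the issue): a DS job for a project whose
# gemnasium-db mirror is served from a host with a self-signed certificate.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# Weak form (the current workaround): git's TLS verification is switched off
# entirely, so the advisory database is accepted from whatever answers at the
# mirror's address, with no check that it is the intended host.
#
# gemnasium-dependency_scanning:
#   variables:
#     GEMNASIUM_DB_REMOTE_URL: "https://git.example.internal/gemnasium-db.git"  # assumed mirror URL
#     GIT_SSL_NO_VERIFY: "true"

# Corrected form: verification stays on and only the CA that issued the
# mirror's certificate is added to the trust store. Per the issue, the
# analyzer already receives this variable through common, so nothing else
# needs to be configured.
gemnasium-dependency_scanning:
  variables:
    GEMNASIUM_DB_REMOTE_URL: "https://git.example.internal/gemnasium-db.git"  # assumed mirror URL
    ADDITIONAL_CA_CERT_BUNDLE: |
      -----BEGIN CERTIFICATE-----
      PLACEHOLDER: paste the PEM body of the internal CA certificate here
      -----END CERTIFICATE-----
```

The PEM placeholder must be replaced with the real CA certificate (not the server's leaf certificate) before the job will verify the mirror.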
Documentation
- update offline documentation for gemnasium
Availability & Testing
- test in a gemnasium test project (e.g. tests/go-modules) with gemnasium-db at a host with self-signed certificates
What does success look like, and how can we measure that?
Users will be able to invoke the gemnasium analyzer without having to use GIT_SSL_NO_VERIFY.
Is this a cross-stage feature?
No.