Support custom CA certs when the Retire.js analyzer installs npm packages

Problem to solve

Users of npm/yarn projects with a custom repository using a custom CA chain currently need extra configuration to make Dependency Scanning work. They must either:

Instead, users should be able to add their certificate using ADDITIONAL_CA_CERT_BUNDLE, as documented.

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Proposal

Make the analyzer set NODE_EXTRA_CA_CERTS from the value of ADDITIONAL_CA_CERT_BUNDLE so that all Node.js tools, such as npm, yarn and the retire.js module, use the given CA certificate bundle.

Currently, the analyzer may run npm or yarn to install dependencies, and then runs retire.

With this change, users will be able to use a private npm repository with a custom CA certificate chain without modifying the template or setting npm's strict-ssl option to false.
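The proposal above, as an added example that is not the analyzer's own code: a POSIX shell wrapper that turns the bundle in ADDITIONAL_CA_CERT_BUNDLE into a file for NODE_EXTRA_CA_CERTS (which Node.js reads as a path), refuses to proceed when the variable is empty or not PEM, and then runs the install and scan steps with strict TLS verification left on. The file path, the PEM check and the `count_certs` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the Retire.js analyzer's own code.
# Assumptions: ADDITIONAL_CA_CERT_BUNDLE holds PEM text (as GitLab documents it);
# Node.js reads NODE_EXTRA_CA_CERTS as a file path, so the text is written to a file.

# Write the PEM bundle in $1 to the file $2 and export NODE_EXTRA_CA_CERTS pointing at it.
# Returns 1 without touching the environment when the bundle is empty or not PEM, so a
# misconfigured variable fails loudly instead of silently leaving verification unchanged.
configure_node_ca() {
  bundle="$1"
  out="${2:-/tmp/additional-ca-bundle.pem}"
  case "$bundle" in
    *"-----BEGIN CERTIFICATE-----"*) ;;
    *) echo "ADDITIONAL_CA_CERT_BUNDLE is empty or not a PEM bundle" >&2; return 1 ;;
  esac
  umask 022
  printf '%s\n' "$bundle" > "$out" || return 1
  NODE_EXTRA_CA_CERTS="$out"
  export NODE_EXTRA_CA_CERTS
  return 0
}

# Count the certificates in the bundle file: a quick check that the whole chain
# (intermediates and root) survived the trip through the CI variable.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Typical analyzer flow: install, then scan. Node.js applies NODE_EXTRA_CA_CERTS to
# npm, yarn and retire alike, so strict-ssl stays enabled.
run_scan() {
  configure_node_ca "${ADDITIONAL_CA_CERT_BUNDLE:-}" || return 1
  if [ -f yarn.lock ]; then yarn install --frozen-lockfile; else npm ci; fi
  retire --path .
}
```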

Documentation

Availability & Testing

  • Test in the js-npm and js-yarn test projects with a custom npm repository.

What does success look like, and how can we measure that?

Users will be able to pass in a custom npm repo with a self-signed certificate and have the analyzer scan without certificate errors.

Is this a cross-stage feature?

No.

Links / references

Edited by Fabien Catteau