
git certificate error with ADDITIONAL_CA_CERT_BUNDLE on alpine containers

Summary

Certain Dependency Scanning analyzers fail with a self-signed certificate error when GEMNASIUM_DB_REMOTE_URL points at a server whose certificate is supplied through ADDITIONAL_CA_CERT_BUNDLE. This is related to the system certificate store that git uses on Alpine (potentially other tools are affected too).

Steps to reproduce

This needs a git server with a self-signed certificate. In this case we use: https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db

  1. echo -n | openssl s_client -connect gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.crt
  2. docker run -it --entrypoint /bin/ash -v $PWD:/tmp/foo alpine:latest
  3. apk add git
  4. cp /tmp/foo/test.crt /etc/ssl/certs # what common/cacert does
  5. git clone https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db

Example Project

https://gitlab.com/gitlab-org/security-products/tests/go-modules/pipelines/148212925

What is the current bug behavior?

Running the analyzer with GEMNASIUM_DB_REMOTE_URL pointing at a repo served with a self-signed certificate makes git fail with an "SSL certificate problem" error, and the scan fails. Copying the certificate into /etc/ssl/certs (step 4 above) is not enough: OpenSSL looks certificates up in that directory by subject-hash file name, and git's default CA file is the merged /etc/ssl/certs/ca-certificates.crt, so a file named test.crt is found by neither.

Current workaround:

  • add GIT_SSL_NO_VERIFY=true to the .gitlab-ci.yml variables section. This disables certificate verification for every git HTTPS connection in the job, not only the internal one, so it is a stopgap rather than a fix.

What is the expected correct behavior?

No error should occur. The scan should succeed.

Possible fixes

Switch common/cacert from writing the certificate bundle into /etc/ssl/certs to installing it under /usr/local/share/ca-certificates and running update-ca-certificates. Unfortunately this requires invoking a system command from the analyzer.

This sequence works:

  1. echo -n | openssl s_client -connect gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.crt
  2. docker run -it --entrypoint /bin/ash -v $PWD:/tmp/foo alpine:latest
  3. apk add git
  4. cp /tmp/foo/test.crt /usr/local/share/ca-certificates/
  5. update-ca-certificates
  6. git clone https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db

Proposal

  1. Update the cacert.write function to also explicitly set http.sslCAInfo by writing the path of the custom CA certificate file to /etc/gitconfig:

    [http]
            sslCAInfo = /usr/local/share/ca-certificates/test.crt

     Note that http.sslCAInfo replaces git's default CA file rather than extending it. If the analyzer also clones from hosts with publicly trusted certificates, point it at the merged bundle that update-ca-certificates produces (/etc/ssl/certs/ca-certificates.crt on Alpine) instead of at test.crt alone.
  2. Add a manual test here to verify that the above solution works

  3. Update the common package for analyzer projects that use git for pulling vulnerability definitions

Edited by Adam Cohen