git certificate error with ADDITIONAL_CA_CERT_BUNDLE on Alpine containers
Summary
Certain Dependency Scanning analyzers fail with a self-signed certificate error when GEMNASIUM_DB_REMOTE_URL
points to a server whose certificate was supplied through ADDITIONAL_CA_CERT_BUNDLE. The bundle is copied into
/etc/ssl/certs, but git on Alpine (through libcurl/OpenSSL) does not pick up a loose .crt file dropped there: it
reads the generated /etc/ssl/certs/ca-certificates.crt bundle and the subject-hash-named links in that directory,
both of which only update-ca-certificates produces. Other tools that read the system store the same way are
probably affected too.
Steps to reproduce
This needs a git repository served with a self-signed certificate. In this case we use: https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db
Note that the sed pipeline below keeps only the leaf certificate that openssl s_client prints, which is the whole trust anchor for a self-signed server; for a server behind a private CA, add -showcerts and keep the issuing root instead.
- echo -n | openssl s_client -connect gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.crt
- docker run -it --entrypoint /bin/ash -v $PWD:/tmp/foo alpine:latest
- apk add git
- cp /tmp/foo/test.crt /etc/ssl/certs # this is what common/cacert does today
- git clone https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db
Example Project
https://gitlab.com/gitlab-org/security-products/tests/go-modules/pipelines/148212925
What is the current bug behavior?
Running an analyzer with GEMNASIUM_DB_REMOTE_URL pointing to a repository served with a self-signed certificate
fails with an "SSL certificate problem" error from git, and the scan fails.
Current workaround:
- add GIT_SSL_NO_VERIFY=true to the variables section of .gitlab-ci.yml
This disables certificate verification for every git HTTPS operation in the job, so anyone who can intercept the connection can serve a tampered vulnerability database; it is a stop-gap, not a fix.
What is the expected correct behavior?
No error should occur. The scan should succeed.
Possible fixes
Switch common/cacert from writing the cert bundle to /etc/ssl/certs to installing it with update-ca-certificates
(copy the file into /usr/local/share/ca-certificates/ and run update-ca-certificates, which regenerates
/etc/ssl/certs/ca-certificates.crt and the hash links). Unfortunately this requires shelling out to a system
command, and the ca-certificates package has to be present in the analyzer image.
This sequence works:
- echo -n | openssl s_client -connect gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > test.crt
- docker run -it --entrypoint /bin/ash -v $PWD:/tmp/foo alpine:latest
- apk add git
- cp /tmp/foo/test.crt /usr/local/share/ca-certificates/
- update-ca-certificates
- git clone https://gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal/analyzers/gemnasium-db
Proposal
- Update the cacert.write function to also explicitly set http.sslCAInfo, by writing the path of the custom CA certificate file to /etc/gitconfig:
  [http]
      sslCAInfo = /usr/local/share/ca-certificates/test.crt
  Since http.sslCAInfo replaces git's default CA bundle file rather than extending it, the file it points to must contain every CA the job's git operations need; for an image that also has to reach public hosts, append the custom certificate to the system bundle (or regenerate the bundle with update-ca-certificates) instead of pointing git at the private certificate alone.
- Add a manual test here to verify that the above solution works - job passed here
- Update the common package for analyzer projects that use git for pulling vulnerability definitions:
  - gemnasium
  - gemnasium-maven
  - gemnasium-python
  - bundler-audit
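As an added illustration of the first proposal item (example code written for this issue, not code from the analyzers' common package): a Go function that installs the bundle and points http.sslCAInfo at it, plus a check that mirrors what git will accept once that config is in place. The function names (WriteGitCABundle, ParsePEMCerts, VerifyAgainstBundle, NewSelfSignedCert), the hostname and the self-signed certificate are all constructed for the example; the real cacert.write signature is not reproduced here, and the example writes to a temp dir rather than /etc/gitconfig.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// WriteGitCABundle is a hypothetical stand-in for the proposed cacert.write change: it writes
// the PEM bundle to caFile and appends an [http] section to gitConfig (normally /etc/gitconfig).
// http.sslCAInfo replaces git's default bundle, so caFile must hold every CA git needs.
func WriteGitCABundle(bundlePEM []byte, caFile, gitConfig string) error {
	if _, err := ParsePEMCerts(bundlePEM); err != nil {
		return fmt.Errorf("refusing to install CA bundle: %w", err)
	}
	if err := os.WriteFile(caFile, bundlePEM, 0o644); err != nil {
		return err
	}
	existing, _ := os.ReadFile(gitConfig) // a missing gitconfig is fine: start a new one
	return os.WriteFile(gitConfig, append(existing, fmt.Sprintf("[http]\n\tsslCAInfo = %s\n", caFile)...), 0o644)
}

// ParsePEMCerts returns the certificates in a PEM bundle and fails on an empty or malformed
// one, so a broken ADDITIONAL_CA_CERT_BUNDLE is reported instead of silently breaking git.
func ParsePEMCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // keys or other PEM blocks are ignored
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found in bundle")
	}
	return certs, nil
}

// VerifyAgainstBundle checks a server certificate the way git/libcurl does once
// http.sslCAInfo is set: only roots in caFile are trusted, nothing else.
func VerifyAgainstBundle(caFile string, leaf *x509.Certificate, host string) error {
	pemData, err := os.ReadFile(caFile)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(pemData)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// NewSelfSignedCert builds a constructed self-signed server certificate (PEM) standing in for the air-gapped server's.
func NewSelfSignedCert(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "cacert")
	defer os.RemoveAll(dir)
	host := "gitlab-airgap-test.example.internal" // constructed hostname, not the real server
	bundle, err := NewSelfSignedCert(host)
	caFile, gitConfig := filepath.Join(dir, "ca-bundle.crt"), filepath.Join(dir, "gitconfig")
	if err == nil {
		err = WriteGitCABundle(bundle, caFile, gitConfig)
	}
	if err != nil {
		panic(err)
	}
	certs, _ := ParsePEMCerts(bundle)
	fmt.Println("git trusts the server via http.sslCAInfo:", VerifyAgainstBundle(caFile, certs[0], host) == nil)
}
```

The refusal to install an empty or malformed bundle is deliberate: with http.sslCAInfo pointing at a file that holds no usable certificate, every git clone in the job fails with the same "SSL certificate problem" the issue reports, so the error should surface at install time with a clear message rather than later from git.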