DAST fails with private, Kubernetes runners
Summary
When using a runner installed in a private Kubernetes cluster, the dast
job fails with the following message:

```
2020-06-11 20:58:32,288 Failed to run docker - is it on your path?
2020-06-11 20:58:32,288 Failed to start ZAP in docker :(
cp: cannot stat '/zap/wrk/*': No such file or directory
```
Steps to reproduce
- Create a new project
- Configure and attach a Kubernetes cluster
- Run auto-devops on the new repository
Example Project
- https://gitlab.com/gitlab-com/alliances/aws/sandbox-projects/bottlerocket-support-auto-devops/
- Failing job: https://gitlab.com/gitlab-com/alliances/aws/sandbox-projects/bottlerocket-support-auto-devops/-/jobs/592050433#L32
What is the current bug behavior?
The job fails with:

```
[snip]
$ /analyze
2020-06-11 20:58:32,191 using Python 3.6.9 (default, Nov 7 2019, 10:44:02) [GCC 8.3.0]
2020-06-11 20:58:32,191 waiting for http://dast-19305271-dast-default.bottlerocket.gl-demo.io to be available
2020-06-11 20:58:32,191 requesting access to http://dast-19305271-dast-default.bottlerocket.gl-demo.io
2020-06-11 20:58:32,220 starting scan
2020-06-11 20:58:32,285 A newer version of python_owasp_zap_v2.4 is available. Please run 'pip install -U python_owasp_zap_v2.4' to update to the latest version.
2020-06-11 20:58:32,286 Script params: [('-t', 'http://dast-19305271-dast-default.bottlerocket.gl-demo.io'), ('-m', 1), ('-z', '-config selenium.firefoxDriver=/usr/bin/geckodriver -silent')]
2020-06-11 20:58:32,288 Failed to run docker - is it on your path?
2020-06-11 20:58:32,288 Failed to start ZAP in docker :(
cp: cannot stat '/zap/wrk/*': No such file or directory
[snip]
```
What is the expected correct behavior?
DAST runs correctly, like https://gitlab.com/jkrooswyk/joel-springsample/-/jobs/568838630, using a shared runner on gitlab.com.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Possible fixes
The error seems to come from this test in the ZAP baseline script, which only looks for a `/.dockerenv` file:

```python
import os

def running_in_docker():
    # True only if the marker file that the Docker engine creates in
    # every container it starts is present at the filesystem root.
    return os.path.exists('/.dockerenv')
```

When that check returns False, execution reaches this line in ZAP: https://github.com/zaproxy/zaproxy/blob/5aa172b3b4fc24724d9ed84414233efbc46eb580/docker/zap-baseline.py#L298, where the script tries to start Docker itself with the ZAP image, which is what fails on the runner.
It seems that this file is missing for some reason when running under these conditions; we need to find out why.
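For comparison, here is an added example (not ZAP's code, and not a proposed patch to the project) of a container check that does not hinge on one marker file. `/.dockerenv` is written by the Docker engine when it starts a container, so a pod started by a different runtime is not recognised by the check above; this version combines the marker files, the runtime path in `/proc/1/cgroup` and the `KUBERNETES_SERVICE_HOST` variable that Kubernetes injects into every pod, and reports which signals matched. The sample cgroup contents are constructed for the offline test, not captured from the failing job.

```python
"""Multi-signal container detection (added example, not part of ZAP)."""
import os
import re

# Constructed sample contents of /proc/1/cgroup for the offline checks below.
SAMPLE_CGROUP_K8S = (
    "12:pids:/kubepods/burstable/pod1111-2222/aaaa\n"
    "11:memory:/kubepods/burstable/pod1111-2222/aaaa\n"
)
SAMPLE_CGROUP_DOCKER = "12:pids:/docker/aaaa\n11:memory:/docker/aaaa\n"
SAMPLE_CGROUP_HOST = "12:pids:/\n11:memory:/\n"
# On a cgroup v2 host a container often sees only this line, so the cgroup
# signal alone is not enough there; the environment signal still fires in a pod.
SAMPLE_CGROUP_V2 = "0::/\n"

# Runtime names that commonly appear in the cgroup path of a containerised PID 1.
CGROUP_PATTERN = re.compile(r"/(docker|kubepods|containerd|crio|lxc)[/-]")

# Marker files written by Docker (/.dockerenv) and by podman/CRI-O (/run/.containerenv).
MARKER_CANDIDATES = ("/.dockerenv", "/run/.containerenv")


def container_signals(marker_files, cgroup_text, environ):
    """Return the list of signals suggesting the process runs in a container.

    marker_files: marker paths found to exist (subset of MARKER_CANDIDATES).
    cgroup_text:  contents of /proc/1/cgroup.
    environ:      mapping of environment variables.
    """
    signals = [f"marker:{path}" for path in marker_files]
    if CGROUP_PATTERN.search(cgroup_text):
        signals.append("cgroup:runtime-path")
    if "KUBERNETES_SERVICE_HOST" in environ:
        signals.append("env:KUBERNETES_SERVICE_HOST")
    return signals


def running_in_container(marker_files, cgroup_text, environ):
    """Boolean form of container_signals, usable in place of a single-file check."""
    return bool(container_signals(marker_files, cgroup_text, environ))


def detect_live():
    """Evaluate the current process against the real filesystem and environment."""
    present = [p for p in MARKER_CANDIDATES if os.path.exists(p)]
    try:
        with open("/proc/1/cgroup") as fh:
            cgroup_text = fh.read()
    except OSError:
        cgroup_text = ""
    return container_signals(present, cgroup_text, os.environ)


if __name__ == "__main__":
    # Run inside a runner pod to see which signals are available there.
    print(detect_live())
```

Running `detect_live()` in a job on the affected runner shows directly which signals the pod does and does not expose, which is the information needed to decide whether the missing `/.dockerenv` is a runtime difference or a runner configuration issue.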
/cc @sethgitlab @derekferguson for prioritization /cc @khair1 for reporting this problem.