SAST reports no vulnerabilities for .NET projects
Summary
When using the SAST template, SAST no longer reports vulnerabilities when scanning .NET projects. The root cause of this bug was introduced in security-code-scan v2.3.0, but the bug started to impact all .NET projects when a default value was set for SAST_EXCLUDED_PATHS, in GitLab %13.1.
Further details
In the implementation of security-code-scan, the findProjects function skips any path that matches an excluded path set in SAST_EXCLUDED_PATHS. Note that it checks the absolute paths, not the relative paths. This behavior was introduced in gitlab-org/security-products/analyzers/security-code-scan!21 (merged) when adding support for .NET Core multiprojects. This has been published as security-code-scan v2.3.0.
Later on, in GitLab %13.1, the default value for SAST_EXCLUDED_PATHS was set to spec, test, tests, tmp. See !34076 (merged). Unfortunately, this pattern matches the directory where the scanned project is mounted during the scan.
When running SAST in Docker-in-Docker (DinD) mode, the scanned repository is mounted at /tmp/app. See orchestrator/analyzer.go. When DinD is disabled, as is now the case by default, GitLab CI is responsible for making the repository available to the CI job and for setting CI_PROJECT_DIR accordingly.
See #222789 (comment 366223675)
Steps to reproduce
- create a .NET project
- enable SAST by including the SAST template
- trigger a pipeline
Example Project
csharp-dotnetcore-multiproject, a test project that is used for QA.
What is the current bug behavior?
SAST no longer reports vulnerabilities.
What is the expected correct behavior?
SAST reports vulnerabilities.
Relevant logs and/or screenshots
SAST should report vulnerabilities for csharp-dotnetcore-multiproject but this is no longer the case. See job output:
Found project in /tmp/app
It previously reported vulnerabilities in WebApp/Controllers/HomeController.cs and WebLib/GetRandom.cs. See job output:
Found project in /tmp/app
Found project in /tmp/app/WebApp
Found project in /tmp/app/WebLib
+------------------------------------------------------------------------------------------------+
| Severity | Tool | Location |
+------------------------------------------------------------------------------------------------+
| | Security Code Scan | WebApp/Controllers/HomeController.cs:52 |
| |
| Path traversal: injection possible in 1st argument passed to 'System.IO.File.ReadAllBytes' |
+------------------------------------------------------------------------------------------------+
| | Security Code Scan | WebLib/GetRandom.cs:11 |
| |
| Weak random generator |
+------------------------------------------------------------------------------------------------+
Possible fixes
The fix is to change the findProjects function so that it translates absolute paths to relative paths before matching against SAST_EXCLUDED_PATHS.
A workaround is to force SAST_EXCLUDED_PATHS to an empty string, or to any string that doesn't match /tmp/app. See gitlab-org/security-products/analyzers/security-code-scan!35 (closed) and the resulting output for the sast job.
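The following Go program is an added illustration of the exclusion logic described under "Further details" and "Possible fixes"; it is not security-code-scan's own code. It reproduces the bug (matching the absolute path, so the mount point /tmp/app is caught by the default pattern "tmp"), the proposed fix (matching the path made relative to the scan root), and the workaround (an empty SAST_EXCLUDED_PATHS). The matching rule used here, a pattern excludes a path when it equals one of the path's components, is an assumption for the example; the function names parseExcludedPaths, isExcluded and filterProjects and the sample project list are constructed for it. Note that the workaround also stops excluding real test directories, which the relative-path fix keeps excluding.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// parseExcludedPaths splits a SAST_EXCLUDED_PATHS value such as
// "spec, test, tests, tmp" into trimmed, non-empty patterns. An empty string,
// the workaround from the issue, yields no patterns at all.
func parseExcludedPaths(value string) []string {
	var patterns []string
	for _, p := range strings.Split(value, ",") {
		if p = strings.TrimSpace(p); p != "" {
			patterns = append(patterns, p)
		}
	}
	return patterns
}

// isExcluded reports whether projectPath should be skipped. The matching rule
// (a pattern excludes a path when it equals one of the path's components) is an
// assumption for this example, not security-code-scan's real implementation.
// With matchAbsolute set, the raw absolute path is compared, which is the bug:
// the mount point /tmp/app contains the component "tmp". Otherwise the path is
// first made relative to root, which is the proposed fix.
func isExcluded(root, projectPath string, patterns []string, matchAbsolute bool) (bool, error) {
	candidate := projectPath
	if !matchAbsolute {
		rel, err := filepath.Rel(root, projectPath)
		if err != nil {
			return false, err
		}
		candidate = rel // "." for the root project, "WebApp" for a subproject
	}
	components := strings.Split(filepath.ToSlash(candidate), "/")
	for _, pattern := range patterns {
		for _, c := range components {
			if c == pattern {
				return true, nil
			}
		}
	}
	return false, nil
}

// filterProjects returns the project directories that survive exclusion, in
// the order they were found.
func filterProjects(root string, projects []string, excludedPaths string, matchAbsolute bool) ([]string, error) {
	patterns := parseExcludedPaths(excludedPaths)
	kept := []string{}
	for _, p := range projects {
		skip, err := isExcluded(root, p, patterns, matchAbsolute)
		if err != nil {
			return nil, err
		}
		if !skip {
			kept = append(kept, p)
		}
	}
	return kept, nil
}

func main() {
	// Constructed sample: the DinD mount point plus the two subprojects from the
	// issue's job output, and a hypothetical test directory that should stay excluded.
	root := "/tmp/app"
	projects := []string{"/tmp/app", "/tmp/app/WebApp", "/tmp/app/WebLib", "/tmp/app/WebApp/test"}
	defaults := "spec, test, tests, tmp"

	buggy, _ := filterProjects(root, projects, defaults, true)
	fixed, _ := filterProjects(root, projects, defaults, false)
	workaround, _ := filterProjects(root, projects, "", true)

	fmt.Println("absolute matching (bug):  ", buggy)      // []
	fmt.Println("relative matching (fix):  ", fixed)      // [/tmp/app /tmp/app/WebApp /tmp/app/WebLib]
	fmt.Println("SAST_EXCLUDED_PATHS empty:", workaround) // all four paths, test directory included
}
```

Run it with `go run main.go`: with the default exclusions and absolute matching every project is dropped, which is exactly why the job output above shows only "Found project in /tmp/app" and no findings; with relative matching the root project and both subprojects are scanned while the test directory is still skipped.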