SAST eslint with custom CA fails to write gitconfig

Summary

SAST ESlint analyzer fails to write Custom CA bundle to /etc/gitconfig, because it is running as node user without write access to /etc.

Steps to reproduce

create project that will trigger eslint-sast analyser (JavaScript)
include SAST template in .gitlab-ci.yml
add ADDITIONAL_CA_CERT_BUNDLE as multiline variable
run pipeline

Example Project

https://gitlab.com/peter.jakubis/eslint-gitconfig-custom-ca/-/jobs/752331720

What is the current bug behavior?

ESlint-sast job fails.

What is the expected correct behavior?

ESlint-sast properly configures custom CA bundle and analyzes the code.

Relevant logs and/or screenshots

$ /analyzer run
[INFO] [ESLint] [2020-09-23T05:16:20Z] ▶ GitLab ESLint analyzer v2.9.1
[FATA] [ESLint] [2020-09-23T05:16:20Z] ▶ open /etc/gitconfig: permission denied
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files    
ERROR: No files to upload                          
ERROR: Job failed: exit code 1

Output of checks

This bug happens on GitLab.com.
This bug happens on self-hosted 13.3.5 (see below).

Results of GitLab environment info

Expand for output related to GitLab environment info


System information
System:         RedHatEnterpriseServer 7.8
Proxy:          http_proxy: _reducted_
                https_proxy: _reducted_
                no_proxy: _reducted_
Current User:   git
Using RVM:      no
Ruby Version:   2.6.6p146
Gem Version:    2.7.10
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.9
Git Version:    2.28.0
Sidekiq Version:5.2.9
Go Version:     unknown

GitLab information
Version:        13.3.5-ee
Revision:       f2cfe35c0b4
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.3
URL:            https://_reducted_
HTTP Clone URL: https://_reducted_/some-group/some-project.git
SSH Clone URL:  git@_reducted_:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers: saml

GitLab Shell
Version:        13.6.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab subtasks ... Checking GitLab Shell ... GitLab Shell: ... GitLab Shell version >= 13.6.0 ? ... OK (13.6.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Gitaly ... Gitaly: ... default ... OK Checking Gitaly ... Finished Checking Sidekiq ... Sidekiq: ... Running? ... yes Number of Sidekiq processes ... 1 Checking Sidekiq ... Finished Checking Incoming Email ... Incoming Email: ... Reply by email is disabled in config/gitlab.yml Checking Incoming Email ... Finished Checking LDAP ... LDAP: ... Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 9 users of 100 limit. Checking LDAP ... Finished Checking GitLab App ... Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 13/6 ... yes 13/7 ... yes 15/11 ... yes 15/12 ... yes 23/13 ... yes 25/18 ... yes 15/24 ... yes 23/25 ... yes 13/26 ... yes 13/27 ... yes 15/29 ... yes 15/31 ... yes 27/32 ... yes 23/34 ... yes 15/37 ... yes 13/38 ... yes 15/39 ... yes 15/40 ... yes 13/41 ... yes 27/43 ... yes 27/44 ... yes 27/47 ... yes 23/48 ... yes 23/49 ... yes 23/50 ... yes 23/51 ... yes 23/52 ... yes 23/53 ... yes 23/54 ... yes 23/55 ... yes 23/56 ... yes 27/57 ... yes 13/58 ... yes 27/59 ... yes 23/60 ... yes 23/61 ... yes 55/62 ... yes 27/63 ... yes 59/64 ... yes Redis version >= 4.0.0? ... yes Ruby version >= 2.5.3 ? ... yes (2.6.6) Git version >= 2.24.0 ? ... yes (2.28.0) Git user has default SSH configuration? ... yes Active users: ... 4 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... no Try fixing it: Please migrate all projects to hashed storage as legacy storage is deprecated in 13.0 and support will be removed in 14.0. For more information see: doc/administration/repository_storage_types.md Elasticsearch version 6.x - 7.x? ... skipped (elasticsearch is disabled) Checking GitLab App ... Finished Checking GitLab subtasks ... Finished

Possible fixes

The error itself is caused by https://gitlab.com/gitlab-org/security-products/analyzers/common/-/blob/master/cacert/bundle.go#L69, but it is more permission issue.

Edited Sep 23, 2020 by Ghost User