SAST eslint with custom CA fails to write gitconfig
Summary
SAST ESlint analyzer fails to write Custom CA bundle to /etc/gitconfig
, because it is running as node
user without write access to /etc
.
Steps to reproduce
- create project that will trigger
eslint-sast
analyser (JavaScript) - include SAST template in
.gitlab-ci.yml
- add
ADDITIONAL_CA_CERT_BUNDLE
as multiline variable - run pipeline
Example Project
https://gitlab.com/peter.jakubis/eslint-gitconfig-custom-ca/-/jobs/752331720
What is the current bug behavior?
ESlint-sast job fails.
What is the expected correct behavior?
ESlint-sast properly configures custom CA bundle and analyzes the code.
Relevant logs and/or screenshots
$ /analyzer run
[INFO] [ESLint] [2020-09-23T05:16:20Z] ▶ GitLab ESLint analyzer v2.9.1
[FATA] [ESLint] [2020-09-23T05:16:20Z] ▶ open /etc/gitconfig: permission denied
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
ERROR: Job failed: exit code 1
Output of checks
This bug happens on GitLab.com.
This bug happens on self-hosted 13.3.5 (see below).
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: RedHatEnterpriseServer 7.8 Proxy: http_proxy: _reducted_ https_proxy: _reducted_ no_proxy: _reducted_ Current User: git Using RVM: no Ruby Version: 2.6.6p146 Gem Version: 2.7.10 Bundler Version:1.17.3 Rake Version: 12.3.3 Redis Version: 5.0.9 Git Version: 2.28.0 Sidekiq Version:5.2.9 Go Version: unknown GitLab information Version: 13.3.5-ee Revision: f2cfe35c0b4 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 12.3 URL: https://_reducted_ HTTP Clone URL: https://_reducted_/some-group/some-project.git SSH Clone URL: git@_reducted_:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: yes Using Omniauth: yes Omniauth Providers: saml GitLab Shell Version: 13.6.0 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab subtasks ... Checking GitLab Shell ... GitLab Shell: ... GitLab Shell version >= 13.6.0 ? ... OK (13.6.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Gitaly ... Gitaly: ... default ... OK Checking Gitaly ... Finished Checking Sidekiq ... Sidekiq: ... Running? ... yes Number of Sidekiq processes ... 1 Checking Sidekiq ... Finished Checking Incoming Email ... Incoming Email: ... Reply by email is disabled in config/gitlab.yml Checking Incoming Email ... Finished Checking LDAP ... LDAP: ... Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 9 users of 100 limit. Checking LDAP ... Finished Checking GitLab App ... Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 13/6 ... yes 13/7 ... yes 15/11 ... yes 15/12 ... yes 23/13 ... yes 25/18 ... yes 15/24 ... yes 23/25 ... yes 13/26 ... yes 13/27 ... yes 15/29 ... yes 15/31 ... yes 27/32 ... yes 23/34 ... yes 15/37 ... yes 13/38 ... yes 15/39 ... yes 15/40 ... yes 13/41 ... yes 27/43 ... yes 27/44 ... yes 27/47 ... yes 23/48 ... yes 23/49 ... yes 23/50 ... yes 23/51 ... yes 23/52 ... yes 23/53 ... yes 23/54 ... yes 23/55 ... yes 23/56 ... yes 27/57 ... yes 13/58 ... yes 27/59 ... yes 23/60 ... yes 23/61 ... yes 55/62 ... yes 27/63 ... yes 59/64 ... yes Redis version >= 4.0.0? ... yes Ruby version >= 2.5.3 ? ... yes (2.6.6) Git version >= 2.24.0 ? ... yes (2.28.0) Git user has default SSH configuration? ... yes Active users: ... 4 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... no Try fixing it: Please migrate all projects to hashed storage as legacy storage is deprecated in 13.0 and support will be removed in 14.0. For more information see: doc/administration/repository_storage_types.md Elasticsearch version 6.x - 7.x? ... skipped (elasticsearch is disabled) Checking GitLab App ... Finished Checking GitLab subtasks ... Finished
Possible fixes
The error itself is caused by https://gitlab.com/gitlab-org/security-products/analyzers/common/-/blob/master/cacert/bundle.go#L69, but it is more permission issue.