
Container Scanning no longer reports analyzer version

Summary

Version 3.0.0 of container scanning, which was updated in Change base image from Alpine to CentOS, no longer reports the analyzer version in the log output.

Steps to reproduce

$ docker run registry.gitlab.com/gitlab-org/security-products/analyzers/klar:3 /analyzer --version

[INFO] [klar] [2020-11-05T03:19:04Z] ▶ GitLab klar analyzer v
Incorrect Usage. flag provided but not defined: -version

[FATA] [klar] [2020-11-05T03:19:04Z] ▶ flag provided but not defined: -version

Example Project

Last working check analyzer version job:

Success: Analyzer binary version '3.0.0' matches CHANGELOG.md version '3.0.0'

Current check analyzer version job:

[INFO] [klar] [2020-11-04T18:18:33Z] ▶ GitLab klar analyzer v
[FATA] [klar] [2020-11-04T18:18:33Z] ▶ flag provided but not defined: -version

Warning: analyzer binary does not have a version configured. Please update the analyzer binary version to match the most recent version in CHANGELOG.md.

Note: the reason the above test results in a success status instead of a failure is that, when originally implementing Add version check job, one of the concerns was:

If the app.Version value is not configured, for example gemnasium doesn't define this value, then version-check will output a warning and return a 0 status code. This will allow us to immediately use this version-check script in all analyzer projects without altering existing behaviour.

So the check analyzer version job only fails if the reported version doesn't match the one in CHANGELOG.md; it does not fail if no version is reported at all, which is the current bug behaviour.

What is the current bug behavior?

Container Scanning version value is not output:

docker run registry.gitlab.com/gitlab-org/security-products/analyzers/klar:3 /analyzer --version

[FATA] [klar] [2020-11-05T03:19:04Z] ▶ flag provided but not defined: -version

What is the expected correct behavior?

Container Scanning version value should be output:

docker run registry.gitlab.com/gitlab-org/security-products/analyzers/klar:2 /analyzer --version

analyzer version 2.6.0
[INFO] [klar] [2020-11-05T03:29:42Z] ▶ GitLab klar analyzer v2.6.0

Possible fixes

The script/build file sets the AnalyzerVersion variable from script/version, which reads the version from the CHANGELOG.md file. However, CHANGELOG.md is not available in the Docker build context because **/*.md has been added to the .dockerignore file, so the version is set to an empty string. The fix is to remove **/*.md from .dockerignore.
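As an added example, not the project's own script/version or check analyzer version job, the POSIX shell below reproduces the check semantics described in the note above (warn and exit 0 on an empty version, fail only on a mismatch) against a constructed CHANGELOG.md, and adds a strict variant that also fails on an empty version. The "## vX.Y.Z" heading format is an assumption, as is the wording of the failure message.

```shell
#!/bin/sh
# Added example; not GitLab's script/version or version-check job.

# Extract the most recent version from a CHANGELOG.md given as a file path.
# Assumes the heading style "## v3.0.0" (an assumption, not taken from the issue).
changelog_version() {
  grep -E '^## v?[0-9]+\.[0-9]+\.[0-9]+' "$1" | head -n1 \
    | sed -E 's/^## v?([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Compare the version reported by the analyzer binary with the CHANGELOG version.
# Returns 0 on a match, 0 plus a warning when the binary reports no version at all
# (the gap the issue describes), and 1 on a mismatch.
check_analyzer_version() {
  binary_version="$1"
  changelog="$2"
  if [ -z "$binary_version" ]; then
    echo "Warning: analyzer binary does not have a version configured. Please update the analyzer binary version to match the most recent version in CHANGELOG.md."
    return 0
  fi
  if [ "$binary_version" = "$changelog" ]; then
    echo "Success: Analyzer binary version '$binary_version' matches CHANGELOG.md version '$changelog'"
    return 0
  fi
  # Failure message wording is assumed.
  echo "Failure: Analyzer binary version '$binary_version' does not match CHANGELOG.md version '$changelog'" >&2
  return 1
}

# Stricter variant: an empty binary version is treated as a failure,
# which would have caught the .dockerignore regression in CI.
check_analyzer_version_strict() {
  [ -n "$1" ] && check_analyzer_version "$1" "$2"
}

# Constructed sample CHANGELOG.md so the script runs stand-alone.
tmp_changelog=$(mktemp)
printf '# Changelog\n\n## v3.0.0\n- Change base image from Alpine to CentOS\n\n## v2.6.0\n- older release\n' > "$tmp_changelog"
expected=$(changelog_version "$tmp_changelog")
rm -f "$tmp_changelog"

check_analyzer_version "3.0.0" "$expected"   # Success, exit 0
check_analyzer_version "" "$expected"        # Warning, still exit 0
```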

/cc @gonzoyumo @thiagocsf

Edited by Adam Cohen