Container Scanning Docker image doesn't execute analyzer if run without arguments
Summary
Version 3.0.0 of container scanning, which was updated in Change base image from Alpine to CentOS, returns the following error if the Docker image is run without arguments:
[dumb-init] /opt/gitlab/start.sh: No such file or directory
Steps to reproduce
docker run registry.gitlab.com/gitlab-org/security-products/analyzers/klar:3
[dumb-init] /opt/gitlab/start.sh: No such file or directory
What is the current bug behavior?
Container Scanning outputs an error message if run without arguments:
docker run \
--interactive --rm \
--volume "$PWD":/tmp/app \
-e CI_PROJECT_DIR=/tmp/app \
-e CLAIR_DB_CONNECTION_STRING="postgresql://postgres:password@gitlab.adamc:5432/postgres?sslmode=disable&statement_timeout=60000" \
-e DOCKER_IMAGE=registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e \
registry.gitlab.com/gitlab-org/security-products/analyzers/klar:3
[dumb-init] /opt/gitlab/start.sh: No such file or directory
What is the expected correct behavior?
Container Scanning should automatically execute /analyzer run if the image is run without arguments:
docker run \
--interactive --rm \
--volume "$PWD":/tmp/app \
-e CI_PROJECT_DIR=/tmp/app \
-e CLAIR_DB_CONNECTION_STRING="postgresql://postgres:password@gitlab.adamc:5432/postgres?sslmode=disable&statement_timeout=60000" \
-e DOCKER_IMAGE=registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e \
registry.gitlab.com/gitlab-org/security-products/analyzers/klar:2
[INFO] [klar] [2020-11-05T04:31:54Z] ▶ GitLab klar analyzer v2.6.0
[INFO] [klar] [2020-11-05T04:31:56Z] ▶ Scanning container from registry 'registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e' for vulnerabilities with severity level 'Unknown' or higher with klar '2.4.0' and clair 'v2.1.4'
Possible fixes
The cause of this issue is that Change base image from Alpine to CentOS modified the CMD directive in the Dockerfile from:
CMD ["/usr/bin/dumb-init", "/container-scanner/start.sh"]
to:
CMD ["/usr/bin/init", "/opt/gitlab/start.sh"]
But /opt/gitlab/start.sh doesn't exist. Also, the install.sh script that's supposed to symlink /container-scanner/start.sh to /opt/gitlab/script/start.sh doesn't work, because /opt/gitlab/script/start.sh also doesn't exist.
The fix is to ensure that the container-scanner/start.sh script is copied to the Docker image and referenced correctly.
In addition to the above, the error message that's currently generated is the following:
[dumb-init] /opt/gitlab/start.sh: No such file or directory
This is confusing, because the /usr/bin/dumb-init command was renamed to simply /usr/bin/init, so it's not obvious why dumb-init is complaining when the command is called init.
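A regression check for this class of bug, added here as an example and not part of the issue or the analyzer project: it reads the exec-form CMD and ENTRYPOINT arrays from a Dockerfile and verifies that every absolute path they name exists in an exported image filesystem. It assumes the Dockerfile uses exec form (a JSON array) and that the rootfs directory was produced with docker create and docker export, as shown in the comment.

```shell
#!/bin/sh
# Added example (not the issue's or the project's code).
# Check that every absolute path in the final CMD / ENTRYPOINT of a Dockerfile
# exists in an image root filesystem, so a CMD pointing at a missing script
# (e.g. /opt/gitlab/start.sh) fails the build instead of failing at run time.
#
# Assumed setup for a real image (not from the issue):
#   id=$(docker create "$IMAGE") && mkdir rootfs && docker export "$id" | tar -C rootfs -xf -

# Print the absolute paths named in the last exec-form ENTRYPOINT and CMD,
# one per line. Non-path arguments such as "run" are ignored.
cmd_paths() {
  for kw in ENTRYPOINT CMD; do
    grep -E "^$kw[[:space:]]+\[" "$1" | tail -n 1
  done \
    | sed -e 's/^[A-Z]*[[:space:]]*\[//' -e 's/\][[:space:]]*$//' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' \
    | grep '^/'
}

# check_cmd_paths DOCKERFILE ROOTFS
# Returns 0 when every path exists under ROOTFS; otherwise lists the missing
# paths on stdout and returns 1.
check_cmd_paths() {
  missing=$(cmd_paths "$1" | while IFS= read -r p; do
    [ -e "$2$p" ] || printf '%s\n' "$p"
  done)
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing" | sed 's/^/missing in image: /'
    return 1
  fi
  echo "all CMD/ENTRYPOINT paths present"
  return 0
}
```

Run it as `check_cmd_paths Dockerfile rootfs` in CI after building the image; the missing-path list is the same information the [dumb-init] error hides behind a misleading process name.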
Impact
- The documentation for Running the standalone container scanning tool is now incorrect, since it's not possible to run the Docker container without specifying the argument /analyzer run.
- Any customers who are using the Docker image directly to perform a scan and are not specifying the argument /analyzer run will encounter an error.
- Any customers who are using an older version of the Container-Scanning.gitlab-ci.yml template file and have overridden CS_MAJOR_VERSION to latest will encounter a failure.
/cc @thiagocsf @gonzoyumo