
Test secure analyzers running as non-root user in OpenShift environment

Problem to solve

As part of Engineering discovery: allow secure analyzer docker containers to run as a non-root user to support OpenShift, the following analyzers were updated to run as a non-root user:

  • bundler-audit
  • gemnasium root
  • gemnasium-maven
  • gemnasium-python
  • retire.js

However, an OpenShift testing instance was not available at the time, so we've been unable to test these analyzers to ensure that they work properly in an OpenShift environment.

The purpose of this issue is to test the above analyzers in an OpenShift environment, which will be possible once Openshift Secure testing has been completed.

Intended users

Proposal

Previous proposal:

Add automated tests for the following analyzers to ensure that they function correctly in an OpenShift environment:

  • bundler-audit
  • gemnasium
  • gemnasium-maven
  • gemnasium-python
  • retire.js

Manually test the following analyzers to ensure that they function correctly in an OpenShift environment:

How to test:

  1. Log in to the Red Hat OpenShift instance using the credentials from the Secure Openshift item in the GitLab engineering 1Password vault

  2. Go to the MR of the analyzer project to be tested, then from there to the Build QA image MR

  3. Open the build tmp image job of the last pipeline, scroll down, and click on one of the links that sets up a new pipeline in one of the supported test projects; see details

  4. Check the results of the pipeline and ensure it passed. For example, the following job failed for retire.js:

    RUNNING ANALYZER registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js/tmp:f392863c9e5c234322572b33c1f0b5497ae238e6
    
    $ whoami
    1000580000
    
    $ ls -al /etc/gitconfig
    -rw-rw-r--    1 root     gitlab           0 Dec  7 01:57 /etc/gitconfig
    
    $ /analyzer run
    [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ GitLab Retire.js analyzer v2.10.0
    [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Detecting project
    [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Found project in /builds/root/js-npm
    [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Running analyzer
    [INFO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Using python 3
    [DEBU] [Retire.js] [2021-01-18T23:45:36Z] ▶ /usr/local/bin/npm config set python /usr/bin/python3
    npm ERR! code EACCES
    npm ERR! syscall open
    npm ERR! path /.npmrc
    npm ERR! errno -13
    npm ERR! 
    npm ERR! Your cache folder contains root-owned files, due to a bug in
    npm ERR! previous versions of npm which has since been addressed.
    npm ERR! 
    npm ERR! To permanently fix this problem, please run:
    npm ERR!   sudo chown -R 1000580000:0 "/.npm"
    [ERRO] [Retire.js] [2021-01-18T23:45:36Z] ▶ Could not set Python version
    exit status 243
  5. If the job fails, figure out why this is happening and fix the corresponding analyzer. See this discussion for more details.
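What the retire.js failure above shows is the OpenShift arbitrary-UID model: under the default restricted SCC the container is started as a UID from the project's range (1000580000 here) whose only group is root (GID 0), whatever USER the image declares. That UID has no /etc/passwd entry, so HOME resolves to "/", which is why npm is trying to create /.npmrc and /.npm at the filesystem root; the "root-owned files in your cache" hint npm prints is a generic message and does not describe the cause. The /etc/gitconfig listed just before it is group-writable, but by group gitlab, not group 0, so the same UID cannot write it either. The script below is an added example, not part of this issue or of any GitLab analyzer: a pre-flight check an analyzer image can run to list the paths an arbitrary UID in group 0 could not write, together with the fix OpenShift's image guidelines describe (chgrp 0 and chmod g=u). The scratch tree it builds and the paths it checks are constructed for the demo, not taken from a real image.

```shell
#!/bin/sh
# Added example (not from the issue or any GitLab analyzer): pre-flight check
# for the OpenShift arbitrary-UID failure seen in the retire.js job above.
# OpenShift runs the container as a random UID whose only group is GID 0 and
# that has no passwd entry, so HOME is "/" and npm writes /.npmrc and /.npm.
# A path is usable by such a process only if group 0 can write it or it is
# world-writable. Every path and directory below is an assumption for the demo.

# Return 0 if PATH would be writable by an arbitrary UID whose GID is 0.
openshift_writable() {
    path=$1
    [ -e "$path" ] || return 1
    # `ls -n` is POSIX and prints numeric owner/group: "drwxrwxr-x 2 0 0 ..."
    set -- $(ls -ldn "$path")
    mode=$1
    gid=$4
    group_w=$(printf '%s\n' "$mode" | cut -c6)
    other_w=$(printf '%s\n' "$mode" | cut -c9)
    [ "$other_w" = w ] && return 0
    [ "$gid" = 0 ] && [ "$group_w" = w ] && return 0
    return 1
}

# Check every path an analyzer is expected to write, one report line each.
# Returns the number of paths that would fail under an arbitrary UID (0 = ok).
check_paths() {
    failures=0
    for p in "$@"; do
        if openshift_writable "$p"; then
            echo "ok    $p"
        else
            echo "FAIL  $p (not writable by gid 0 under an arbitrary uid)"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# The fix from OpenShift's image guidelines: hand the tree to group 0 and give
# the group the owner's permission bits. Needs root, i.e. a Dockerfile RUN step.
make_openshift_writable() {
    chgrp -R 0 "$1" && chmod -R g=u "$1"
}

# Demo on a constructed scratch tree that mimics the image in the log (not a
# real analyzer image): a HOME that is not group-writable, a gitconfig that is
# group-writable only for its own group, and a world-writable scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/home" "$demo/etc" "$demo/tmp"
: > "$demo/etc/gitconfig"
chmod 755 "$demo/home"          # like "/" in the log: npm cannot create .npmrc here
chmod 664 "$demo/etc/gitconfig" # like the log's root:gitlab file, if the group is not 0
chmod 1777 "$demo/tmp"          # world-writable, so any UID can use it
check_paths "$demo/home" "$demo/etc/gitconfig" "$demo/tmp" \
    || echo "$? path(s) need chgrp 0 + chmod g=u, or a writable HOME, before OpenShift"
rm -rf "$demo"
```

Run it inside the analyzer image with the identity OpenShift would assign, for example `docker run --rm --user 1000580000:0 <image> sh /check.sh`, and call make_openshift_writable from the Dockerfile (as root, before any USER instruction) on each directory it reports. For the HOME problem specifically, the usual OpenShift approach is to set HOME explicitly in the image (for instance ENV HOME=/tmp, or a dedicated directory that has been handed to group 0) rather than to rely on a passwd lookup that will not succeed for an arbitrary UID.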

What does success look like, and how can we measure that?

All secure analyzers that run as a non-root user can successfully be used in an OpenShift environment.

What is the type of buyer?

Enterprise Edition GitLab Ultimate

Is this a cross-stage feature?

No, this only affects ~"Category:Dependency Scanning"

Links / references

#281816 (closed)

/cc @NicoleSchwartz @gonzoyumo @willmeek

Edited by Fabien Catteau