Project-specific asdf version should not conflict with the SAST image's asdf versions
Summary
The SAST spotbugs image used in the GitLab SAST pipeline declares a Java version using asdf here. That .tool-versions file is placed under the /root directory in the Docker image. When the analyzer runs against a project checked out as part of a pipeline, it runs from the checked-out project's directory, so asdf resolves the project's own .tool-versions before the image's /root/.tool-versions. If the project declares a Java version the image does not have installed, the analyzer cannot build the project at all. The pipeline or the image itself should account for this, since the project's Java version should not be beholden to the Java version the spotbugs image expects.
Steps to reproduce
- Create a project whose .tool-versions declares a Java version that is not installed in the spotbugs image (for example openjdk-11.0.2, as in the log below)
- Run the SAST pipeline against that project
Example Project
What is the current bug behavior?
Because the analyzer runs in the directory of the checked-out project, asdf picks up the project's .tool-versions instead of the image's /root/.tool-versions. When the project declares a Java version the image does not have installed, the java shim refuses to run (both for the analyzer's own `switch_to java 8` and for the Maven build), the project cannot be built, and the job fails with exit status 126 (see the log below).
What is the expected correct behavior?
The pipeline or the image itself should account for this: the project's Java version should not be beholden to the Java version the spotbugs image expects, and a project's .tool-versions should not break the analyzer's build.
Relevant logs and/or screenshots
Resolving secrets
00:00
Preparing the "docker+machine" executor
00:49
Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2 ...
Using docker image sha256:acc3e9767d6979e3ef9aefe46d43094eb31b2ced625ccbe482b4a08d34cab639 for registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs@sha256:e8fc2099b17670e14e1fc024ca0413fd0dd7814eca802c4054293f99f585a9e4 ...
Preparing environment
00:07
Running on runner-j69qxpbf-project-22386562-concurrent-0 via runner-j69qxpbf-runner-1607722647-d148db37...
Getting source from Git repository
00:02
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/....
Created fresh repository.
Checking out 81151eab as master...
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:01
$ /analyzer run
[INFO] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ GitLab Find Security Bugs analyzer v2.14.1
[INFO] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ Detecting project
[INFO] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ Found project in /builds/heb-engineering/teams/customer-experience-engineering/chiltepin-squad/heb-ecom-delivery-availability/das-admin-api
[INFO] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ Running analyzer
[DEBU] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ /bin/bash -c source /root/.bashrc && switch_to java 8
No preset version installed for command java
Please install a version by running one of the following:
asdf install java openjdk-11.0.2
or add one of the following versions in your config file at /builds/...
java adoptopenjdk-8.0.275+1
java adoptopenjdk-11.0.9+101
[INFO] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ Found Maven project in /builds/...
[INFO] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ Found 1 analyzable projects.
[INFO] [Find Security Bugs] [2020-12-11T21:40:26Z] ▶ Building Maven project at /builds/....
[DEBU] [Find Security Bugs] [2020-12-11T21:40:27Z] ▶ /opt/asdf/shims/mvn -Dmaven.repo.local=/root/.m2/repository --batch-mode -DskipTests=true install
No preset version installed for command java
Please install a version by running one of the following:
asdf install java openjdk-11.0.2
or add one of the following versions in your config file at ...
java adoptopenjdk-8.0.275+1
java adoptopenjdk-11.0.9+101
[ERRO] [Find Security Bugs] [2020-12-11T21:40:27Z] ▶ Project couldn't be built: exit status 126
[FATA] [Find Security Bugs] [2020-12-11T21:40:27Z] ▶ exit status 126
Uploading artifacts for failed job
00:00
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
Cleaning up file based variables
00:01
ERROR: Job failed: exit code
Workarounds
- add a before_script that deletes the project's .tool-versions (this is our current workaround)
- add a before_script to run asdf install (the pathing and installation of asdf on the spotbugs image makes this a bit tedious/not obvious)
Possible Fixes
- Set ASDF_DEFAULT_TOOL_VERSIONS_FILENAME inside the container to an alternate file name (it names the file asdf searches for, default .tool-versions) and ship the packaged versions under that name, so asdf reads the image's file rather than the project's .tool-versions.
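The lookup behaviour behind all three of the points above (the failure, the before_script workaround that deletes the project's file, and the ASDF_DEFAULT_TOOL_VERSIONS_FILENAME fix) is shown below as an added illustration that is not part of this report, of asdf or of the analyzer: a small shell model of asdf's version resolution run over a constructed sandbox. It assumes asdf's documented lookup order (walk from the working directory up towards the root looking for the versions file, then fall back to the home directory) and uses the two installed JDK versions from the log; the sandbox directory layout, the openjdk-11.0.2 project version and the .image-tool-versions file name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (not asdf's code and not the analyzer's): a model of how asdf
# picks a tool version, to show why a project's .tool-versions shadows the one the
# spotbugs image ships under /root. Assumed lookup order, simplified from asdf's
# documented behaviour: walk from the working directory up to the root looking for
# the versions file, then fall back to the home directory. The file name comes from
# $ASDF_DEFAULT_TOOL_VERSIONS_FILENAME (default .tool-versions), which is the knob
# the proposed fix turns.

# Constructed sandbox standing in for the container: the image's "/root", a
# checked-out project under "/builds", and the JDKs installed in the image
# (the two versions listed in the job log).
SANDBOX=$(mktemp -d)
IMAGE_HOME="$SANDBOX/root"
PROJECT_DIR="$SANDBOX/builds/group/project"
INSTALLS="$SANDBOX/opt/asdf/installs/java"
trap 'rm -rf "$SANDBOX"' EXIT

setup_sandbox() {
  rm -rf "$IMAGE_HOME" "$SANDBOX/builds" "$INSTALLS"
  mkdir -p "$IMAGE_HOME" "$PROJECT_DIR" \
    "$INSTALLS/adoptopenjdk-8.0.275+1" "$INSTALLS/adoptopenjdk-11.0.9+101"
  printf 'java adoptopenjdk-8.0.275+1\n' > "$IMAGE_HOME/.tool-versions"  # packaged by the image
  printf 'java openjdk-11.0.2\n' > "$PROJECT_DIR/.tool-versions"         # the project's own (assumed), not installed
}

# Version declared for tool $1 in directory $2; prints nothing if no file is there.
version_in_dir() {
  file="$2/${ASDF_DEFAULT_TOOL_VERSIONS_FILENAME:-.tool-versions}"
  [ -f "$file" ] || return 0
  awk -v t="$1" '$1 == t { print $2; exit }' "$file"
}

# Resolve tool $1 starting in directory $2: the nearest file wins, home dir is last.
resolve_version() {
  dir=$2
  while [ "$dir" != "$SANDBOX" ] && [ "$dir" != "/" ]; do
    v=$(version_in_dir "$1" "$dir")
    if [ -n "$v" ]; then echo "$v"; return 0; fi
    dir=$(dirname "$dir")
  done
  version_in_dir "$1" "$IMAGE_HOME"
}

# What the java shim does when invoked from directory $1: run only if the resolved
# version is actually installed; 126 mirrors the exit status seen in the job log.
java_shim() {
  v=$(resolve_version java "$1")
  if [ -n "$v" ] && [ -d "$INSTALLS/$v" ]; then
    echo "java: using $v"; return 0
  fi
  echo "No preset version installed for command java (wanted: ${v:-none})"
  return 126
}

setup_sandbox
echo "# 1. as in the failing job: shim invoked inside the checked-out project"
java_shim "$PROJECT_DIR" || echo "exit status $?"

echo "# 2. proposed fix: the image ships its versions under another file name"
cp "$IMAGE_HOME/.tool-versions" "$IMAGE_HOME/.image-tool-versions"
( export ASDF_DEFAULT_TOOL_VERSIONS_FILENAME=.image-tool-versions; java_shim "$PROJECT_DIR" )

echo "# 3. current workaround: before_script deletes the project's file"
rm -f "$PROJECT_DIR/.tool-versions"
java_shim "$PROJECT_DIR"
```

Run it with sh: scenario 1 ends with exit status 126, the other two fall through to the image's adoptopenjdk-8.0.275+1. One caveat on the fix: once the image points asdf at its own file name, the project's .tool-versions is ignored entirely inside the analyzer container, which is the intended behaviour for this job but means a project cannot influence which JDK the analyzer builds with.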