GoSec is failing on Workhorse
Summary
Workhorse has moved to the GitLab project, and since then, it seems gosec has been failing.
Steps to reproduce
- Run a branch pipeline in gitlab-org/gitlab
- Gosec will run, but exit with code 1, and no report is generated.
Example Project
https://gitlab.com/gitlab-org/gitlab/-/jobs/1329269575#L49
What is the current bug behavior?
GoSec fails and doesn't report anything.
What is the expected correct behavior?
GoSec succeeds, and reports findings.
Relevant logs and/or screenshots
Tried to reproduce locally, with the latest gosec analyzer version:
logs trace (with `SAST_DISABLE_BABEL` set to `debug`)
[INFO] [Gosec] [2021-06-14T18:27:07Z] ▶ GitLab Gosec analyzer v3.0.1
[INFO] [Gosec] [2021-06-14T18:27:07Z] ▶ Detecting project
[INFO] [Gosec] [2021-06-14T18:27:08Z] ▶ Found project in /tmp/app/workhorse
[INFO] [Gosec] [2021-06-14T18:27:08Z] ▶ Running analyzer
[DEBU] [Gosec] [2021-06-14T18:27:08Z] ▶ custom rulesets not enabled
[INFO] [Gosec] [2021-06-14T18:27:08Z] ▶ Copying modules into path...
[DEBU] [Gosec] [2021-06-14T18:31:04Z] ▶ /bin/cp -r /tmp/app /go/src/app
[INFO] [Gosec] [2021-06-14T18:31:04Z] ▶ Fetching dependencies...
[DEBU] [Gosec] [2021-06-14T18:36:18Z] ▶ /usr/local/go/bin/go get ./...
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/config" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/config (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/config (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/helper" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/helper (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/helper (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/queueing" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/queueing (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/queueing (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/redis" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/redis (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/redis (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/secret" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/secret (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/secret (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/upstream" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upstream (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upstream (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-resize-image/png" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-resize-image/png (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-resize-image/png (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/zipartifacts" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/zipartifacts (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/zipartifacts (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-metadata/limit" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-metadata/limit (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-zip-metadata/limit (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/gitaly" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/gitaly (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/gitaly (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/log" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/log (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/log (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/api" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/api (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/api (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/filestore" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/filestore (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/filestore (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/senddata" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/senddata (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/senddata (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/upload" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upload (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upload (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/objectstore" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/objectstore (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/objectstore (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/utils/svg" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/utils/svg (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/utils/svg (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/headers" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/headers (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/headers (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/senddata/contentprocessor" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/senddata/contentprocessor (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/senddata/contentprocessor (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/urlprefix" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/urlprefix (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/urlprefix (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/lsif_transformer/parser" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/lsif_transformer/parser (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/lsif_transformer/parser (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/upload/exif" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upload/exif (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upload/exif (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/artifacts" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/artifacts (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/artifacts (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/builds" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/builds (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/builds (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/channel" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/channel (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/channel (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/git" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/git (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/git (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/imageresizer" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/imageresizer (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/imageresizer (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/lfs" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/lfs (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/lfs (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/proxy" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/proxy (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/proxy (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/rejectmethods" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/rejectmethods (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/rejectmethods (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/sendfile" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/sendfile (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/sendfile (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/sendurl" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/sendurl (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/sendurl (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/staticpages" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/staticpages (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/staticpages (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/upstream/roundtripper" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upstream/roundtripper (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/upstream/roundtripper (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/badgateway" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/badgateway (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/badgateway (from $GOPATH)
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/httprs" in any of:
/usr/local/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/httprs (from $GOROOT)
/go/src/gitlab.com/gitlab-org/gitlab-workhorse/internal/httprs (from $GOPATH)
exit status 1
(running with registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:support-go-1-16 returns the same output).
Output of checks
This bug happens on GitLab.com
Possible fixes
/cc @twoodham @tmccaslin for prioritization
/thanks to @theoretick for his help on this topic.
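A small triage helper for a trace like the one in this issue, added here as an example (not code from the gosec analyzer or the GitLab project): it extracts the unresolved import paths and reports their shared root, which distinguishes a project failing to resolve its own packages from missing third-party dependencies. The names `MissingPackages` and `CommonPrefix` are hypothetical, and the embedded log is a short excerpt of the trace above.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// GOPATH-mode lookup failure printed by `go get ./...` in the trace.
var missingRe = regexp.MustCompile(`cannot find package "([^"]+)" in any of:`)
// Excerpt of the trace from this issue, embedded so the example runs offline.
const sampleLog = `[DEBU] [Gosec] [2021-06-14T18:36:18Z] ▶ /usr/local/go/bin/go get ./...
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/config" in any of:
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/internal/helper" in any of:
cannot find package "gitlab.com/gitlab-org/gitlab-workhorse/cmd/gitlab-resize-image/png" in any of:`

// MissingPackages returns the unique unresolved import paths, sorted.
func MissingPackages(log string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range missingRe.FindAllStringSubmatch(log, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	sort.Strings(out)
	return out
}

// CommonPrefix returns the longest leading run of path segments shared by all paths.
func CommonPrefix(paths []string) string {
	if len(paths) == 0 {
		return ""
	}
	prefix := strings.Split(paths[0], "/")
	for _, p := range paths[1:] {
		segs, n := strings.Split(p, "/"), 0
		for n < len(prefix) && n < len(segs) && prefix[n] == segs[n] {
			n++
		}
		prefix = prefix[:n]
	}
	return strings.Join(prefix, "/")
}

func main() { fmt.Println(CommonPrefix(MissingPackages(sampleLog))) }
```

A shared root that matches the scanned project's own import path means every failure is a self-import, so the dependency fetch step is not resolving the project's packages from where the analyzer copied them.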