semgrep-sast doesn't find a project even though it exists (and works locally)

Summary

I'm trying to run our security scanners on the OWASP WebGoat project. It's a Java project, but it also includes some JavaScript components. Including the SAST scanners successfully creates the spotbugs-sast and eslint-sast jobs and creates a report file. However, it also creates a semgrep-sast job which fails with "No match in /builds/svij-demos/WebGoat", but GitLab recognises it as a successful run with "Job succeeded". Running it manually works. Defining SEARCH_MAX_DEPTH=8 doesn't change anything in the result.

Steps to reproduce

Example Project

I've created a pipeline and uploaded the project to this place: https://gitlab.com/svij-demos/WebGoat

Pipeline-Job for semgrep-sast: https://gitlab.com/svij-demos/WebGoat/-/jobs/1362343321

What is the current bug behavior?

Running on GitLab.com it states: "No match in […]"

[INFO] [Semgrep] [2021-06-21T05:28:03Z] ▶ GitLab Semgrep analyzer v2.8.0
[INFO] [Semgrep] [2021-06-21T05:28:03Z] ▶ Detecting project
[WARN] [Semgrep] [2021-06-21T05:28:03Z] ▶ No match in /builds/svij-demos/WebGoat
Uploading artifacts for successful job
00:01
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
Cleaning up file based variables
00:01
Job succeeded

What is the expected correct behavior?

Running it locally the analyzer successfully scans the project:

$ docker run -it --rm --volume="$PWD":/tmp/app --env SEARCH_MAX_DEPTH=8 --env CI_PROJECT_DIR=/tmp/app --env SECURE_LOG_LEVEL=debug registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:2
[INFO] [Semgrep] [2021-06-21T19:45:01Z] ▶ GitLab Semgrep analyzer v2.8.1
[INFO] [Semgrep] [2021-06-21T19:45:01Z] ▶ Detecting project
[INFO] [Semgrep] [2021-06-21T19:45:02Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [Semgrep] [2021-06-21T19:45:02Z] ▶ Running analyzer
[DEBU] [Semgrep] [2021-06-21T19:45:02Z] ▶ custom rulesets not enabled
[DEBU] [Semgrep] [2021-06-21T19:45:02Z] ▶ /usr/local/bin/semgrep -f /rules -o /tmp/app/semgrep.sarif --sarif --no-rewrite-rule-ids --strict --no-git-ignore --enable-metrics /tmp/app
[DEBU] [Semgrep] [2021-06-21T19:46:02Z] ▶ /usr/local/bin/semgrep -f /rules -o /tmp/app/semgrep.sarif --sarif --no-rewrite-rule-ids --strict --no-git-ignore --enable-metrics /tmp/app
A new version of Semgrep is available. Please see https://github.com/returntocorp/semgrep#upgrading for more information.
running 93 rules...
...
[INFO] [Semgrep] [2021-06-21T19:46:02Z] ▶ Creating report
[DEBU] [Semgrep] [2021-06-21T19:46:02Z] ▶ Converting report with the root path: /tmp/app
[DEBU] [Semgrep] [2021-06-21T19:46:02Z] ▶ custom rulesets not enabled

Relevant logs and/or screenshots

see above

Output of checks

This bug happens on GitLab.com

Possible fixes
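Added diagnostic, not part of the original issue and not the analyzer's own detection code: a small shell helper that lists the source files a depth-limited project detector would see under a given root, so you can check locally whether a value like SEARCH_MAX_DEPTH=8 actually reaches the sources in a deeply nested multi-module layout. The extension list, the excluded directories and the sample tree are assumptions constructed for the example; the analyzer's real detection rules are not described on this page.

```shell
#!/bin/sh
# sast_candidate_files DIR [DEPTH]
# List source files a depth-limited detector would consider under DIR.
# ASSUMPTION: the extension list and the excluded directories are
# illustrative, not the GitLab semgrep analyzer's actual rules.
# DEPTH defaults to $SEARCH_MAX_DEPTH, then to 4; it is counted from DIR,
# so DIR/a/b/c/file.java sits at depth 4.
sast_candidate_files() {
    dir=$1
    depth=${2:-${SEARCH_MAX_DEPTH:-4}}
    find "$dir" -maxdepth "$depth" -type f \
        \( -name '*.java' -o -name '*.js' -o -name '*.jsx' \
           -o -name '*.ts' -o -name '*.tsx' \) \
        -not -path '*/node_modules/*' \
        -not -path '*/.git/*' \
        -not -path '*/target/*'
}

# Number of candidate files found within DEPTH levels of DIR.
sast_candidate_count() {
    sast_candidate_files "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree (not WebGoat's real layout): a multi-module
# Maven-style project whose Java source ends up 9 levels below the root
# and whose JavaScript ends up 7 levels below it.
make_sample_tree() {
    root=$1
    mkdir -p "$root/lessons/sql-injection/src/main/java/org/owasp/webgoat"
    mkdir -p "$root/lessons/sql-injection/src/main/resources/js"
    : > "$root/lessons/sql-injection/src/main/java/org/owasp/webgoat/Lesson.java"
    : > "$root/lessons/sql-injection/src/main/resources/js/lesson.js"
    : > "$root/pom.xml"   # build file, not a scannable source by this rule
}

# Demo: show how the count changes with the search depth.
demo_tmp=$(mktemp -d)
make_sample_tree "$demo_tmp"
for d in 4 8 9; do
    printf 'depth %s: %s candidate file(s)\n' "$d" "$(sast_candidate_count "$demo_tmp" "$d")"
done
rm -rf "$demo_tmp"
```

Run it against a real checkout with `sast_candidate_files /path/to/repo 8`; an empty result at the depth you configured is the quickest local explanation for a "No match" style detection failure, independent of whatever the CI job itself reports.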