Reports not available as Artifacts: SAST, DAST, Dependency-Scanning
Summary
Reports not available as Artifacts to be used by later jobs: SAST, DAST, Dependency-Scanning
Steps to reproduce
I am attempting to create a small script as part of the DWP's validation workflows, which would read the vulnerability reports generated in the DAST, SAST, Container Scanning and Dependency Scanning steps, and fail the build on the 'Default' branch if any Medium+ severity issues are still present, to mitigate the chance of security issues making it to Production.
However, when doing so, I can only access gl-container-scanning-report.json from the script; none of the other reports make it through, even when specified as artifacts and dependencies:
```yaml
vulnerability-report:
  # Stage has been thoroughly tested and verified to work as expected on a node image, so specify that directly here for Java builds to also use the node image on this step
  # 16.13 is the latest LTS of Node and 3.14 should fix vulnerability concerns in alpine
  image: node:16.13-alpine3.14@sha256:7001ff8aabeabe8844ef8e7613afaf723e832e19fba55bf1b9929739c7723ece
  stage: vulnerability_report
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  dependencies:
    - sast
    - dast
    - container_scanning
    - dependency_scanning
  before_script:
    - apk update
    - apk add jq
  script:
    - ls
    - echo "Checking DAST report"
    - |
      if [ -r gl-dast-report.json ]; then
        echo "DAST report found and readable, number of vulnerabilities found: "
        # Count findings whose severity is Medium or above; Unknown is treated as blocking too
        DAST_Vulnerabilities=$(jq '.vulnerabilities | map(select(.severity == "High" or .severity == "Medium" or .severity == "Critical" or .severity == "Unknown")) | length' gl-dast-report.json)
        echo "${DAST_Vulnerabilities}"
        if [ "${DAST_Vulnerabilities}" -gt 0 ]; then
          echo "Outstanding DAST vulnerabilities found, these must be fixed in accordance with Engineering Standards before Pipeline will pass"
          exit 1
        fi
      else
        echo "No DAST report found or not readable"
      fi
    - echo "Checking SAST report"
    - |
      if [ -r gl-sast-report.json ]; then
        echo "SAST report found and readable, number of vulnerabilities found: "
        SAST_Vulnerabilities=$(jq '.vulnerabilities | map(select(.severity == "High" or .severity == "Medium" or .severity == "Critical" or .severity == "Unknown")) | length' gl-sast-report.json)
        echo "${SAST_Vulnerabilities}"
        if [ "${SAST_Vulnerabilities}" -gt 0 ]; then
          echo "Outstanding SAST vulnerabilities found, these must be fixed in accordance with Engineering Standards before Pipeline will pass"
          exit 1
        fi
      else
        echo "No SAST report found or not readable"
      fi
    - echo "Checking Container Scan report"
    - |
      if [ -r gl-container-scanning-report.json ]; then
        echo "Container Scanning report found and readable, number of vulnerabilities found: "
        Container_Vulnerabilities=$(jq '.vulnerabilities | map(select(.severity == "High" or .severity == "Medium" or .severity == "Critical" or .severity == "Unknown")) | length' gl-container-scanning-report.json)
        echo "${Container_Vulnerabilities}"
        if [ "${Container_Vulnerabilities}" -gt 0 ]; then
          echo "Outstanding Container Scan vulnerabilities found, these must be fixed in accordance with Engineering Standards before Pipeline will pass"
          exit 1
        fi
      else
        echo "No Container Scanning report found or not readable"
      fi
    - echo "Checking Dependency scan report"
    - |
      if [ -r gl-dependency-scanning-report.json ]; then
        echo "Dependency Scanning report found and readable, number of vulnerabilities found: "
        Dependency_Vulnerabilities=$(jq '.vulnerabilities | map(select(.severity == "High" or .severity == "Medium" or .severity == "Critical" or .severity == "Unknown")) | length' gl-dependency-scanning-report.json)
        echo "${Dependency_Vulnerabilities}"
        if [ "${Dependency_Vulnerabilities}" -gt 0 ]; then
          echo "Outstanding Dependency Scan vulnerabilities found, these must be fixed in accordance with Engineering Standards before Pipeline will pass"
          exit 1
        fi
      else
        echo "No Dependency Scanning report found or not readable"
      fi

dependency_scanning:
  stage: static-analysis
  artifacts:
    expire_in: 1 week
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    paths: [ gl-dependency-scanning-report.json ] # upload as artifact for use in vulnerability-report step

sast:
  stage: static-analysis
  artifacts:
    expire_in: 1 week
    reports:
      sast: gl-sast-report.json
    paths: [ gl-sast-report.json ] # upload as artifact for use in vulnerability-report step

container_scanning:
  stage: dynamic-analysis
  artifacts:
    expire_in: 1 week
    reports:
      container_scanning: gl-container-scanning-report.json
    paths: [ gl-container-scanning-report.json ] # upload as artifact for use in vulnerability-report step

dast:
  stage: dynamic-analysis
  artifacts:
    expire_in: 1 week
    reports:
      dast: gl-dast-report.json
    paths: [ gl-dast-report.json ]
```
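The same gate as the jq script above, written as an added Python example (not the reporter's code, not anything from GitLab): it ranks severities instead of listing them, treats "Unknown" as blocking just as the job does, and records a missing report as `None` rather than passing silently, so the missing-artifact situation described in this issue fails the gate instead of weakening it. The sample reports are constructed for the example and only mimic the shape of GitLab's `gl-*-report.json` files (a `vulnerabilities` array whose entries carry a `severity`).

```python
"""Severity gate for GitLab security report JSON (gl-*-report.json). Added example."""
import json
import tempfile
from pathlib import Path

# GitLab report severities, least to most severe. "Unknown" is ranked above "Medium"
# so unclassified findings block the build, as the jq filter in the job above does.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "Unknown": 3, "High": 4, "Critical": 5}

# Report files the vulnerability-report job expects to receive as artifacts.
REPORT_FILES = {
    "DAST": "gl-dast-report.json",
    "SAST": "gl-sast-report.json",
    "Container Scanning": "gl-container-scanning-report.json",
    "Dependency Scanning": "gl-dependency-scanning-report.json",
}

def count_blocking(report, threshold="Medium"):
    """Number of findings whose severity is at or above `threshold` (missing severity = Unknown)."""
    floor = SEVERITY_RANK[threshold]
    return sum(1 for v in report.get("vulnerabilities", [])
               if SEVERITY_RANK.get(v.get("severity"), SEVERITY_RANK["Unknown"]) >= floor)

def gate(report_dir, threshold="Medium"):
    """Per-scanner blocking counts; a missing or unparseable report is None, not 0."""
    results = {}
    for scanner, name in REPORT_FILES.items():
        try:
            with (Path(report_dir) / name).open() as fh:
                results[scanner] = count_blocking(json.load(fh), threshold)
        except (OSError, ValueError):  # file absent, unreadable, or not valid JSON
            results[scanner] = None
    return results

def should_fail(results, require_all_reports=True):
    """True if any scanner has blocking findings or, when required, any report is missing."""
    return any((c is None and require_all_reports) or (c or 0) > 0 for c in results.values())

# Constructed sample reports (not real scanner output) in the GitLab report shape.
SAMPLE_SAST = {"version": "14.0.0", "vulnerabilities": [
    {"id": "c1", "name": "Hard-coded credential", "severity": "High"},
    {"id": "c2", "name": "Verbose error page", "severity": "Low"},
    {"id": "c3", "name": "Unclassified rule hit", "severity": "Unknown"}]}
SAMPLE_CONTAINER = {"version": "14.0.0", "vulnerabilities": []}

def demo():
    """Write only the SAST and container reports, mimicking the missing-artifact case."""
    d = tempfile.mkdtemp()
    Path(d, REPORT_FILES["SAST"]).write_text(json.dumps(SAMPLE_SAST))
    Path(d, REPORT_FILES["Container Scanning"]).write_text(json.dumps(SAMPLE_CONTAINER))
    return gate(d)
```

In a job, `sys.exit(1)` on `should_fail(gate("."))` gives the same effect as the `exit 1` branches above, with the missing DAST and dependency reports surfacing as `None` in the printed results.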
Example Project
n/a
What is the current bug behavior?
Only gl-container-scanning-report.json is available to the vulnerability-report job
What is the expected correct behavior?
gl-dast-report, gl-sast-report and gl-dependency-scanning-report should also be available to the job
Relevant logs and/or screenshots
[Previous report on Stack Overflow](https://stackoverflow.com/questions/64232630/gitlab-ci-sast-access-to-gl-sast-report-json-artifact-in-subsequent-stage)
Results of GitLab environment info
```
Running with gitlab-runner 14.3.2 (e0218c92)
on docker-gitlab-runner-75f9db9fd5-c947s bfTr-LzV
Resolving secrets
00:00
Preparing the "kubernetes" executor
00:00
Using Kubernetes namespace: gitlab-runners
Using Kubernetes executor with image node:16.13-apline@sha256:f5079a4f93c8e4fd07ffa93fc95f6484d7f4f40abd126c11810cb282483ab599 ...
Using attach strategy to execute scripts...
Preparing environment
00:12
Waiting for pod gitlab-runners/runner-bftr-lzv-project-29972493-concurrent-0psnkx to be running, status is Pending
```
Possible fixes
Unknown, looking at the Templates:
```yaml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: DAST.gitlab-ci.yml
- template: Container-Scanning.gitlab-ci.yml
```
I cannot see any obvious reasons as to why only the container-scanning report is available as an artifact
