Dependency scanner image missing dependencies for analyzer
Summary
The dependency scanning job gemnasium-dependency_scanning runs but fails to execute the analyzer because the native build of node-sass needs dependencies that are missing: python2, make and g++.
These dependencies are not present in the Alpine Docker image used for the analyzer. Logs are in a later section.
Related issue: https://gitlab.com/gitlab-org/gitlab/-/issues/347477
Steps to reproduce
Configure dependency scanning to run on a project containing JavaScript code.
Example Project
What is the current bug behavior?
The dependency scanning job fails to execute the analyzer because the node-sass build fails.
What is the expected correct behavior?
The dependency scanning job should execute the analyzer successfully.
Relevant logs and/or screenshots
Executing "step_script" stage of the job script
00:45
Using docker image sha256:28ad30421a8fc2915036ce92b3816c6ea4bda5752bdddeee0fa23131b0ebb384 for registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium@sha256:04883398a9822715ae549cc65e24b7f9194cf75033a7bf4d4737bd0a43c742b9 ...
[...]
$ /analyzer run
[INFO] [Gemnasium] [2021-12-08T04:58:37Z] ▶ GitLab Gemnasium analyzer v2.30.0
[INFO] [Gemnasium] [2021-12-08T04:58:38Z] ▶ Using commit a9cb22876f301ed3269027a52c9b131cdf5bd637 of vulnerability database
[ERRO] [Gemnasium] [2021-12-08T04:59:20Z] ▶ /usr/local/bin/yarn upgrade --ignore-engines acorn
yarn upgrade v1.22.15
[1/4] Resolving packages...
[2/4] Fetching packages...
info fsevents@1.2.9: The platform "linux" is incompatible with this module.
info "fsevents@1.2.9" is an optional dependency and failed compatibility check. Excluding it from installation.
[3/4] Linking dependencies...
warning "@rails/webpacker > postcss-cssnext@3.1.0" has unmet peer dependency "caniuse-lite@^1.0.30000697".
warning " > rails-erb-loader@5.5.2" has unmet peer dependency "webpack@^2.0.0 || >= 3.0.0-rc.0 || ^3.0.0".
warning " > webpack-dev-server@2.11.2" has unmet peer dependency "webpack@^2.2.0 || ^3.0.0".
warning "webpack-dev-server > webpack-dev-middleware@1.12.2" has unmet peer dependency "webpack@^1.0.0 || ^2.0.0 || ^3.0.0".
[4/4] Rebuilding all packages...
error /builds/paradiso-ventures/nexus-web/node_modules/node-sass: Command failed.
Exit code: 1
Command: node scripts/build.js
Arguments:
Directory: /builds/paradiso-ventures/nexus-web/node_modules/node-sass
Output:
Building: /usr/local/bin/node /builds/paradiso-ventures/nexus-web/node_modules/node-gyp/bin/node-gyp.js rebuild --verbose --libsass_ext= --libsass_cflags= --libsass_ldflags= --libsass_library=
[...]
gyp verb command build []
gyp verb build type Release
gyp verb architecture x64
gyp verb node dev dir /tmp/.node-gyp/14.18.2
gyp ERR! build error
gyp ERR! stack Error: not found: make
gyp ERR! stack at getNotFoundError (/builds/paradiso-ventures/nexus-web/node_modules/which/which.js:13:12)
gyp ERR! stack at F (/builds/paradiso-ventures/nexus-web/node_modules/which/which.js:68:19)
gyp ERR! stack at E (/builds/paradiso-ventures/nexus-web/node_modules/which/which.js:80:29)
gyp ERR! stack at /builds/paradiso-ventures/nexus-web/node_modules/which/which.js:89:16
gyp ERR! stack at /builds/paradiso-ventures/nexus-web/node_modules/isexe/index.js:42:5
gyp ERR! stack at /builds/paradiso-ventures/nexus-web/node_modules/isexe/mode.js:8:5
gyp ERR! stack at FSReqCallback.oncomplete (fs.js:191:21)
gyp ERR! System Linux 5.4.109+
gyp ERR! command "/usr/local/bin/node" "/builds/paradiso-ventures/nexus-web/node_modules/node-gyp/bin/node-gyp.js" "rebuild" "--verbose" "--libsass_ext=" "--libsass_cflags=" "--libsass_ldflags=" "--libsass_library="
gyp ERR! cwd /builds/paradiso-ventures/nexus-web/node_modules/node-sass
gyp ERR! node -v v14.18.2
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok
Build failed with error code: 1
info Visit https://yarnpkg.com/en/docs/cli/upgrade for documentation about this command.
[INFO] [Gemnasium] [2021-12-08T04:59:20Z] ▶ exit status 1
[INFO] [Gemnasium] [2021-12-08T04:59:20Z] ▶ Cannot auto-remediate dependency file, not supported: Gemfile.lock
Saving cache for successful job
01:06
[...]
Job succeeded
Output of checks
This bug happens on GitLab.com.
Possible fixes
Adding the missing dependencies to the Alpine image should fix this, though I'm unclear on the structure of these images and whether this is the best fix.
A workaround that makes this job complete successfully, and that is currently working for my project, is to add the dependencies in a before_script. Here we guard this command to ensure it's only executed on an Alpine image, as other dependency scanning images do not appear to require these dependencies:
```yaml
dependency_scanning:
  before_script:
    # Install build dependencies for the Gemnasium scanner. The install is
    # wrapped in an "if" so that the step is a no-op on a non-Alpine image
    # (no apk on PATH) instead of returning a non-zero status, which would
    # fail the job; a bare "which apk && ..." chain would do exactly that.
    - if command -v apk >/dev/null 2>&1; then apk update && apk add python2 make g++; fi
```
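The same guard as a reusable shell script, so the workaround can be kept in the repository and sourced from any job that runs an analyzer needing the node-gyp toolchain. This is an added example, not code from the issue or from GitLab's templates; the function names `detect_pkg_manager` and `ensure_native_build_deps` and the `DRY_RUN` variable are assumptions. It only knows about apk because, as the issue notes, the other dependency scanning images do not appear to need these packages; on any other image it returns 0 without doing anything, which is the edge case the `which apk && ...` one-liner gets wrong.

```shell
#!/bin/sh
# Added example: guarded installer for the native build toolchain that
# node-sass / node-gyp need on the Alpine-based Gemnasium image.
# Names (detect_pkg_manager, ensure_native_build_deps, DRY_RUN) are assumptions.

# Print "apk" when the Alpine package manager is on PATH, otherwise "none".
# Only the presence of the binary is checked; nothing is executed.
detect_pkg_manager() {
  if command -v apk >/dev/null 2>&1; then
    echo apk
  else
    echo none
  fi
}

# Install python2, make and g++ (what node-gyp failed to find in the job log).
# Returns 0 and installs nothing when no supported package manager exists, so
# the step never fails a job that runs on an image already shipping the tools.
# With DRY_RUN=1 the install command is printed on stdout instead of executed.
ensure_native_build_deps() {
  mgr=$(detect_pkg_manager)
  case "$mgr" in
    apk) cmd="apk update && apk add python2 make g++" ;;
    *)
      echo "ensure_native_build_deps: no supported package manager, skipping" >&2
      return 0
      ;;
  esac
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"
    return 0
  fi
  sh -c "$cmd"
}
```

In `.gitlab-ci.yml` this would be used as `- . ./ci/native-build-deps.sh && ensure_native_build_deps` under `dependency_scanning: before_script:`; setting `DRY_RUN=1` in a job first lets you confirm which images would actually install anything before enabling it.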