Analyzers bug with Custom CA on OpenShift invalid permissions

Summary

I'll list a group of errors that are related.

ESLint

For eslint, /etc/ssl/certs/ca-certificates.crt is owned by root:node. But because OpenShift uses a random user ID, we are only in the root group.

This will trigger the error open /etc/ssl/certs/ca-certificates.crt: permission denied in the job.

Semgrep

For semgrep, /etc/ssl/certs/ca-certificates.crt is owned by root:root, but with -rw-r--r--. The Dockerfile still refers to the old path: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/main/Dockerfile#L33. This will trigger the error open /etc/ssl/certs/ca-certificates.crt: permission denied in the job.

SpotBugs

For spotbugs, /etc/ssl/certs/ca-certificates.crt is owned by root:root, but with -rw-r--r--, and /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem does not exist. The analyzer uses the old path, see gitlab-org/security-products/analyzers/common!154 (merged). This will trigger the error open /etc/ssl/certs/ca-certificates.crt: permission denied in the job.

Gemnasium-Maven split to #350640 (closed)

Steps to reproduce

Use OpenShift to run any of the analyzers.

What is the current bug behavior?

The scans return open /etc/ssl/certs/ca-certificates.crt: permission denied.

What is the expected correct behavior?

The scans should run as normal.

Related ticket: https://gitlab.zendesk.com/agent/tickets/256153

Edited by Connor Gilbert
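The ownership and mode combinations reported above can be run through the POSIX owner/group/other check to see why each one fails for an OpenShift-assigned user. This is an added example, not code from the issue or from the analyzers. It assumes the analyzer opens the bundle for writing to add the custom CA; the UID, the node GID, the ESLint mode and the group-writable row are constructed values.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o644


def can_open(meta, proc_uid, proc_gids, write):
    """Model the POSIX check for open(2): exactly one class applies."""
    if proc_uid == 0:
        return True  # root with CAP_DAC_OVERRIDE bypasses the mode bits
    if proc_uid == meta.uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif meta.gid in proc_gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    need = r | (w if write else 0)
    return meta.mode & need == need


# Constructed values: OpenShift runs the container with an arbitrary
# non-root UID whose only group is root (GID 0).
OPENSHIFT_UID = 1000650000
OPENSHIFT_GIDS = frozenset({0})
NODE_GID = 1000  # assumption: GID of the "node" group in the eslint image

BUNDLES = {
    "eslint root:node": FileMeta(0, NODE_GID, 0o664),  # mode assumed
    "semgrep root:root": FileMeta(0, 0, 0o644),        # -rw-r--r-- per the issue
    "spotbugs root:root": FileMeta(0, 0, 0o644),       # -rw-r--r-- per the issue
    "group-0 writable": FileMeta(0, 0, 0o664),         # constructed contrast case
}


def report():
    """Map each bundle to (readable, writable) for the OpenShift user."""
    return {
        name: (can_open(m, OPENSHIFT_UID, OPENSHIFT_GIDS, False),
               can_open(m, OPENSHIFT_UID, OPENSHIFT_GIDS, True))
        for name, m in BUNDLES.items()
    }


if __name__ == "__main__":
    for name, (readable, writable) in report().items():
        print(f"{name:20} read={readable} write={writable}")
```

Only the last row, where the file is group-owned by GID 0 and the group bits match the owner bits, is writable for the arbitrary UID.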