Analyzers bug with Custom CA on OpenShift invalid permissions
Summary
I'll list a group of errors that are related.
ESLint
For eslint, /etc/ssl/certs/ca-certificates.crt is owned by root:node. But because OpenShift uses a random user ID, we are only in the root group. This will trigger the error open /etc/ssl/certs/ca-certificates.crt: permission denied in the job.
Semgrep
For semgrep, /etc/ssl/certs/ca-certificates.crt is owned by root:root, but -rw-r--r--. The Dockerfile still refers to the old path https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/blob/main/Dockerfile#L33 the error open /etc/ssl/certs/ca-certificates.crt: permission denied in the job.
SpotBugs
For spotbugs, /etc/ssl/certs/ca-certificates.crt is owned by root:root, but -rw-r--r--, and /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem does not exist. The analyser uses the old path gitlab-org/security-products/analyzers/common!154 (merged) the error open /etc/ssl/certs/ca-certificates.crt: permission denied in the job.
Gemnasium-Maven split to #350640 (closed)
Steps to reproduce
Use OpenShift to run any of the analyzers.
What is the current bug behavior?
The scans return open /etc/ssl/certs/ca-certificates.crt: permission denied.
What is the expected correct behavior?
The scans should run as normal.
Related ticket: https://gitlab.zendesk.com/agent/tickets/256153
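
The ownership and mode combinations reported above, worked through as an added example (not part of the original issue or the analyzers' code). It assumes the analyzer opens the bundle for writing to add the custom CA; the UID 1000650000, the node GID 1000 and the 664 mode for the ESLint image are constructed values, and the last case applies OpenShift's general image guideline (chgrp 0, chmod g=u), not a fix confirmed by this issue.

```shell
#!/bin/sh
# Added example: decide write access from ownership and mode alone, the way the
# kernel picks exactly one permission class: owner, else group, else other.
# Root's CAP_DAC_OVERRIDE is not modelled; the OpenShift-assigned UID is never 0.

# can_write UID "GID..." FILE_UID FILE_GID OCTAL_MODE -> exit 0 if writable
can_write() {
    cw_uid=$1 cw_gids=$2 cw_fuid=$3 cw_fgid=$4
    cw_mode=$((0$5))                 # leading 0 makes the shell parse it as octal
    cw_bit=2                         # other-write (0002) unless a class matches
    if [ "$cw_uid" -eq "$cw_fuid" ]; then
        cw_bit=128                   # owner-write (0200)
    else
        for cw_g in $cw_gids; do
            if [ "$cw_g" -eq "$cw_fgid" ]; then cw_bit=16; fi   # group-write (0020)
        done
    fi
    [ $((cw_mode & cw_bit)) -ne 0 ]
}

# check_path PATH: same decision for the current process and a real file.
# Uses `stat -c` (GNU coreutils / BusyBox); run it inside the analyzer image.
check_path() {
    cp_meta=$(stat -c '%u %g %a' "$1") || return 2
    set -- $cp_meta                  # split into uid, gid, mode
    can_write "$(id -u)" "$(id -G)" "$1" "$2" "$3"
}

# report LABEL FILE_UID FILE_GID MODE, evaluated for the OpenShift identity below
report() {
    if can_write "$OCP_UID" "$OCP_GIDS" "$2" "$3" "$4"; then
        echo "$1: writable"
    else
        echo "$1: permission denied"
    fi
}

OCP_UID=1000650000                   # constructed: arbitrary UID from the namespace range
OCP_GIDS=0                           # OpenShift puts that UID in the root group only

report "eslint   root:node 664 (mode assumed)" 0 1000 664
report "semgrep  root:root 644"                0 0    644
report "spotbugs root:root 644"                0 0    644
report "after chgrp 0 && chmod g=u (664)"      0 0    664
```
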