Gitlab SAST pipeline can't find "gl-sast-report.json" and does not run other jobs in SAST template
Summary
I would like to use GitLab's SAST features to test an Android application, so what I have done is included the SAST template in the CI file. When the CI pipeline executes, two jobs are created in the test stage, brakeman-sast and secrets-sast.
The secrets-sast job executes without any problems and uploads a gl-sast-report.json artifact. However, the brakeman-sast job finishes with an error stating that it can't find gl-sast-report.json.
No other SAST jobs are executed, which is odd because the template contains this line:
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex"
Steps to reproduce
include:
  template: SAST.gitlab-ci.yml
variables:
  SAST_DISABLE_DIND: "true"
stages:
  - compile
  - test
  - publish
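Added example (not part of this issue and not GitLab's own code): a small Python script that consumes the gl-sast-report.json artifact the SAST jobs upload, summarises findings by severity and scanner, and treats a missing report as a failed state rather than as a clean scan, which is the situation the brakeman-sast job above ends in. The field layout (a top-level "vulnerabilities" list whose entries carry severity, scanner and location) follows GitLab's SAST report schema; the sample findings, file paths and the passes_gate() policy are constructed for this example.

```python
"""Summarise a GitLab SAST artifact (gl-sast-report.json) and gate on it.

Added example; the sample report below is constructed, not output from the
pipeline in this issue. Field layout follows GitLab's SAST report schema
(top-level "vulnerabilities" list, each entry with severity/scanner/location).
"""
import json
import os
import tempfile
from collections import Counter

SAMPLE_REPORT = {
    "version": "2.3",
    "vulnerabilities": [
        {   # constructed finding
            "category": "sast",
            "name": "Hard-coded credential",
            "severity": "High",
            "scanner": {"id": "secrets", "name": "Secrets"},
            "location": {"file": "app/src/main/java/Config.java", "start_line": 12},
        },
        {   # constructed finding
            "category": "sast",
            "name": "Predictable random number generator",
            "severity": "Medium",
            "scanner": {"id": "spotbugs", "name": "SpotBugs"},
            "location": {"file": "app/src/main/java/Token.java", "start_line": 40},
        },
    ],
}


def load_report(path):
    """Parse the report at `path`; return None when the artifact does not exist.

    This is the brakeman-sast situation above: the analyzer matched no files,
    so no gl-sast-report.json was ever written or uploaded.
    """
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summarise(report):
    """Count findings per severity and per scanner.

    A missing report is returned as present=False rather than as zero findings,
    so a downstream gate cannot mistake "scan never ran" for "scan was clean".
    """
    if report is None:
        return {"present": False, "total": 0, "by_severity": {}, "by_scanner": {}}
    vulns = report.get("vulnerabilities", [])
    by_severity = Counter(v.get("severity", "Unknown") for v in vulns)
    by_scanner = Counter(v.get("scanner", {}).get("id", "unknown") for v in vulns)
    return {
        "present": True,
        "total": len(vulns),
        "by_severity": dict(by_severity),
        "by_scanner": dict(by_scanner),
    }


def passes_gate(summary, block_on=("Critical", "High")):
    """Return True only when a report exists and has no blocking-severity findings."""
    if not summary["present"]:
        return False
    return not any(summary["by_severity"].get(sev, 0) for sev in block_on)


def roundtrip_sample():
    """Write SAMPLE_REPORT to a temporary file and summarise it via load_report."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "gl-sast-report.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_REPORT, fh)
        return summarise(load_report(path))


if __name__ == "__main__":
    summary = roundtrip_sample()
    print(json.dumps(summary, indent=2))
    print("gate passes:", passes_gate(summary))
    missing = summarise(load_report("/nonexistent/gl-sast-report.json"))
    print("gate passes with no report:", passes_gate(missing))
```

Run it as a later-stage job that depends on the SAST stage artifacts; the point of the present flag is that an analyzer which uploads nothing (as brakeman-sast does in the logs below) blocks the gate instead of passing it by default.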
What is the current bug behavior?
The secrets-sast job executes with no problems and uploads gl-sast-report.json.
The brakeman-sast job executes with an error stating that it can't find gl-sast-report.json.
No other SAST jobs are executed, such as spotbugs-sast and security-code-scan-sast.
What is the expected correct behavior?
brakeman-sast should find gl-sast-report.json.
Other SAST jobs should be executed, but I currently only see secrets and brakeman-sast.
Relevant logs and/or screenshots
secrets-sast
Running with gitlab-runner 12.4.1 (05161b14)
  on Kubernetes Runner <REDACTED> gitlab-runner-0-578f8964fb-l4lgb oqX64xJV
Using Kubernetes namespace: iliutl-gitlab
Using Kubernetes executor with image $SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_MAJOR_VERSION ...
Waiting for pod iliutl-gitlab/runner-oqx64xjv-project-13469380-concurrent-18zhk5 to be running, status is Pending
Running on runner-oqx64xjv-project-13469380-concurrent-18zhk5 via gitlab-runner-0-578f8964fb-l4lgb...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/<REDACTED>/android-client/.git/
Created fresh repository.
From https://gitlab.com/<REDACTED>/android-client
 * [new ref]         refs/pipelines/95987761 -> refs/pipelines/95987761
 * [new branch]      feature/ZO-27-DN -> origin/feature/ZO-27-DN
Checking out db00e733 as feature/ZO-27-DN...
Skipping Git submodules setup
Checking cache for 13469380-1...
Downloading cache.zip from https://storage.googleapis.com/<REDACTED>-runner/project/13469380/13469380-1
Successfully extracted cache
$ /analyzer run
Creating cache 13469380-1...
.gradle/: found 45 matching files
Archive is up to date!
Created cache
Uploading artifacts...
gl-sast-report.json: found 1 matching files
Uploading artifacts to coordinator... ok  id=351043031 responseStatus=201 Created token=11ubRsGb
Job succeeded
brakeman-sast
Running with gitlab-runner 12.4.1 (05161b14)
  on Kubernetes Runner <REDACTED> gitlab-runner-0-578f8964fb-l4lgb oqX64xJV
Using Kubernetes namespace: iliutl-gitlab
Using Kubernetes executor with image $SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_MAJOR_VERSION ...
Waiting for pod iliutl-gitlab/runner-oqx64xjv-project-13469380-concurrent-0djj8p to be running, status is Pending
Running on runner-oqx64xjv-project-13469380-concurrent-0djj8p via gitlab-runner-0-578f8964fb-l4lgb...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/<REDACTED>/android-client/.git/
Created fresh repository.
From https://gitlab.com/<REDACTED>/android-client
 * [new ref]         refs/pipelines/95987761 -> refs/pipelines/95987761
 * [new branch]      feature/ZO-27-DN -> origin/feature/ZO-27-DN
Checking out db00e733 as feature/ZO-27-DN...
Skipping Git submodules setup
Checking cache for 13469380-1...
Downloading cache.zip from https://storage.googleapis.com/<REDACTED>/project/13469380/13469380-1
Successfully extracted cache
$ /analyzer run
No match in /builds/<REDACTED>/android-client
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
ERROR: Job failed: command terminated with exit code 1