nodejs-scan SAST analyzer prints non-verbose errors even when report generation is successful
What is the issue
The customer is running the NodeJsScan analyzer in a container in their pipeline. The job succeeds but prints many errors along the way (see the log below).
...
$ /analyzer run
[INFO] [NodeJsScan] [2022-05-11T14:37:03Z] ▶ GitLab NodeJsScan analyzer v2.23.1
[INFO] [NodeJsScan] [2022-05-11T14:37:03Z] ▶ Detecting project
[INFO] [NodeJsScan] [2022-05-11T14:37:03Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [NodeJsScan] [2022-05-11T14:37:03Z] ▶ Running analyzer
[DEBU] [NodeJsScan] [2022-05-11T14:37:03Z] ▶ /builds/fortressinfosec/r3/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[DEBU] [NodeJsScan] [2022-05-11T14:57:03Z] ▶ /usr/local/bin/njsscan --config .njsscan --json --output /tmp/njsscan.json /builds/fortressinfosec/r3
[INFO] [NodeJsScan] [2022-05-11T14:57:03Z] ▶ Creating report
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Timeout,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Timeout,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Timeout,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Syntax error,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Syntax error,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Syntax error,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Syntax error,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Syntax error,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Syntax error,
...
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Timeout,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ njsscan error: Timeout,
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ /builds/fortressinfosec/r3/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ Applying report overrides
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ /builds/fortressinfosec/r3/.gitlab/sast-ruleset.toml not found, ruleset support will be disabled.
[DEBU] [NodeJsScan] [2022-05-11T14:57:04Z] ▶ Optimizing JSON Output
Saving cache for successful job 00:39
Creating cache default-protected...
app/node_modules/: found 18114 matching files and directories
app/.meteor/local: found 9507 matching files and directories
WARNING: vendorPortal/node_modules/: no matching files
WARNING: vendorPortal/.meteor/local: no matching files
Uploading cache.zip to https://storage.googleapis.com/gitlab-com-runners-cache/project/29007963/default-protected
Created cache
Uploading artifacts for successful job 00:02
Uploading artifacts...
gl-sast-report.json: found 1 matching files and directories
Uploading artifacts as "sast" to coordinator... 201 Created id=2442804480 responseStatus=201 Created token=wKQf-KND
Cleaning up project directory and file based variables 00:01
Job succeeded
Based on a quick look at the code, this is caused by the underlying library (njsscan) that we use for scanning. njsscan generates the analysis report along with any errors encountered during the process (for example, files that timed out or failed to parse). The analyzer prints out the reported errors (if any) and then proceeds with the conversion of the generated report into a SAST-compatible report.
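To illustrate the behaviour described above, here is an added example (not the analyzer's or njsscan's own code) that reads an njsscan JSON report, collapses the per-file error list into one summary line instead of one log line per error, and flags the run when too many files were never analysed. The report layout, the file names and the coverage threshold are constructed assumptions for this example.

```python
import json
from collections import Counter

# Constructed stand-in for njsscan's --json output. The shape (an "errors" list
# beside the "nodejs" findings) is an assumption made for this example.
SAMPLE_REPORT = json.dumps({
    "errors": [
        {"file": "app/server/big.js", "error": "Timeout"},
        {"file": "app/client/gen.js", "error": "Timeout"},
        {"file": "app/legacy/old.js", "error": "Syntax error"},
    ],
    "nodejs": {
        "node_sqli_injection": {
            "files": [{"file_path": "app/server/db.js", "match_lines": [12, 12]}],
            "metadata": {"severity": "ERROR"},
        }
    },
})


def summarize_errors(report_text):
    """Collapse the per-file error list into (counts by error type, affected files)."""
    errors = json.loads(report_text).get("errors", [])
    counts = Counter(e.get("error", "unknown") for e in errors)
    files = sorted({e["file"] for e in errors if e.get("file")})
    return dict(counts), files


def count_findings(report_text):
    """Number of rule matches in the 'nodejs' section of the report."""
    rules = json.loads(report_text).get("nodejs", {})
    return sum(len(rule.get("files", [])) for rule in rules.values())


def assess(report_text, files_submitted, max_unscanned_ratio=0.10):
    """Return (verdict, summary). Files that timed out or failed to parse were
    never analysed, so a 'successful' job with many such errors gives weaker
    assurance than it looks. The ratio threshold is a local policy choice."""
    counts, files = summarize_errors(report_text)
    unscanned = len(files)
    ratio = unscanned / files_submitted if files_submitted else 0.0
    breakdown = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
    summary = (f"njsscan: {unscanned}/{files_submitted} file(s) not analysed"
               f" ({breakdown or 'none'}); {count_findings(report_text)} finding(s)")
    verdict = "coverage_gap" if ratio > max_unscanned_ratio else "ok"
    return verdict, summary


if __name__ == "__main__":
    print(assess(SAMPLE_REPORT, files_submitted=20))
```

The single summary line is what a pipeline user needs to see at INFO level; the per-file detail can stay at DEBUG.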
Relevant issue/ticket links