Generating cache metadata "only one file can be sent as raw" error when using artifact attestation with security scanning
Status update (2023-01-19)
- Issue closed. The problem was that report uploads were failing when metadata generation was enabled. This was fixed in gitlab-runner#29151 (closed) by treating these as unsupported types for metadata generation, allowing reports to function correctly again.
Summary
Pipeline fails on security scanning jobs such as SAST or IaC when the artifact attestation feature is added. It fails to generate artifact metadata.
Removing artifact attestation in the gitlab-ci.yml allows the pipeline to pass.
Steps to reproduce
- Update GitLab Runner to 15.1
- Create a gitlab-ci.yml file with a simple job
- Add security scanning (IaC or SAST will do)
- Add artifact attestation feature as a variable:

  ```yaml
  variables:
    SECURE_LOG_LEVEL: "debug"
    RUNNER_GENERATE_ARTIFACTS_METADATA: "true"
  ```
- Run the pipeline.
Example Project
```yaml
stages:
  - build
  - test
variables:
  SECURE_LOG_LEVEL: "debug"
  RUNNER_GENERATE_ARTIFACTS_METADATA: "true"
build-code-job:
  stage: build
  script:
    - echo "Testing if artifacts metadata is generated:"
  artifacts:
    paths:
      - data.txt
include:
  - template: Security/SAST-IaC.latest.gitlab-ci.yml
artifacts:
  paths:
    - data2.txt
```
What is the current bug behavior?
When using artifact attestation with any security scanning such as SAST or IaC, the artifact attestation fails to generate artifact metadata with the error below:
only one file can be sent as raw
The pipeline fails on the security scanning jobs.
Pipelines with other jobs without scanning analyzers will pass.
What is the expected correct behavior?
Successfully ran jobs, downloaded artifacts and generated artifact attestation (metadata)
Uploading artifacts...
data.txt: found 1 matching files and directories
Generating cache metadata
Uploading artifacts as "archive" to coordinator... 201 Created id= responseStatus=201 Created token=
Cleaning up project directory and file based variables
00:01
Job succeeded
Relevant logs and/or screenshots
Uploading artifacts for successful job
00:03
Uploading artifacts...
gl-sast-report.json: found 1 matching files and directories
Generating cache metadata
ERROR: Uploading artifacts as "sast" to coordinator... error error=couldn't execute POST against ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.net/api/v4/jobs/88/artifacts?artifact_format=raw&artifact_type=sast: Post "▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.net/api/v4/jobs/88/artifacts?artifact_format=raw&artifact_type=sast": only one file can be sent as raw id=88 token=FdRJu1MA
WARNING: Retrying... context=artifacts-uploader error=invalid argument
Output of checks
Results of GitLab environment info
The artifact attestation feature is available on GitLab Runner 15.1
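A scoped version of the workaround from the Summary, for runner versions that predate the fix referenced in the status update: keep attestation on for ordinary archive artifacts and switch it off only for the scanner job that uploads a raw report. This is an added example, not part of the original report or the runner project. It assumes that `kics-iac-sast` is the job name defined by the included template and that a job-level variable overrides the global one; check both against your template version.

```yaml
stages:
  - build
  - test

variables:
  SECURE_LOG_LEVEL: "debug"
  # Global default: generate attestation metadata for archive artifacts.
  RUNNER_GENERATE_ARTIFACTS_METADATA: "true"

include:
  - template: Security/SAST-IaC.latest.gitlab-ci.yml

build-code-job:
  stage: build
  script:
    - echo "Testing if artifacts metadata is generated:" > data.txt
  artifacts:
    paths:
      - data.txt   # uploaded as "archive"; metadata is generated for it

# Assumed job name from the included template. The keys below are merged
# into the template's job definition, so only the variable changes.
kics-iac-sast:
  variables:
    # The report is uploaded with artifact_format=raw, the upload that
    # fails with "only one file can be sent as raw" when metadata
    # generation is enabled.
    RUNNER_GENERATE_ARTIFACTS_METADATA: "false"
```

With this override the build job still produces attestation metadata, while the scanner report uploads without it. Remove the override once the runner is upgraded to a release that contains the fix.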