You need to sign in or sign up before continuing.
Detection logic for security analyzers is different when Docker in Docker is disabled
Summary
With the option to disable DinD for SAST and Dependency Scanning, we changed the detection logic that triggers the corresponding analyzers.
Steps to reproduce
(How one can reproduce the issue - this is very important)
Example Project
https://gitlab.com/volcan01010/python-dependency-scans/commits/master
What is the current bug behavior?
When Docker in Docker is disabled, some analyzers are not executed under the same conditions
What is the expected correct behavior?
When Docker in Docker is disabled, analyzers are executed under the same conditions. If not, we acknowledge that the discrepancies are acceptable and we document them.
Relevant logs and/or screenshots
See this thread: &971 (comment 250124778)
Possible fixes
Not a fix really but we need to make an exhaustive list of these discrepancies and decide whether or not they are acceptable.
Discrepancies for language detection
Dependency Scanning
| analyzer | current detection | linguist gem | status |
|---|---|---|---|
| bandit-audit | .Gemfile.lock |
.Gemfile.lock + more |
|
| retire.js | package.json |
.js |
|
| gemnasium |
yarn.lock, pip.lock, pipdeptree.json, package-lock.json, yarn.lock, pip.lock, pipdeptree.json, package-lock.json, npm-shrinkwrap.json, maven-dependencies.json, gradle-dependencies.json, ivy-report.xml, Gemfile, Gemfile.lock, gems.locked, composer.lock
|
.py, .php, .php, .aw, .ctp, .fcgi, .inc, .php3, .php4, .php5, .phps, .phpt, .py, .cgi, .fcgi, .gyp, .gypi, .lmi, .py3, .pyde, .pyi, .pyp, .pyt, .pyw, .rpy, .smk, .spec, .tac, .wsgi, .xpy
|
|
| gemnasium-maven |
pom.xml, build.gradle, build.sbt
|
.java |
|
| gemnasium-python |
requirements.txt, requirements.pip, Pipfile, requires.txt, setup.py
|
.py |
Sast
| analyzer | current detection | linguist gem | status |
|---|---|---|---|
| bandit-sast | .py |
.py |
|
| brakeman |
Gemfile.lock + its content with rails gem |
Gemfile.lock + more
|
|
| eslint |
.js, .jsx, .html
|
.js Linguist won't treat .html and .jsx as javascript |
|
| spotbugs | it looks builder files | .java |
|
| flawfinder |
.c, .cc, .cpp, .c++, .cp, .cxx
|
.c, .cc, .cpp, .c++, .cp, .cxx
|
|
| gosec | .go |
.go |
|
| nodejsscan | .js |
.js |
|
| pmd apex |
.package.xml sfdx-project.json
|
.cls |
|
| php extensions |
php, php3, php4, php5, php7, phtml, phar, phpt, phps
|
.php, .aw, .ctp, .fcgi, .inc, .php3, .php4, .php5, .phps, .phpt
|
|
| security code scan |
.csproj, .vbproj
|
.bas, .cls, .frm, .frx, .vba
|
|
| ts lint |
.ts, .tsx
|
.ts |
|
| sobelow | mix.exs |
.ex |
Edited by 🤖 GitLab Bot 🤖