GitLab Semgrep-based Analyzer (FIPS) fails to run on the latest Upstream Scanner (v1.25.0+)
Summary
The Semgrep analyzer running in the FIPS container fails on upstream scanner version v1.25.0 or later. Running it with the --debug CLI option produces the following error:
```
Fatal error: exception (Invalid_argument
"failed to load trust anchors: ca-certs: empty trust anchors.\
\nPlease report an issue at https://github.com/mirage/ca-certs, including:\
\n- the output of uname -s\
\n- the distribution you use\
\n- the location of default trust anchors (if known)\
\n")
Raised at Stdlib.invalid_arg in file "stdlib.ml", line 30, characters 20-45
Called from Dns_client_lwt.Transport.decode_resolv_conf in file "lwt/client/dns_client_lwt.ml", line 178, characters 24-40
Called from Dns_client_lwt.Transport.resolv_conf in file "lwt/client/dns_client_lwt.ml", line 199, characters 8-33
Called from Dns_client_lwt.Transport.create in file "lwt/client/dns_client_lwt.ml", line 251, characters 14-28
Called from Dns_client.Make.create in file "client/dns_client.ml", line 227, characters 18-62
Called from Happy_eyeballs_lwt.create in file "lwt/happy_eyeballs_lwt.ml", line 156, characters 7-40
Called from Http_helpers.happy_eyeballs in file "src/osemgrep/networking/Http_helpers.ml", line 13, characters 21-49
```
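The trace shows the failure originating in Semgrep's networking stack (Http_helpers -> happy_eyeballs -> dns_client -> ca-certs): the ca-certs library found no CA bundle with any certificates in the image. The following diagnostic is an added example, not code from this issue, GitLab, or the Semgrep project. It counts PEM certificate blocks in candidate CA bundle files and reports whether any usable trust anchors exist, so the image can be checked before the scanner runs. The candidate paths are assumptions based on common distribution layouts (Debian/Alpine, RHEL/Fedora, FreeBSD), not locations stated by the issue.

```shell
#!/bin/sh
# Added example: check whether a container image carries a non-empty
# CA trust bundle. Not part of the GitLab issue or of Semgrep itself.

# Print the number of PEM certificate blocks in a file; 0 if the file is
# missing, unreadable or empty. grep -c exits 1 on zero matches, so the
# "|| true" keeps callers running under "set -e".
count_pem_certs() {
  if [ -r "$1" ]; then
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
  else
    echo 0
  fi
}

# Return 0 as soon as one of the given bundle paths contains at least one
# certificate; return 1 if none of them does (the "empty trust anchors"
# situation in the trace above).
check_trust_anchors() {
  for f in "$@"; do
    n=$(count_pem_certs "$f")
    if [ "$n" -gt 0 ]; then
      echo "ok: $f contains $n certificate(s)"
      return 0
    fi
  done
  echo "error: no usable trust anchors found in: $*" >&2
  return 1
}

# Assumed default locations (not taken from the issue): Debian/Alpine,
# RHEL/Fedora, FreeBSD.
DEFAULT_BUNDLES="/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /usr/local/share/certs/ca-root-nss.crt"

# Usage inside the image: `sh check_trust_anchors.sh run [bundle ...]`.
# Without "run" the file only defines the functions above.
if [ "${1:-}" = "run" ]; then
  shift
  if [ "$#" -eq 0 ]; then
    set -- $DEFAULT_BUNDLES
  fi
  check_trust_anchors "$@"
fi
```

Run it inside the FIPS image with `sh check_trust_anchors.sh run`; a non-zero exit means the image has no bundle at the assumed locations, which is the condition a TLS client such as the one in the trace would reject.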
Steps to reproduce
- Set the ARG_SCANNER_VERSION variable to 1.25.0 in Dockerfile.fips and build the Docker image.
- Run the generated image against any test repository to produce the error above.
Example Project
- Any test project; this can even be one of the test fixtures in the Semgrep repository (qa/fixtures).
What is the current bug behavior?
The analyzer throws the following error when run against target source code:
```
Fatal error: exception (Invalid_argument
"failed to load trust anchors: ca-certs: empty trust anchors.\
\nPlease report an issue at https://github.com/mirage/ca-certs, including:\
\n- the output of uname -s\
\n- the distribution you use\
\n- the location of default trust anchors (if known)\
\n")
Raised at Stdlib.invalid_arg in file "stdlib.ml", line 30, characters 20-45
Called from Dns_client_lwt.Transport.decode_resolv_conf in file "lwt/client/dns_client_lwt.ml", line 178, characters 24-40
Called from Dns_client_lwt.Transport.resolv_conf in file "lwt/client/dns_client_lwt.ml", line 199, characters 8-33
Called from Dns_client_lwt.Transport.create in file "lwt/client/dns_client_lwt.ml", line 251, characters 14-28
Called from Dns_client.Make.create in file "client/dns_client.ml", line 227, characters 18-62
Called from Happy_eyeballs_lwt.create in file "lwt/happy_eyeballs_lwt.ml", line 156, characters 7-40
Called from Http_helpers.happy_eyeballs in file "src/osemgrep/networking/Http_helpers.ml", line 13, characters 21-49
```
What is the expected correct behavior?
The analyzer runs as expected.