RetireJS execution fails silently in Dependency Scanning
Summary
A customer reported a Dependency Scanning run in which the Heroku buildpack compile step that is required to set up Retire.js (it installs the project's node modules so that Retire.js has something to scan) failed: in the log below, yarn install gets a 401 Unauthorized from a private registry. However, the Dependency Scanning tool silently ignored that error, ran Retire.js anyway against a tree with no installed modules, and only reported the Gemnasium results. The job succeeded.
Steps to reproduce
Run Dependency Scanning on an npm/yarn project and make the Heroku buildpack compile step fail (for example, a dependency hosted on a private registry that answers 401 Unauthorized, as in the log below).
What is the current bug behavior?
Dependency Scanning silently ignores the RetireJS setup error. Retire.js still runs, prints "Missing version for <package>. Need to run npm install ?" for every dependency, finds nothing, and the job succeeds with only the Gemnasium findings in the report.
What is the expected correct behavior?
The Dependency Scanning job fails because of the RetireJS setup error, instead of presenting a partial result as a successful scan.
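The failure mode described above, as an added example that is not part of this report or of GitLab's dependency-scanning image: a small fail-closed wrapper around the same two steps seen in the log (buildpack compile, then retire) that propagates the compile step's exit status and refuses to treat a Retire.js run that printed "Missing version for ..." warnings as a clean result. The fake_* functions are constructed stand-ins for the commands in the job log, the step names and return codes are this example's own, and RETIRE_FOUND_EXIT assumes retire's default --exitwith value of 13 for "vulnerabilities found".

```shell
#!/bin/sh
# Added example, not code from GitLab's dependency-scanning image:
# a fail-closed wrapper around the "buildpack compile -> retire" sequence.
set -u

# Assumption: retire.js exits with this code (its default --exitwith value)
# when it finds vulnerabilities; any other non-zero status is treated as a crash.
RETIRE_FOUND_EXIT=13

# Run one step, echo it the way the job log does, and report (not swallow)
# a non-zero exit status. $1 = step name, remaining args = command.
run_step() {
  step_name=$1; shift
  echo "EXECUTE: $*"
  "$@"
  step_status=$?
  [ "$step_status" -eq 0 ] || echo "step '$step_name' exited with status $step_status" >&2
  return "$step_status"
}

# Run a command with stdout and stderr captured to a file. $1 = file, rest = command.
capture_to() {
  capture_file=$1; shift
  "$@" >"$capture_file" 2>&1
}

# Retire.js prints "Missing version for <pkg>. Need to run npm install ?" for
# every package.json dependency that is absent from node_modules. One such
# line means the scan ran against an incomplete tree and cannot be trusted.
retire_output_is_trustworthy() {
  ! grep -q 'Missing version for' "$1"
}

# Pipeline: compile -> retire -> sanity-check retire's output.
# $1 = compile command, $2 = retire command, $3 = file receiving retire's output.
# Returns 0 when retire ran on an installed tree (with or without findings),
# 2 if the compile step failed, 3 if retire crashed, 4 if its output is untrustworthy.
scan_with_retire() {
  compile_cmd=$1; retire_cmd=$2; scan_log=$3
  run_step buildpack-compile "$compile_cmd" || return 2
  scan_status=0
  run_step retire capture_to "$scan_log" "$retire_cmd" || scan_status=$?
  if [ "$scan_status" -ne 0 ] && [ "$scan_status" -ne "$RETIRE_FOUND_EXIT" ]; then
    return 3
  fi
  if ! retire_output_is_trustworthy "$scan_log"; then
    echo "ERROR: retire ran without installed node_modules; not reporting it as clean" >&2
    return 4
  fi
  return 0
}

# --- Constructed stand-ins for the commands in the job log (not real tools) ---
fake_compile_401() {        # yarn install rejected by a private registry
  echo 'error An unexpected error occurred: "Request failed 401 Unauthorized"'
  echo '-----> Build failed'
  return 1
}
fake_compile_ok() { echo '-----> Building dependencies'; }
fake_retire_no_modules() {  # retire on a tree where nothing was installed
  echo 'Missing version for lodash.map. Need to run npm install ?'
  echo 'Missing version for request. Need to run npm install ?'
}
fake_retire_clean() { echo '[]'; }
fake_retire_findings() { echo '[{"component":"hoek"}]'; return "$RETIRE_FOUND_EXIT"; }

# Walk through the three scenarios; every call is guarded so the demo never aborts.
demo() {
  demo_log=/tmp/retire-demo-$$.log
  for scenario in "fake_compile_401 fake_retire_clean" \
                  "fake_compile_ok fake_retire_no_modules" \
                  "fake_compile_ok fake_retire_findings"; do
    set -- $scenario
    demo_status=0
    scan_with_retire "$1" "$2" "$demo_log" || demo_status=$?
    echo "$1 + $2 -> wrapper exit $demo_status"
  done
  rm -f "$demo_log"
}
demo
```

The first scenario reproduces the report: the compile step fails and the wrapper stops with status 2 before retire is ever run. The second shows the other half of the problem, a retire run that exits 0 but only because it had nothing to scan; treating its "Missing version for" warnings as a hard failure is what turns the silent false negative into a visible one.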
Relevant logs and/or screenshots
Running with gitlab-ci-multi-runner 9.4.2 (6d06f2e)
on Runs for the FI teams (867da506)
Using Docker executor with image briangweber/docker-node:latest ...
Starting service docker:stable-dind ...
Pulling docker image docker:stable-dind ...
Using docker image docker:stable-dind ID=sha256:824b0ae8cb2720f6720011514c89e50c51164a55bc1ae7455957f8c9ba68e782 for docker service...
Waiting for services to be up and running...
Using docker image sha256:c808ffa41ed3610af979706a15f6106fe9ca437410cccd741b0e994cbf0070d4 for predefined container...
Pulling docker image briangweber/docker-node:latest ...
Using docker image briangweber/docker-node:latest ID=sha256:472cff6d00ec5fe8b59be86cd9dcdc8e8c8b26d58d259965fdcf78f84356e627 for build container...
Running on runner-867da506-project-825-concurrent-0 via gitlabrunner001...
Fetching changes...
Removing node_modules/
HEAD is now at 6e7afcc deleted package lock file
Checking out 6e7afcc7 as feature/repo-starter...
Skipping Git submodules setup
Checking cache for default...
Successfully extracted cache
$ export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
$ docker run --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
Unable to find image 'registry.gitlab.com/gitlab-org/security-products/dependency-scanning:10-8-stable' locally
10-8-stable: Pulling from gitlab-org/security-products/dependency-scanning
3d77ce4481b1: Pulling fs layer
534514c83d69: Pulling fs layer
d562b1c3ac3f: Pulling fs layer
4b85e68dc01d: Pulling fs layer
52134d825d3e: Pulling fs layer
f189486073d4: Pulling fs layer
a9c03bc9ef3b: Pulling fs layer
7b64a8f374f8: Pulling fs layer
a175c54c04e6: Pulling fs layer
916bdfc23252: Pulling fs layer
31a1951e1f37: Pulling fs layer
4b85e68dc01d: Waiting
52134d825d3e: Waiting
f189486073d4: Waiting
a9c03bc9ef3b: Waiting
7b64a8f374f8: Waiting
a175c54c04e6: Waiting
916bdfc23252: Waiting
31a1951e1f37: Waiting
534514c83d69: Verifying Checksum
534514c83d69: Download complete
d562b1c3ac3f: Verifying Checksum
d562b1c3ac3f: Download complete
52134d825d3e: Verifying Checksum
52134d825d3e: Download complete
3d77ce4481b1: Verifying Checksum
3d77ce4481b1: Download complete
a9c03bc9ef3b: Verifying Checksum
a9c03bc9ef3b: Download complete
7b64a8f374f8: Verifying Checksum
7b64a8f374f8: Download complete
3d77ce4481b1: Pull complete
a175c54c04e6: Verifying Checksum
a175c54c04e6: Download complete
534514c83d69: Pull complete
f189486073d4: Verifying Checksum
f189486073d4: Download complete
916bdfc23252: Verifying Checksum
916bdfc23252: Download complete
d562b1c3ac3f: Pull complete
31a1951e1f37: Verifying Checksum
31a1951e1f37: Download complete
4b85e68dc01d: Verifying Checksum
4b85e68dc01d: Download complete
4b85e68dc01d: Pull complete
52134d825d3e: Pull complete
f189486073d4: Pull complete
a9c03bc9ef3b: Pull complete
7b64a8f374f8: Pull complete
a175c54c04e6: Pull complete
916bdfc23252: Pull complete
31a1951e1f37: Pull complete
Digest: sha256:fba133efcd6a5afda7321d3063e68a26b76707f3a46999312c5716de4085dbde
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:10-8-stable
EXECUTE: mkdir -p /app/bin
curl https://gitlab.com/gitlab-org/security-products/binaries/raw/master/gemnasium-client/gemnasium-client-1.0.1 --output /app/bin/gemnasium
chmod a+rx /app/bin/gemnasium
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0 6949k    0 28215    0     0  44086      0  0:02:41 --:--:--  0:02:41 44085
 49 6949k   49 3432k    0     0  2008k      0  0:00:03  0:00:01  0:00:02 2008k
100 6949k  100 6949k    0     0  3353k      0  0:00:02  0:00:02 --:--:-- 3353k
EXECUTE: [ ! -z "$(/app/bin/gemnasium search .)" ]
EXECUTE: /app/bin/gemnasium alerts . > /code/gl-sast-gemnasium.json
2018/06/13 16:52:52 [DEBUG] POST https://deps.sec.gitlab.com/advisories/q
EXECUTE: git clone https://github.com/heroku/heroku-buildpack-nodejs /tmp/d20180613-1-u3ze2g
/tmp/d20180613-1-u3ze2g/bin/test-compile /code
Cloning into '/tmp/d20180613-1-u3ze2g'...
-----> Creating runtime environment
NPM_CONFIG_LOGLEVEL=error
NPM_CONFIG_PRODUCTION=false
NODE_VERBOSE=false
NODE_ENV=test
NODE_MODULES_CACHE=true
-----> Installing binaries
engines.node (package.json): unspecified
engines.npm (package.json): unspecified (use default)
engines.yarn (package.json): unspecified (use default)
Resolving node version 8.x...
Downloading and installing node 8.11.3...
Using default npm version: 5.6.0
Resolving yarn version 1.x...
Downloading and installing yarn (1.8.0)...
Installed yarn 1.8.0
-----> Restoring cache
! node_modules checked into source control
https://blog.heroku.com/node-habits-2016#9-only-git-the-important-bits
Skipping cache restore (not-found)
-----> Building dependencies
Installing node modules (yarn.lock)
yarn install v1.8.0
[1/4] Resolving packages...
[2/4] Fetching packages...
error An unexpected error occurred: "https://artifactory.*********.io/artifactory/api/npm/npm-release-local/@*********-*********/*********/-/@*********/*********-1.1.0.tgz: Request failed "401 Unauthorized"".
info If you think this is a bug, please open a bug report with the information provided in "/code/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
-----> Build failed
We're sorry this build is failing! You can troubleshoot common issues here:
https://devcenter.heroku.com/articles/troubleshooting-node-deploys
Some possible problems:
- node_modules checked into source control
https://blog.heroku.com/node-habits-2016#9-only-git-the-important-bits
- Node version not specified in package.json
https://devcenter.heroku.com/articles/nodejs-support#specifying-a-node-js-version
Love,
Heroku
EXECUTE: export NODE_HOME="/code/.heroku/node"
export PATH="/code/.heroku/node/bin:/code/.heroku/yarn/bin:$PATH:/code/bin:/code/node_modules/.bin"
npm install -g retire@1.6.0
retire --outputformat json --outputpath /code/gl-sast-retire.json
/code/.heroku/node/bin/retire -> /code/.heroku/node/lib/node_modules/retire/bin/retire
+ retire@1.6.0
added 81 packages in 2.831s
Missing version for @*********/*********. Need to run npm install ?
Missing version for @*********/*********. Need to run npm install ?
Missing version for @*********/*********. Need to run npm install ?
Missing version for lodash.map. Need to run npm install ?
Missing version for prompt. Need to run npm install ?
Missing version for replace-in-file. Need to run npm install ?
Missing version for request. Need to run npm install ?
Missing version for request-promise. Need to run npm install ?
Missing version for request-promise-middleware-framework. Need to run npm install ?
Missing version for shelljs. Need to run npm install ?
Missing version for unzip. Need to run npm install ?
SUCCESS: Report saved in /code/gl-dependency-scanning-report.json
Security vulnerability found :
+-----------+-----------+---------------+----------------------------------------+
| Priority  | Tool      | Identifier    | URL                                    |
+-----------+-----------+---------------+----------------------------------------+
| Unknown   | gemnasium | CVE-2018-3728 | https://nodesecurity.io/advisories/566 |
| Prototype pollution attack for hoek                                            |
| In yarn.lock                                                                   |
+-----------+-----------+---------------+----------------------------------------+
1 security vulnerability.
Creating cache default...
WARNING: node_modules/: no matching files
Archive is up to date!
Created cache
Uploading artifacts...
gl-dependency-scanning-report.json: found 1 matching files
Uploading artifacts to coordinator... ok id=207467 responseStatus=201 Created token=xmCiEe74
Job succeeded
Results of GitLab environment info
gitlab-ee 10.8.4
/cc @plafoucriere @bikebilly @namhokim