Problem whilst evaluating GitLab EE features: dependency scanning, SAST and license management
Introduction
Currently evaluating GitLab EE and attempting to utilise a number of the EE features, including dependency scanning, SAST and license management. However, I don't seem to be able to get them working. I apologise up front for any stupidity on my part.
Any help/pointers would be very much appreciated.
Installation
The installation utilised a fresh VM with CentOS 7, fully updated, with a copy of GitLab EE 11.2.3-ee (incl. gitlab-runner) installed on it. I imported a GitLab project (Java/Maven) from another repo (CE) for testing purposes. I used the following links:
- https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
- https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
- https://docs.gitlab.com/ee/user/project/merge_requests/license_management.html
to create the necessary configuration for each task. Each of the above states support for Java/Maven.
Configuration
Runner
Using details from the links above, I created a runner (/etc/gitlab-runner/config.toml):

```toml
concurrent = 1
check_interval = 0

[[runners]]
  name = "Docker"
  url = "http://xxxxxx.yyyyy.com/"
  token = "zzzzzzzzzzzzzzzzzzzzzzzzzzz"
  executor = "docker"
  [runners.docker]
    tls_verify = false
    image = "docker:stable"
    # privileged = true combined with the host docker.sock bind in `volumes`
    # below gives every job that runs here root-equivalent control of the
    # runner host, so this runner should only serve trusted projects.
    privileged = true
    disable_cache = false
    cache_dir = "cache"
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
    shm_size = 0
  [runners.cache]
    Insecure = false
```
(Note: this differs from the docker-in-docker executor configuration, as I had an issue which was resolved by using this.)
CI
In the project itself, I created .gitlab-ci.yml:

```yaml
stages:
  - build
  - test

variables:
  MAVEN_CLI_OPTS: "-s .m2/settings.xml --batch-mode"
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"

cache:
  paths:
    - .m2/repository/
    - target/

build:
  stage: build
  image: maven:latest
  script:
    - mvn $MAVEN_CLI_OPTS compile

dependency_scanning:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    # analyzer image tag derived from the server version, e.g. 11.2.3-ee -> 11-2-stable
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    paths: [gl-dependency-scanning-report.json]

sast:
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    paths: [gl-sast-report.json]

license_management:
  # `stage: test` was listed twice in this job; a YAML mapping key must be unique
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export LICENSE_MANAGEMENT_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --volume "$PWD:/code"
        "registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION" analyze /code
  artifacts:
    paths: [gl-license-management-report.json]
```
Results
However, only the Java build completed successfully:
build
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.858 s
[INFO] Finished at: 2018-09-11T11:04:30Z
[INFO] ------------------------------------------------------------------------
Creating cache default...
.m2/repository/: found 1234 matching files
target/: found 246 matching files
Created cache
Job succeeded
license_management
Pulling docker image docker:stable ...
Using docker image sha256:9797f6e6a0689dffe3cc376ce6de0e938aa1099839524302014ab1881cab8dd3 for docker:stable ...
Running on runner-4b47fade-project-3-concurrent-0 via xxxxxx...
Fetching changes...
Removing .m2/repository/
Removing target/
HEAD is now at dfb54a2 Update .gitlab-ci.yml
Checking out dfb54a25 as 70-use-gitlab-ee-features...
Skipping Git submodules setup
Checking cache for default...
Successfully extracted cache
$ export LICENSE_MANAGEMENT_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
$ docker run --volume "$PWD:/code" "registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION" analyze /code
stdin: is not a tty
/code /
Running license_finder in /code
/usr/local/rvm/gems/ruby-2.5.1/gems/license_finder-5.1.0/lib/license_finder/cli/main.rb:171:in `initialize': Permission denied @ rb_sysopen - gl-license-management-report.html (Errno::EACCES)
from /usr/local/rvm/gems/ruby-2.5.1/gems/license_finder-5.1.0/lib/license_finder/cli/main.rb:171:in `open'
from /usr/local/rvm/gems/ruby-2.5.1/gems/license_finder-5.1.0/lib/license_finder/cli/main.rb:171:in `save_report'
from /usr/local/rvm/gems/ruby-2.5.1/gems/license_finder-5.1.0/lib/license_finder/cli/main.rb:128:in `report'
from /usr/local/rvm/gems/ruby-2.5.1/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
from /usr/local/rvm/gems/ruby-2.5.1/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
from /usr/local/rvm/gems/ruby-2.5.1/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
from /usr/local/rvm/gems/ruby-2.5.1/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
from /usr/local/rvm/gems/ruby-2.5.1/gems/license_finder-5.1.0/bin/license_finder:5:in `<top (required)>'
from /usr/local/rvm/gems/ruby-2.5.1/bin/license_finder:23:in `load'
from /usr/local/rvm/gems/ruby-2.5.1/bin/license_finder:23:in `<main>'
License Finder: No active and installed package managers found for project.
ERROR: Job failed: exit code 1
dependency_scanning
Pulling docker image docker:stable ...
Using docker image sha256:9797f6e6a0689dffe3cc376ce6de0e938aa1099839524302014ab1881cab8dd3 for docker:stable ...
Running on runner-4b47fade-project-3-concurrent-0 via xxxxxx...
Fetching changes...
Removing .m2/repository/
Removing target/
HEAD is now at dfb54a2 Update .gitlab-ci.yml
Checking out dfb54a25 as 70-use-gitlab-ee-features...
Skipping Git submodules setup
Checking cache for default...
Successfully extracted cache
$ export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
$ docker run --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
Source code language/dependency manager is not yet supported for analyze
ERROR: Job failed: exit code 1
sast
Pulling docker image docker:stable ...
Using docker image sha256:9797f6e6a0689dffe3cc376ce6de0e938aa1099839524302014ab1881cab8dd3 for docker:stable ...
Running on runner-4b47fade-project-3-concurrent-0 via xxxxxx...
Fetching changes...
Removing .m2/repository/
Removing target/
HEAD is now at dfb54a2 Update .gitlab-ci.yml
Checking out dfb54a25 as 70-use-gitlab-ee-features...
Skipping Git submodules setup
Checking cache for default...
Successfully extracted cache
$ export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
$ docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
2018/09/11 10:50:24 Copy project directory to containers
Project directory is empty
ERROR: Job failed: exit code 4
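The three analyzer jobs above all hand `--volume "$PWD:/code"` to whichever Docker daemon the `docker` CLI is talking to. A bind mount is resolved by that daemon, not by the job container, so when the job reaches the runner host's daemon through a bound /var/run/docker.sock, `$PWD` (a path inside the job container such as /builds/...) is looked up on the host, where it does not exist, and the analyzer is handed an empty /code. The following is an added example, not code from the original post or from GitLab's analyzers: a pair of shell helpers a job could source before running an analyzer. `sp_version` is the same sed transform the .gitlab-ci.yml uses; `preflight_mount` asks the daemon itself how many entries it sees in the mount source and refuses to launch the analyzer when that is zero, which is the failure mode the sast log reports as "Project directory is empty". The `DOCKER_CMD` variable and the `alpine:3` helper image are assumptions of this example, not GitLab settings; `DOCKER_CMD` exists so the helpers can be exercised without a daemon.

```shell
#!/bin/sh
# Added example, not part of the original post or of GitLab's analyzer images.
# DOCKER_CMD is a hypothetical knob (an assumption of this example, not a
# GitLab CI variable) so the check can be run against a stub instead of a daemon.
DOCKER_CMD="${DOCKER_CMD:-docker}"

# Map a GitLab server version to the analyzer image tag the page's jobs use:
# "11.2.3-ee" -> "11-2-stable", "11.10.1" -> "11-10-stable".
sp_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/'
}

# Ask the daemon that will run the analyzer how many entries it sees at the
# bind-mount source. alpine:3 is used only as a tiny helper image (assumption).
mount_entry_count() {
    "$DOCKER_CMD" run --rm --volume "$1:/code:ro" alpine:3 sh -c 'ls -A /code | wc -l'
}

# Return 0 when the mount source is non-empty from the daemon's point of view,
# 1 (with a diagnostic on stderr) when it is empty or could not be inspected.
preflight_mount() {
    src="$1"
    n=$(mount_entry_count "$src" | tr -d '[:space:]')
    case "$n" in
        ''|*[!0-9]*)
            echo "preflight: could not inspect $src via $DOCKER_CMD" >&2
            return 1 ;;
    esac
    if [ "$n" -eq 0 ]; then
        echo "preflight: $src is empty as seen by the Docker daemon;" >&2
        echo "  with a bound host /var/run/docker.sock this is the job container's" >&2
        echo "  path, which does not exist on the runner host" >&2
        return 1
    fi
    return 0
}

# Run an analyzer image only after the mount source has been verified.
# $1: image name without tag, $2: CI_SERVER_VERSION, rest: analyzer arguments.
run_analyzer() {
    image="$1"; version="$2"; shift 2
    tag=$(sp_version "$version")
    preflight_mount "$PWD" || return 1
    "$DOCKER_CMD" run --rm --volume "$PWD:/code" "$image:$tag" "$@"
}

# Usage inside a job script, e.g.:
#   . ./preflight.sh
#   run_analyzer registry.gitlab.com/gitlab-org/security-products/sast "$CI_SERVER_VERSION" /app/bin/run /code
```

If `preflight_mount` fails on the runner configured above, the fix is in the runner, not the analyzer: either let the job use the `docker:stable-dind` service it already declares, or point the analyzer at a path that exists on the host the bound socket belongs to.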
