Skip to content
Snippets Groups Projects

semgrep-appsec-custom-rules

Passed Started by
Simon Tomlinson
@stomlinson
Log timestamps in UTC.
122:14:35Running with gitlab-runner 17.4.0~pre.110.g27400594 (27400594)
222:14:35 on blue-2.shared-gitlab-org.runners-manager.gitlab.com/default NL4gfoBe, system ID: s_74c3e1316164
322:14:35 feature flags: FF_NETWORK_PER_BUILD:true, FF_TIMESTAMPS:true
422:14:35Resolving secrets
5 22:14:35 Preparing the "docker+machine" executor 00:14
622:14:35Using Docker executor with image returntocorp/semgrep ...
722:14:38Pulling docker image returntocorp/semgrep ...
822:14:49Using docker image sha256:8afaf0ecf7b18f8e39c1260c5699268bf10b7ab8231b1a2b30a1e7969f5f87a2 for returntocorp/semgrep with digest returntocorp/semgrep@sha256:f35c7891e2030110a84a721fdd556ce8f3da6e7e69d7fab1d3660ae1bb334474 ...
9 22:14:49 Preparing environment 00:05
1022:14:54Running on runner-nl4gfobe-project-278964-concurrent-0 via runner-nl4gfobe-shared-gitlab-org-1731441127-d34928f3...
11 22:14:54 Getting source from Git repository 00:38
1222:14:55Fetching changes with git depth set to 20...
1322:14:55Initialized empty Git repository in /builds/gitlab-org/gitlab/.git/
1422:14:55Created fresh repository.
1522:14:56remote: Enumerating objects: 183578, done.
1622:14:56remote: Counting objects: 100% (183578/183578), done.
1722:14:56remote: Compressing objects: 100% (117557/117557), done.
1822:14:56remote: Total 183578 (delta 85967), reused 132426 (delta 59154), pack-reused 0 (from 0)
1922:15:02Receiving objects: 100% (183578/183578), 151.84 MiB | 27.77 MiB/s, done.
2022:15:02Resolving deltas: 100% (85967/85967), done.
2122:15:13From https://us-east1-d.ci-gateway.int.gprd.gitlab.net:8989/gitlab-org/gitlab
2222:15:13 * [new ref] refs/pipelines/1539289738 -> refs/pipelines/1539289738
2322:15:13Checking out a265d58c as detached HEAD (ref is refs/merge-requests/172446/merge)...
2422:15:30Skipping Git submodules setup
2522:15:30$ git remote set-url origin "${CI_REPOSITORY_URL}"
26 22:15:32 Executing "step_script" stage of the job script 00:26
2722:15:32Using docker image sha256:8afaf0ecf7b18f8e39c1260c5699268bf10b7ab8231b1a2b30a1e7969f5f87a2 for returntocorp/semgrep with digest returntocorp/semgrep@sha256:f35c7891e2030110a84a721fdd556ce8f3da6e7e69d7fab1d3660ae1bb334474 ...
2822:15:33$ git fetch origin master
2922:15:33From https://gitlab.com/gitlab-org/gitlab
3022:15:33 * branch master -> FETCH_HEAD
3122:15:33 * [new branch] master -> origin/master
3222:15:33$ git clone $CUSTOM_RULES_REPOSITORY "${CI_BUILDS_DIR}/sast-custom-rules"
3322:15:33Cloning into '/builds/sast-custom-rules'...
3422:15:34$ rm "${CI_BUILDS_DIR}/sast-custom-rules/.gitlab-ci.yml" # semgrep fails when there are yaml files that are not rules # collapsed multi-line command
3522:15:35
3622:15:35
3722:15:35┌────────────────┐
3822:15:35│ Debugging Info │
3922:15:35└────────────────┘
4022:15:35
4122:15:35 SCAN ENVIRONMENT
4222:15:35 versions - semgrep 1.93.0 on python 3.11.10
4322:15:35 environment - running in environment gitlab-ci, triggering event is pull_request
4422:15:40running 34 rules from 33 configs
4522:15:40No .semgrepignore found. Using default .semgrepignore rules. See the docs for the list of default ignores: https://semgrep.dev/docs/cli-usage/#ignore-files
4622:15:40Rules:
4722:15:40- builds.sast-custom-rules.appsec-pings.glappsec_ci-job-token
4822:15:40- builds.sast-custom-rules.appsec-pings.glappsec_eslint-disable-next-line-no-unsanitized-property_disable_gitlabsecurity
4922:15:40- builds.sast-custom-rules.appsec-pings.glappsec_rubocop_disable_gitlabsecurity
5022:15:40- builds.sast-custom-rules.appsec-pings.glappsec_shell_heredoc
5122:15:40- builds.sast-custom-rules.appsec-pings.glappsec_ts-markdown-trusted
5222:15:40- builds.sast-custom-rules.gitlab-sast-rules.glappsec_dangerous_string_interpolation
5322:15:40- builds.sast-custom-rules.gitlab-sast-rules.glappsec_dangerous_untar
5422:15:40- builds.sast-custom-rules.past-s1-rules.CVE-2022-0244.CVE-2022-0244
5522:15:40- builds.sast-custom-rules.past-s1-rules.CVE-2022-1162.CVE-2022-1162
5622:15:40- builds.sast-custom-rules.past-s1-rules.CVE-2022-1680.CVE-2022-1780
5722:15:40- builds.sast-custom-rules.past-s1-rules.CVE-2022-2185.CVE-2022-2185
5822:15:40- builds.sast-custom-rules.past-s1-rules.CVE-2022-3067.CVE-2022-3067
5922:15:40- builds.sast-custom-rules.past-s1-rules.CVE-2023-2478.CVE-2023-2478
6022:15:40- builds.sast-custom-rules.past-s1-rules.CVE-2023-2825.CVE-2023-2825
6122:15:40- builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_dangerous-exec-command
6222:15:40- builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_gosec.G402-1
6322:15:40- builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_insecure-archive-go
6422:15:40- builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_path-traversal-go
6522:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_bad-deserialization
6622:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_bad-deserialization-yaml
6722:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_dangerous-exec
6822:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_dangerous_html_safe
6922:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_dangerous_redirect
7022:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-archive-operation
7122:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-ciphers
7222:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-regex
7322:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-url-construction
7422:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-url-parsing-1
7522:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-url-parsing-2
7622:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_path-traversal
7722:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_redos_1
7822:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_redos_2
7922:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_unsafe-http-library-usage
8022:15:40- builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_url-spoofing
8122:15:40
8222:15:40
8322:15:40┌─────────────┐
8422:15:40│ Scan Status │
8522:15:40└─────────────┘
8622:15:40 Scanning 5 files tracked by git with 34 Code rules:
8722:15:40
8822:15:40 Language Rules Files Origin Rules
8922:15:40 ───────────────────────────── ────────────────
9022:15:40 ruby 26 3 Custom 34
9122:15:40 <multilang> 2 3
9222:15:40
9322:15:40 Current version has 1 finding.
9422:15:40Creating git worktree from 'b9a2017b64d56cb56be6eeac19c2c146a845154c' to scan baseline.
9522:15:40 Will report findings introduced by these commits (may be incomplete for shallow checkouts):
9622:15:40 * a265d58c5 Merge branch 'cursor-bbm-testing' into 'master'
9722:15:40 * 07ff9c100 Add cursor batched background migration testing
9822:15:40 * d4a82d669 Merge branch '465807-call-alter-sequences-range-rake' into 'master'
9922:15:40 * 8082c3ecd Calls alter_cell_sequences_range rake from db:configure
10022:15:51No .semgrepignore found. Using default .semgrepignore rules. See the docs for the list of default ignores: https://semgrep.dev/docs/cli-usage/#ignore-files
10122:15:51
10222:15:51
10322:15:51┌─────────────┐
10422:15:51│ Scan Status │
10522:15:51└─────────────┘
10622:15:51 Scanning 1 file tracked by git with 1 Code rule:
10722:15:51 Scanning 1 file.
10822:15:51Removing matches that exist in baseline scan
10922:15:51Removed 1 finding that were in baseline scan
11022:15:57========================================
11122:15:57Files skipped:
11222:15:57========================================
11322:15:57 Always skipped by Semgrep:
11422:15:57 • <none>
11522:15:57 Skipped by .gitignore:
11622:15:57 (Disable by passing --no-git-ignore)
11722:15:57 • <all files not listed by `git ls-files` were skipped>
11822:15:57 Skipped by .semgrepignore:
11922:15:57 - https://semgrep.dev/docs/ignoring-files-folders-code/#understand-semgrep-defaults
12022:15:57 • <none>
12122:15:57 Skipped by --include patterns:
12222:15:57 • spec/support/helpers/database/migration_testing_helpers.rb
12322:15:57 Skipped by --exclude patterns:
12422:15:57 • spec/lib/gitlab/database/migrations/test_batched_background_runner_spec.rb
12522:15:57 Skipped by limiting to files smaller than 1000000 bytes:
12622:15:57 (Adjust with the --max-target-bytes flag)
12722:15:57 • <none>
12822:15:57 Partially analyzed due to parsing or internal Semgrep errors
12922:15:57 • <none>
13022:15:57
13122:15:57
13222:15:57┌──────────────┐
13322:15:57│ Scan Summary │
13422:15:57└──────────────┘
13522:15:57Some files were skipped or only partially analyzed.
13622:15:57 Scan was limited to files changed since baseline commit.
13722:15:57 Scan skipped: 1 files not matching --include patterns, 1 files matching --exclude patterns
13822:15:57 For a full list of skipped files, run semgrep with the --verbose flag.
13922:15:57CI scan completed successfully.
14022:15:57 Found 0 findings (0 blocking) from 34 rules.
14122:15:57RPC response indicated an error: Error handling RPC request:
14222:15:57Yojson__Common.Json_error("Line 1, bytes 160-194:\nExpected ',' or '}' but found 'Balu\" C\", \"commit_author_email\": '")
14322:15:57Raised at Yojson__Common.json_error in file "lib/common.ml", line 5, characters 19-39
14422:15:57Called from Yojson__Safe.read_object_sep in file "lib/read.ml" (inlined), line 2343, characters 3-47
14522:15:57Called from Semgrep_output_v1_j.read_contributor in file "OSS/src/rule/semgrep_output_v1_j.ml", line 23786, characters 8-40
14622:15:57Called from Semgrep_output_v1_j.read_contribution in file "OSS/src/rule/semgrep_output_v1_j.ml", line 24044, characters 21-122
14722:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 107, characters 16-19
14822:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
14922:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15022:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15122:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15222:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15322:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15422:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15522:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15622:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15722:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15822:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
15922:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16022:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16122:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16222:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16322:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16422:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16522:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16622:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16722:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16822:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
16922:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17022:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17122:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17222:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17322:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17422:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17522:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17622:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17722:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17822:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
17922:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
18022:15:57Called from List_.fast_map in file "OSS/libs/commons/List_.ml", line 110, characters 33-71
18122:15:57Called from RPC.handle_call in file "OSS/src/rpc/RPC.ml", line 59, characters 21-68
18222:15:57Called from RPC.handle_single_request in file "OSS/src/rpc/RPC.ml", line 131, characters 8-29
18322:15:57Failed to collect contributions. Continuing with scan...
18422:15:57 No blocking findings so exiting with code 0
18522:15:57Not sending pseudonymous metrics since metrics are configured to OFF and registry usage is False
186 22:15:58 Uploading artifacts for successful job 00:02
18722:15:58Uploading artifacts...
18822:15:58gl-sast-report.json: found 1 matching artifact files and directories
18922:15:58WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/8340695738/artifacts?artifact_format=zip&artifact_type=archive&expire_in=30+days new-url=https://gitlab.com
19022:15:58WARNING: Retrying... context=artifacts-uploader error=request redirected
19122:16:00Uploading artifacts as "archive" to coordinator... 201 Created id=8340695738 responseStatus=201 Created token=glcbt-66
192 22:16:00 Cleaning up project directory and file based variables 00:01
19322:16:05Job succeeded