21:07:44 Running with gitlab-runner 17.4.0~pre.110.g27400594 (27400594)
21:07:44  on blue-1.private.runners-manager.gitlab.com/gitlab.com/gitlab-org 1zzGUpzq, system ID: s_fc31da7ae46e
21:07:44  feature flags: FF_NETWORK_PER_BUILD:true, FF_TIMESTAMPS:true
21:07:44 Resolving secrets
21:07:44 Using Docker executor with image returntocorp/semgrep ...
21:07:47 Pulling docker image returntocorp/semgrep ...
21:07:57 Using docker image sha256:8afaf0ecf7b18f8e39c1260c5699268bf10b7ab8231b1a2b30a1e7969f5f87a2 for returntocorp/semgrep with digest returntocorp/semgrep@sha256:f35c7891e2030110a84a721fdd556ce8f3da6e7e69d7fab1d3660ae1bb334474 ...
21:08:02 Running on runner-1zzgupzq-project-278964-concurrent-0 via runner-1zzgupzq-private-1731615743-6a68c043...
21:08:03 Fetching changes with git depth set to 20...
21:08:03 Initialized empty Git repository in /builds/gitlab-org/gitlab/.git/
21:08:03 Created fresh repository.
21:08:04 remote: Enumerating objects: 204285, done.
21:08:04 remote: Counting objects: 100% (204285/204285), done.
21:08:04 remote: Compressing objects: 100% (129804/129804), done.
21:08:04 remote: Total 204285 (delta 102704), reused 144049 (delta 66999), pack-reused 0 (from 0)
21:08:09 Receiving objects: 100% (204285/204285), 159.92 MiB | 30.75 MiB/s, done.
21:08:09 Resolving deltas: 100% (102704/102704), done.
21:08:21  * [new ref] refs/pipelines/1543613215 -> refs/pipelines/1543613215
21:08:21 Checking out 305c2543 as detached HEAD (ref is refs/merge-requests/172446/merge)...
21:08:34 Skipping Git submodules setup
21:08:34 $ git remote set-url origin "${CI_REPOSITORY_URL}"
21:08:38 Using docker image sha256:8afaf0ecf7b18f8e39c1260c5699268bf10b7ab8231b1a2b30a1e7969f5f87a2 for returntocorp/semgrep with digest returntocorp/semgrep@sha256:f35c7891e2030110a84a721fdd556ce8f3da6e7e69d7fab1d3660ae1bb334474 ...
21:08:39 $ git fetch origin master
21:08:39  * branch master -> FETCH_HEAD
21:08:39  * [new branch] master -> origin/master
21:08:39 $ git clone $CUSTOM_RULES_REPOSITORY "${CI_BUILDS_DIR}/sast-custom-rules"
21:08:39 Cloning into '/builds/sast-custom-rules'...
21:08:40 $ rm "${CI_BUILDS_DIR}/sast-custom-rules/.gitlab-ci.yml" # semgrep fails when there are yaml files that are not rules # collapsed multi-line command
21:08:41 ┌────────────────┐
21:08:41 │ Debugging Info │
21:08:41 └────────────────┘
21:08:41  SCAN ENVIRONMENT
21:08:41  versions - semgrep 1.93.0 on python 3.11.10
21:08:41  environment - running in environment gitlab-ci, triggering event is pull_request
21:08:45 running 34 rules from 33 configs
21:08:45 - builds.sast-custom-rules.appsec-pings.glappsec_ci-job-token
21:08:45 - builds.sast-custom-rules.appsec-pings.glappsec_eslint-disable-next-line-no-unsanitized-property_disable_gitlabsecurity
21:08:45 - builds.sast-custom-rules.appsec-pings.glappsec_rubocop_disable_gitlabsecurity
21:08:45 - builds.sast-custom-rules.appsec-pings.glappsec_shell_heredoc
21:08:45 - builds.sast-custom-rules.appsec-pings.glappsec_ts-markdown-trusted
21:08:45 - builds.sast-custom-rules.gitlab-sast-rules.glappsec_dangerous_string_interpolation
21:08:45 - builds.sast-custom-rules.gitlab-sast-rules.glappsec_dangerous_untar
21:08:45 - builds.sast-custom-rules.past-s1-rules.CVE-2022-0244.CVE-2022-0244
21:08:45 - builds.sast-custom-rules.past-s1-rules.CVE-2022-1162.CVE-2022-1162
21:08:45 - builds.sast-custom-rules.past-s1-rules.CVE-2022-1680.CVE-2022-1780
21:08:45 - builds.sast-custom-rules.past-s1-rules.CVE-2022-2185.CVE-2022-2185
21:08:45 - builds.sast-custom-rules.past-s1-rules.CVE-2022-3067.CVE-2022-3067
21:08:45 - builds.sast-custom-rules.past-s1-rules.CVE-2023-2478.CVE-2023-2478
21:08:45 - builds.sast-custom-rules.past-s1-rules.CVE-2023-2825.CVE-2023-2825
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_dangerous-exec-command
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_gosec.G402-1
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_insecure-archive-go
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.go.glappsec_path-traversal-go
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_bad-deserialization
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_bad-deserialization-yaml
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_dangerous-exec
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_dangerous_html_safe
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_dangerous_redirect
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-archive-operation
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-ciphers
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-regex
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-url-construction
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-url-parsing-1
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_insecure-url-parsing-2
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_path-traversal
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_redos_1
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_redos_2
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_unsafe-http-library-usage
21:08:45 - builds.sast-custom-rules.secure-coding-guidelines.ruby.glappsec_url-spoofing
21:08:45 ┌─────────────┐
21:08:45 │ Scan Status │
21:08:45 └─────────────┘
21:08:45  Scanning 4 files tracked by git with 34 Code rules:
21:08:45  Language      Rules   Files          Origin   Rules
21:08:45  ─────────────────────────────        ────────────────
21:08:45  ruby             26       2          Custom      34
21:08:45  <multilang>       2       2
21:08:45  Current version has 1 finding.
21:08:45 Creating git worktree from '2fcfef56592008034f8df2638ca6aaef49732a1d' to scan baseline.
21:08:45  Will report findings introduced by these commits (may be incomplete for shallow checkouts):
21:08:45  * 305c2543d Merge branch 'cursor-bbm-testing' into 'master'
21:08:45  * c21895ec6 Fix rubocop
21:08:45  * 344621693 Fix traditional bbm testing specs
21:08:45  * e3a102286 Add cursor batched background migration testing
21:08:54 ┌─────────────┐
21:08:54 │ Scan Status │
21:08:54 └─────────────┘
21:08:54  Scanning 1 file tracked by git with 1 Code rule:
21:08:54  Scanning 1 file.
21:08:54 Removing matches that exist in baseline scan
21:08:54 Removed 1 finding that were in baseline scan
21:08:58 ========================================
21:08:58 Files skipped:
21:08:58 ========================================
21:08:58  Always skipped by Semgrep:
21:08:58  Skipped by .gitignore:
21:08:58  (Disable by passing --no-git-ignore)
21:08:58  • <all files not listed by `git ls-files` were skipped>
21:08:58  Skipped by .semgrepignore:
21:08:58  Skipped by --include patterns:
21:08:58  • spec/support/helpers/database/migration_testing_helpers.rb
21:08:58  Skipped by --exclude patterns:
21:08:58  • spec/lib/gitlab/database/migrations/test_batched_background_runner_spec.rb
21:08:58  Skipped by limiting to files smaller than 1000000 bytes:
21:08:58  (Adjust with the --max-target-bytes flag)
21:08:58  Partially analyzed due to parsing or internal Semgrep errors
21:08:58 ┌──────────────┐
21:08:58 │ Scan Summary │
21:08:58 └──────────────┘
21:08:58 Some files were skipped or only partially analyzed.
21:08:58  Scan was limited to files changed since baseline commit.
21:08:58  Scan skipped: 1 files not matching --include patterns, 1 files matching --exclude patterns
21:08:58  For a full list of skipped files, run semgrep with the --verbose flag.
21:08:58 CI scan completed successfully.
21:08:58  Found 0 findings (0 blocking) from 34 rules.
21:08:58  No blocking findings so exiting with code 0
21:08:58 Not sending pseudonymous metrics since metrics are configured to OFF and registry usage is False
21:08:59 Uploading artifacts...
21:08:59 gl-sast-report.json: found 1 matching artifact files and directories
21:08:59 WARNING: Retrying... context=artifacts-uploader error=request redirected
21:09:01 Uploading artifacts as "archive" to coordinator... 201 Created id=8368443758 responseStatus=201 Created token=glcbt-66