Skip to content
Snippets Groups Projects

semgrep-sast

Passed Started by
Michał Wielich
@michold
Log timestamps in UTC.
117:14:53Running with gitlab-runner 17.7.0~pre.103.g896916a8 (896916a8)
217:14:53 on green-4.private.runners-manager.gitlab.com/gitlab.com/gitlab-org rpvz2FF9, system ID: s_d704414ba02a
317:14:53 feature flags: FF_NETWORK_PER_BUILD:true, FF_USE_FASTZIP:true, FF_TIMESTAMPS:true
417:14:53Resolving secrets
5 17:14:53 Preparing the "docker+machine" executor 00:08
617:14:53Using Docker executor with image registry.gitlab.com/security-products/semgrep:5 ...
717:14:56Authenticating with credentials from job payload (GitLab Registry)
817:14:56Pulling docker image registry.gitlab.com/security-products/semgrep:5 ...
917:15:01Using docker image sha256:42aa25a599dba49f867222b9fe6af6781642ec1ab4503e3f74b104263d0f8c3c for registry.gitlab.com/security-products/semgrep:5 with digest registry.gitlab.com/security-products/semgrep@sha256:ce69540e46e1545e13622b30663ccf91227b72d3ec971ebda8ac1943d70b8f68 ...
10 17:15:01 Preparing environment 00:03
1117:15:04Running on runner-rpvz2ff9-project-278964-concurrent-0 via runner-rpvz2ff9-private-1740412875-821f33c2...
12 17:15:04 Getting source from Git repository 00:44
1317:15:05Fetching changes with git depth set to 20...
1417:15:05Initialized empty Git repository in /builds/gitlab-org/gitlab/.git/
1517:15:05Created fresh repository.
1617:15:06remote: Enumerating objects: 259387, done.
1717:15:06remote: Counting objects: 100% (259387/259387), done.
1817:15:06remote: Compressing objects: 100% (151443/151443), done.
1917:15:06remote: Total 259387 (delta 144948), reused 187574 (delta 98199), pack-reused 0 (from 0)
2017:15:12Receiving objects: 100% (259387/259387), 198.23 MiB | 30.45 MiB/s, done.
2117:15:12Resolving deltas: 100% (144948/144948), done.
2217:15:29From https://us-east1-d.ci-gateway.int.gprd.gitlab.net:8989/gitlab-org/gitlab
2317:15:29 * [new ref] refs/pipelines/1686224521 -> refs/pipelines/1686224521
2417:15:29Checking out 9c5e00a2 as detached HEAD (ref is refs/merge-requests/182450/merge)...
2517:15:45Skipping Git submodules setup
2617:15:45$ git remote set-url origin "${CI_REPOSITORY_URL}"
27 17:15:48 Executing "step_script" stage of the job script 00:53
2817:15:48Using docker image sha256:42aa25a599dba49f867222b9fe6af6781642ec1ab4503e3f74b104263d0f8c3c for registry.gitlab.com/security-products/semgrep:5 with digest registry.gitlab.com/security-products/semgrep@sha256:ce69540e46e1545e13622b30663ccf91227b72d3ec971ebda8ac1943d70b8f68 ...
2917:15:48$ /analyzer run
3017:15:48[INFO] [Semgrep] [2025-02-24T17:15:48Z] ▶ GitLab Semgrep analyzer v5.27.0
3117:15:48[INFO] [Semgrep] [2025-02-24T17:15:48Z] ▶ Detecting project
3217:15:48[INFO] [Semgrep] [2025-02-24T17:15:48Z] ▶ Analyzer will attempt to analyze all projects in the repository
3317:15:48[INFO] [Semgrep] [2025-02-24T17:15:48Z] ▶ Loading ruleset for /builds/gitlab-org/gitlab
3417:15:48[INFO] [Semgrep] [2025-02-24T17:15:48Z] ▶ Loading project-level ruleset configuration file from '/builds/gitlab-org/gitlab/.gitlab/sast-ruleset.toml'
3517:15:48[INFO] [Semgrep] [2025-02-24T17:15:48Z] ▶ Running analyzer
3617:15:48[INFO] [Semgrep] [2025-02-24T17:15:48Z] ▶ Running passthroughs with timeout 60
3717:15:49[INFO] [Semgrep] [2025-02-24T17:15:49Z] ▶ 1 active rule files detected with 2 active rules
3817:15:49[INFO] [Semgrep] [2025-02-24T17:15:49Z] ▶ * rule file '/sgrules/rules.yml': 'ccdeee03c5e55b51e0ce0f5dd7600cbdeb2b4147369fa735bd85d5d5d4ae15eb'
3917:15:49[INFO] [Semgrep] [2025-02-24T17:15:49Z] ▶ Combined rule checksum: '1fdef58cb887cbb18dde5a086c038e29b887c1e2b70432708a84b9045b3caa1d'
4017:15:49[INFO] [Semgrep] [2025-02-24T17:15:49Z] ▶ No manifest file specified
4117:15:50[INFO] [Semgrep] [2025-02-24T17:15:50Z] ▶ METRICS: Using configs from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.
4217:15:50[INFO] [Semgrep] [2025-02-24T17:15:50Z] ▶ To disable Registry rule metrics, use "--metrics=off".
4317:15:50[INFO] [Semgrep] [2025-02-24T17:15:50Z] ▶ Using configs only from local files (like --config=xyz.yml) does not enable metrics.
4417:15:50[INFO] [Semgrep] [2025-02-24T17:15:50Z] ▶
4517:15:50[INFO] [Semgrep] [2025-02-24T17:15:50Z] ▶ More information: https://semgrep.dev/docs/metrics
4617:15:50[INFO] [Semgrep] [2025-02-24T17:15:50Z] ▶
4717:16:07[INFO] [Semgrep] [2025-02-24T17:16:07Z] ▶
4817:16:07[INFO] [Semgrep] [2025-02-24T17:16:07Z] ▶
4917:16:07[INFO] [Semgrep] [2025-02-24T17:16:07Z] ▶ ┌─────────────┐
5017:16:07[INFO] [Semgrep] [2025-02-24T17:16:07Z] ▶ │ Scan Status │
5117:16:07[INFO] [Semgrep] [2025-02-24T17:16:07Z] ▶ └─────────────┘
5217:16:07[INFO] [Semgrep] [2025-02-24T17:16:07Z] ▶ Scanning 83168 files with 2 Code rules:
5317:16:08[INFO] [Semgrep] [2025-02-24T17:16:08Z] ▶
5417:16:08[INFO] [Semgrep] [2025-02-24T17:16:08Z] ▶ Language Rules Files Origin Rules
5517:16:08[INFO] [Semgrep] [2025-02-24T17:16:08Z] ▶ ────────────────────────── ────────────────
5617:16:08[INFO] [Semgrep] [2025-02-24T17:16:08Z] ▶ ruby 1 21010 Custom 2
5717:16:08[INFO] [Semgrep] [2025-02-24T17:16:08Z] ▶ js 1 3774
5817:16:08[INFO] [Semgrep] [2025-02-24T17:16:08Z] ▶
5917:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶
6017:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶
6117:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ ┌──────────────┐
6217:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ │ Scan Summary │
6317:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ └──────────────┘
6417:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ Some files were skipped or only partially analyzed.
6517:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ Partially scanned: 2 files only partially analyzed due to parsing or internal Semgrep errors
6617:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ Scan skipped: 26699 files matching --exclude patterns, 258 files matching .semgrepignore patterns
6717:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ For a full list of skipped files, run semgrep with the --verbose flag.
6817:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶
6917:16:37[INFO] [Semgrep] [2025-02-24T17:16:37Z] ▶ Ran 2 rules on 24784 files: 59 findings.
7017:16:40[INFO] [Semgrep] [2025-02-24T17:16:40Z] ▶ Creating report
7117:16:40[INFO] [Semgrep] [2025-02-24T17:16:40Z] ▶ Running passthroughs with timeout 60
7217:16:40[WARN] [Semgrep] [2025-02-24T17:16:40Z] ▶ tool notification warning: Timeout Timeout when running glappsec_dangerous_string_interpolation on public/-/speedscope/import.e3a73ef4.js:
7317:16:40
7417:16:40[WARN] [Semgrep] [2025-02-24T17:16:40Z] ▶ tool notification warning: Timeout Timeout when running glappsec_dangerous_string_interpolation on public/-/speedscope/speedscope.026f36b0.js:
7517:16:40
7617:16:40[INFO] [2025-02-24T17:16:40Z] ▶ /builds/gitlab-org/gitlab/gl-report-post.json written
77 17:16:41 Uploading artifacts for successful job 00:04
7817:16:41Uploading artifacts...
7917:16:41gl-sast-report.json: found 1 matching artifact files and directories
8017:16:41WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/9229131521/artifacts?artifact_format=zip&artifact_type=archive&expire_in=1+week new-url=https://gitlab.com
8117:16:41WARNING: Retrying... context=artifacts-uploader error=request redirected
8217:16:43Uploading artifacts as "archive" to coordinator... 201 Created id=9229131521 responseStatus=201 Created token=glcbt-66
8317:16:43Uploading artifacts...
8417:16:43gl-sast-report.json: found 1 matching artifact files and directories
8517:16:43WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/9229131521/artifacts?artifact_format=raw&artifact_type=sast&expire_in=1+week new-url=https://gitlab.com
8617:16:43WARNING: Retrying... context=artifacts-uploader error=request redirected
8717:16:45Uploading artifacts as "sast" to coordinator... 201 Created id=9229131521 responseStatus=201 Created token=glcbt-66
88 17:16:45 Cleaning up project directory and file based variables 00:01
8917:16:49Job succeeded