Add option to run the retire.js analyzer in verbose mode

Problem to solve

Sometimes the upstream retire.js scanner will fail with an error exit code (e.g. 1) without giving details as to why. It would be helpful if the scanner wrote a verbose log of what happened before the failure to help debug the issue.

Proposal

At first, simply passing the --verbose command line argument to the upstream scanner seemed to make sense. However, testing showed that this does not work: when run with the outputformat and outputpath variables (which the analyzer needs in order to generate a report), the retire.js scanner does not output logging information.

An update to the upstream retire.js scanner is needed, after which verbose mode can be added to the analyzer.

Implementation plan

  • update the upstream retire.js scanner to split logging from the report output and create a PR in the project
  • add RETIREJS_VERBOSE flag to the retire.js analyzer
  • pass flag to the scanner via a command line argument

Documentation

Testing

  • run the analyzer against test projects (js-npm, js-yarn) with the RETIREJS_VERBOSE flag set; this should succeed AND generate verbose output from the scanner in the analyzer's job output.

What does success look like, and how can we measure that?

Users are able to see verbose logging in the retire.js analyzer's job output by setting the RETIREJS_VERBOSE environment variable to true.

What is the type of buyer?

GitLab Ultimate

Links / references

ZD https://gitlab.zendesk.com/agent/tickets/122044 (internal)

Edited by Igor Frenkel