Difficulties using SecurityCodeScan SAST analyzer in multi-project .NET Core solution

Summary

When running the SecurityCodeScan SAST analyzer in my project, I consistently get "exit status 1" results from the analyzer, without any further details.

Steps to reproduce

docker run --interactive --tty --rm --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock registry.gitlab.com/gitlab-org/security-products/sast:${VERSION:-latest} /app/bin/run /code

This command, taken from the repository and run in the project folder, causes the issue. I did not try it from GitLab itself, as I wanted to test out the SAST analyzers myself manually first.

Example Project

A sample project with this behaviour: https://gitlab.com/josemaia/gitlabtest/tree/master

What is the current bug behavior?

Exit status 1 from this analyzer, crashing the whole test.

What is the expected correct behavior?

Successful detection of the vulnerable patterns (i.e. hardcoded password in the example)

Relevant logs and/or screenshots

2: Pulling from gitlab-org/security-products/analyzers/security-code-scan
Digest: sha256:ccbd54a6cf0de9370c08d8e336ef14c5e71c7bc8cf2b3c27a1b0b662f733f0a5
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/analyzers/security-code-scan:2
Found project in /tmp/app/Dependencies
2019/05/23 12:48:13 exit status 1
2019/05/23 12:48:13 Container exited with non zero status code

Output of checks

Not applicable, as I'm running outside of GitLab itself.

Possible fixes

See this comment. Either we need to wait for the MR referenced in that comment to be merged, or extract the changes relevant to this problem into a new MR, specifically the changes around finding all the projects in the solution and injecting the scanner into each of those projects.
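To make the "find all projects, inject the scanner into each" step concrete, here is an added POSIX shell example (not the GitLab analyzer's code and not from the example project). It parses the `Project(...)` lines of a `.sln` file, keeps only real project files (skipping solution folders), and adds the SecurityCodeScan NuGet package to each; the sample solution, its GUIDs and the `dotnet add <proj> package SecurityCodeScan` invocation are assumptions for illustration.

```shell
#!/bin/sh
# Added example: enumerate every project in a .NET solution and inject the
# SecurityCodeScan analyzer into each, instead of scanning a single project
# (the log above shows only "/tmp/app/Dependencies" being picked up).
set -eu

# Print the path of every .csproj/.vbproj/.fsproj listed in a .sln, one per
# line, with Windows path separators normalised to '/'. Solution folders
# ("Project(...) = "Name", "Name", "{GUID}"") carry no extension and are dropped.
list_sln_projects() {
    sed -n 's/^Project("{[^}]*}") = "[^"]*", "\([^"]*\)", "{[^}]*}".*/\1/p' "$1" \
        | grep -E '\.(csproj|vbproj|fsproj)$' \
        | tr '\\' '/'
}

# Inject the analyzer into each project found. Assumes the dotnet CLI is
# installed; nothing here is run by the verifier's test.
inject_scanner() {
    sln="$1"
    sln_dir=$(dirname "$sln")
    list_sln_projects "$sln" | while IFS= read -r proj; do
        echo "Injecting SecurityCodeScan into $sln_dir/$proj"
        dotnet add "$sln_dir/$proj" package SecurityCodeScan
    done
}

# Constructed sample solution (two projects plus one solution folder); the
# project-type GUIDs and paths are illustrative only.
write_sample_sln() {
    cat > "$1" <<'EOF'
Microsoft Visual Studio Solution File, Format Version 12.00
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Web", "src\Web\Web.csproj", "{11111111-1111-1111-1111-111111111111}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Dependencies", "src\Dependencies\Dependencies.csproj", "{22222222-2222-2222-2222-222222222222}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{33333333-3333-3333-3333-333333333333}"
EndProject
EOF
}
```

Run `write_sample_sln sample.sln && list_sln_projects sample.sln` to see both project paths; `inject_scanner sample.sln` then performs the package injection when `dotnet` is available.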

Edited by rossfuhrman