Allow list build dir and gemnasium-dir in Git config
What does this MR do?
This MR marks the gemnasium-db directory as safe for Git to operate on (a `safe.directory` entry in the Git config).
Without this, non-root users (common with OpenShift) would try to update the repo
and fail because of the owner mismatch detected by Git
(the directory owner would be root:root or 0:0 while the current user would be $RANDOM:0).
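As an added example (not the analyzer's or this MR's code), a shell helper that records the allow-list entry the way this MR describes, with two guards the raw `git config` call in the job log does not have: it checks for an existing entry first, so repeated runs with `--add` do not accumulate duplicates (the log shows both the plain `safe.directory` form and the `--add` form; the plain form replaces rather than appends), and it refuses the `*` wildcard, which would switch off Git's ownership check for every path on the host. It assumes `git` on PATH and uses a throwaway HOME so the real `~/.gitconfig` is untouched.

```shell
#!/bin/sh
# Added example: allow-list one repository path in Git's global config, idempotently.
# Assumes git is on PATH. A throwaway HOME keeps the caller's ~/.gitconfig untouched.
set -eu

export HOME="${HOME_OVERRIDE:-$(mktemp -d)}"

# ensure_safe_directory DIR
# Adds DIR to safe.directory only if it is not already listed (exact match).
# Rejects the '*' wildcard: it disables the dubious-ownership check for every
# path on the machine, and that check is what stops a .git/config owned by
# another user from driving hooks or core.fsmonitor as the current user.
ensure_safe_directory() {
    dir=$1
    case "$dir" in
        '*'|'') echo "refusing to allow-list '$dir'" >&2; return 1 ;;
    esac
    # --get-all exits 1 when the key is absent; grep -Fx does the exact match.
    if git config --global --get-all safe.directory 2>/dev/null | grep -Fxq -- "$dir"; then
        return 0
    fi
    git config --global --add safe.directory "$dir"
}

# count_safe_directories: number of configured entries (0 when none).
count_safe_directories() {
    git config --global --get-all safe.directory 2>/dev/null | grep -c . || true
}

# Demo with the path from this MR: added twice, recorded once.
ensure_safe_directory /gemnasium-db
ensure_safe_directory /gemnasium-db
echo "safe.directory entries: $(count_safe_directories)"
```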
What are the relevant issue numbers?
Fixes the issue found in "Dependency scanning produces invalid permission..." (gitlab-org/gitlab#551333, closed)
Test(s)
I tested this on my own OpenShift runner where a non-root user is used (it still has root group membership).
Running with gitlab-runner 18.2.0 (c24769e8)
  on gitlab-runner-runner-6675f5f4cd-nckfn T4wxQ5rOM, system ID: r_RX9y5rHikTEx
Resolving secrets
section_start:1757956505:prepare_executor
Preparing the "kubernetes" executor
Using Kubernetes namespace: default
Using Kubernetes executor with image registry.gitlab.com/hacks4oats/issue-551333/gemnasium:latest ...
Using attach strategy to execute scripts...
Using effective pull policy of [] for container build
Using effective pull policy of [] for container helper
Using effective pull policy of [] for container init-permissions
section_end:1757956505:prepare_executor
section_start:1757956505:prepare_script
Preparing environment
Using FF_USE_POD_ACTIVE_DEADLINE_SECONDS, the Pod activeDeadlineSeconds will be set to the job timeout: 1h0m0s...
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod default/runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 to be running, status is Pending
ContainersNotReady: "containers with unready status: [build helper]"
ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-t4wxq5rom-project-74371663-concurrent-0-3ge6wxp0 via gitlab-runner-runner-6675f5f4cd-nckfn...
section_end:1757956533:prepare_script
section_start:1757956533:get_sources
Getting source from Git repository
Gitaly correlation ID: 8a960731b07372f1b6a0db49c7fc861d
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/hacks4oats/issue-551333/.git/
Created fresh repository.
Checking out 4cd38b60 as detached HEAD (ref is main)...
Skipping Git submodules setup
section_end:1757956535:get_sources
section_start:1757956535:step_script
Executing "step_script" stage of the job script
$ id
uid=1000(node) gid=0(root) groups=0(root),1000(node)
$ /analyzer run
[INFO] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/cmd/gemnasium/main.go:79] ▶ GitLab Gemnasium analyzer v6.1.10
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/common/v3@v3.4.0/cacert/bundle.go:30] ▶ importing custom CA cert bundle to: "/etc/ssl/certs/ca-certificates.crt"
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: .
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/finder/finder.go:96] ▶ skip ignored directory: .git
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/finder/detect.go:70] ▶ electing npm for npm based on lock file package-lock.json
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/finder/detect.go:92] ▶ rejecting package.json as handled by yarn
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/finder/detect.go:92] ▶ rejecting package.json as handled by pnpm
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/cmd/gemnasium/main.go:452] ▶ Exporting dependencies for /builds/hacks4oats/issue-551333/package.json
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/cmd/gemnasium/main.go:458] ▶ No builder found for package manager npm
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/advisory/repo.go:132] ▶ /usr/bin/git -C /gemnasium-db config --global safe.directory /gemnasium-db
[DEBU] [Gemnasium] [2025-09-15T17:15:35Z] [/go/src/app/advisory/repo.go:132] ▶ /usr/bin/git -C /gemnasium-db remote set-url origin https://gitlab.com/gitlab-org/security-products/gemnasium-db.git
[DEBU] [Gemnasium] [2025-09-15T17:15:36Z] [/go/src/app/advisory/repo.go:132] ▶ /usr/bin/git -C /gemnasium-db fetch --force --tags origin master
From https://gitlab.com/gitlab-org/security-products/gemnasium-db
* branch master -> FETCH_HEAD
02a2f6dd5d..fcd288e60f master -> origin/master
[DEBU] [Gemnasium] [2025-09-15T17:15:38Z] [/go/src/app/advisory/repo.go:132] ▶ /usr/bin/git -C /gemnasium-db checkout master
Already on 'master'
Your branch is behind 'origin/master' by 2 commits, and can be fast-forwarded.
(use "git pull" to update your local branch)
[DEBU] [Gemnasium] [2025-09-15T17:15:38Z] [/go/src/app/advisory/repo.go:145] ▶ /usr/bin/git -C /gemnasium-db symbolic-ref -q HEAD
[DEBU] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/advisory/repo.go:153] ▶ /usr/bin/git -C /gemnasium-db reset --hard origin/master
HEAD is now at fcd288e60f Merge branch 'advng/go/github.com/envoyproxy/envoy/CVE-2025-54588' into 'master'
[DEBU] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/advisory/repo.go:161] ▶ /usr/bin/git -C /gemnasium-db rev-parse HEAD
fcd288e60f6bc2425f319c6bf88dde3c620546b4
[INFO] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/advisory/repo.go:165] ▶ Using commit fcd288e60f6bc2425f319c6bf88dde3c620546b4 of vulnerability database
[DEBU] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/vrange/cli/cli.go:92] ▶ /vrange/npm/rangecheck.js /tmp/vrange_queries1374750230
[
{
"range": ">=0.2.0 <1.9.0||<0.1.10||>=7.0.0 <8.0.0||>=2.0.0 <3.3.0||>=4.0.0 <6.3.0",
"version": "8.3.0",
"satisfies": false
},
{
"range": "<0.1.12",
"version": "8.3.0",
"satisfies": false
},
{
"range": "<1.20.3",
"version": "2.2.0",
"satisfies": false
},
{
"range": "<0.5.2",
"version": "2.0.0",
"satisfies": false
},
{
"range": "< 0.5.2",
"version": "2.0.0",
"satisfies": false
},
{
"range": "<1.0.0",
"version": "6.14.0",
"satisfies": false
},
{
"range": "<1.0.0",
"version": "6.14.0",
"satisfies": false
},
{
"range": ">=1.0.0 <=1.0.2||>=1.1.0 <=1.2.1||>=2.3.1 <=2.3.3||>=2.4.0 <=2.4.2||>=3.0.0 <=3.1.0||>=4.0.0 <=5.2.1||>=6.0.0 <=6.0.3||>=6.1.0 <=6.1.1||>=6.2.0 <=6.2.2||>=6.3.0 <=6.3.1",
"version": "6.14.0",
"satisfies": false
},
{
"range": "<0",
"version": "6.14.0",
"satisfies": false
},
{
"range": ">=6.10.0 <6.10.3||>=6.9.0 <6.9.7||>=6.8.0 <6.8.3||>=6.7.0 <6.7.3||>=6.6.0 <6.6.1||>=6.5.0 <6.5.3||>=6.4.0 <6.4.1||>=6.3.0 <6.3.3||<6.2.4",
"version": "6.14.0",
"satisfies": false
},
{
"range": "<1.0.0",
"version": "6.14.0",
"satisfies": false
},
{
"range": "<0.1.2",
"version": "0.2.0",
"satisfies": false
},
{
"range": "< 0.1.2",
"version": "0.2.0",
"satisfies": false
},
{
"range": "<0.6.1",
"version": "1.0.0",
"satisfies": false
},
{
"range": "<= 0.6.0",
"version": "1.0.0",
"satisfies": false
},
{
"range": "<=0.7.0",
"version": "2.1.3",
"satisfies": false
},
{
"range": "<2.0.0",
"version": "2.1.3",
"satisfies": false
},
{
"range": "=0.5.1",
"version": "2.1.3",
"satisfies": false
},
{
"range": ">=2.0.0 <2.6.9||>=3.0.0 <3.1.0",
"version": "4.4.1",
"satisfies": false
},
{
"range": "<2.6.9||>=3.0.0 <3.1.0",
"version": "4.4.1",
"satisfies": false
},
{
"range": "=4.4.2",
"version": "4.4.1",
"satisfies": false
},
{
"range": "<2.6.9 || >= 3.0.0 <3.1.0",
"version": "4.4.1",
"satisfies": false
},
{
"range": "<=1.0.5",
"version": "1.2.2",
"satisfies": false
},
{
"range": "<=1.0.3",
"version": "1.2.2",
"satisfies": false
},
{
"range": "<1.6.5||>=1.7.0 <1.7.2",
"version": "2.2.0",
"satisfies": false
},
{
"range": "<1.16.0||>=2.0.0 <2.1.0",
"version": "2.2.0",
"satisfies": false
},
{
"range": "<0.7.0",
"version": "0.7.2",
"satisfies": false
},
{
"range": "<0.8.4",
"version": "1.2.0",
"satisfies": false
},
{
"range": "<0.11.1",
"version": "1.2.0",
"satisfies": false
},
{
"range": "<0.19.0",
"version": "1.2.0",
"satisfies": false
},
{
"range": "<0.8.4",
"version": "1.2.0",
"satisfies": false
},
{
"range": "<3.11.0 || >=4.0.0-rc1 <4.5.0",
"version": "5.1.0",
"satisfies": false
},
{
"range": "<4.17.3",
"version": "5.1.0",
"satisfies": false
},
{
"range": "<4.0.0-rc1",
"version": "5.1.0",
"satisfies": false
},
{
"range": "<4.19.2||>=5.0.0-alpha.1 <5.0.0-beta.3",
"version": "5.1.0",
"satisfies": false
},
{
"range": "<4.20.0||>=5.0.0-alpha.1 <5.0.0",
"version": "5.1.0",
"satisfies": false
},
{
"range": ">=3.4.5 <4.0.0-rc1",
"version": "5.1.0",
"satisfies": false
}
]
[DEBU] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/libfinder/retire.go:73] ▶ /usr/local/bin/retire --outputformat json --outputpath retire-jsrepository.json --exitwith 0 --jsrepo /jsrepository-v4.json
[INFO] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/convert/cli.go:55] ▶ using schema model 15
[INFO] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/cmd/gemnasium/main.go:434] ▶ /usr/bin/git config --global --add safe.directory /builds/hacks4oats/issue-551333
[DEBU] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/cmd/gemnasium/main.go:439] ▶ /usr/bin/git -C /builds/hacks4oats/issue-551333 status
HEAD detached at 4cd38b6
Untracked files:
(use "git add <file>..." to include in what will be committed)
gl-sbom-npm-npm.cdx.json
retire-jsrepository.json
sbom-manifest.json
nothing added to commit but untracked files present (use "git add" to track)
[INFO] [Gemnasium] [2025-09-15T17:15:39Z] [/go/src/app/cmd/gemnasium/main.go:402] ▶ Cannot auto-remediate dependency file, not supported: package-lock.json
section_end:1757956539:step_script
section_start:1757956539:upload_artifacts_on_success
Uploading artifacts for successful job
Uploading artifacts...
**/gl-sbom-*.cdx.json: found 1 matching artifact files and directories
Uploading artifacts as "archive" to coordinator... 201 Created correlation_id=68226e712dcebf837575129cc7cfbff9 id=11360727579 responseStatus=201 Created token=6a_8AFsTm
Uploading artifacts...
**/gl-sbom-*.cdx.json: found 1 matching artifact files and directories
Uploading artifacts as "cyclonedx" to coordinator... 201 Created correlation_id=7e53881f5baa76838396588760317b07 id=11360727579 responseStatus=201 Created token=6a_8AFsTm
Uploading artifacts...
gl-dependency-scanning-report.json: found 1 matching artifact files and directories
Uploading artifacts as "dependency_scanning" to coordinator... 201 Created correlation_id=25eca00f3569b477bcba1012de544aff id=11360727579 responseStatus=201 Created token=6a_8AFsTm
section_end:1757956542:upload_artifacts_on_success
section_start:1757956542:cleanup_file_variables
Cleaning up project directory and file based variables
section_end:1757956542:cleanup_file_variables
Job succeeded
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Oscar Tovar