Add support for self-signed CA certs when fetching npm packages
What does this MR do?
This MR changes the analyzer so that it sets `NODE_EXTRA_CA_CERTS` instead of setting the `--cacert` option of the `retire` command. The custom certificates set in `ADDITIONAL_CA_CERT_BUNDLE` are made available to all Node.js commands, including `npm` and `yarn`, and not only to `retire`.
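The following Go program is an added example, not the analyzer's own code, showing the mechanism the change relies on: the PEM bundle from `ADDITIONAL_CA_CERT_BUNDLE` is validated, written to a file, and handed to every Node-based child process through a single `NODE_EXTRA_CA_CERTS` entry in its environment, instead of a `retire`-only `--cacert` flag. The function names, the `ca-bundle.pem` file name and the throwaway self-signed CA (constructed input standing in for the real variable value) are assumptions made for the demo. The up-front parse matters because Node only prints a warning and falls back to its default trust store when the file in `NODE_EXTRA_CA_CERTS` does not load, which would make a bad bundle look like a registry TLS failure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

const caBundleEnv = "ADDITIONAL_CA_CERT_BUNDLE" // CI variable holding the PEM CA bundle
const nodeExtraCAEnv = "NODE_EXTRA_CA_CERTS"    // read once by Node.js at process start

// validateBundle parses every PEM block and returns the certificate count. Node only warns
// and ignores NODE_EXTRA_CA_CERTS when the file does not parse, so fail loudly here instead.
func validateBundle(bundle []byte) (int, error) {
	count := 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return 0, fmt.Errorf("%s: unexpected PEM block %q", caBundleEnv, block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return 0, fmt.Errorf("%s: certificate %d: %w", caBundleEnv, count+1, err)
		}
		count++
	}
	if count == 0 {
		return 0, fmt.Errorf("%s: no CERTIFICATE blocks found", caBundleEnv)
	}
	return count, nil
}

// writeBundle stores the bundle as dir/ca-bundle.pem (file name is an assumption); CA certs are public, so 0644 is fine.
func writeBundle(dir string, bundle []byte) (string, error) {
	path := filepath.Join(dir, "ca-bundle.pem")
	if err := os.WriteFile(path, bundle, 0o644); err != nil {
		return "", err
	}
	return path, nil
}

// nodeEnv returns base with exactly one NODE_EXTRA_CA_CERTS entry: one setting for retire, npm and yarn alike.
func nodeEnv(base []string, bundlePath string) []string {
	env := make([]string, 0, len(base)+1)
	for _, kv := range base {
		if !strings.HasPrefix(kv, nodeExtraCAEnv+"=") {
			env = append(env, kv)
		}
	}
	return append(env, nodeExtraCAEnv+"="+bundlePath)
}

// selfSignedCAPEM is constructed demo input standing in for the real CI variable value.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo internal registry CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	bundle, err := selfSignedCAPEM() // in CI this would be []byte(os.Getenv(caBundleEnv))
	if err != nil {
		log.Fatal(err)
	}
	n, err := validateBundle(bundle)
	if err != nil {
		log.Fatal(err)
	}
	path, err := writeBundle(os.TempDir(), bundle)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%d CA certificate(s) written to %s\n", n, path)
	for _, argv := range [][]string{{"retire"}, {"npm", "ci"}, {"yarn", "install"}} {
		cmd := exec.Command(argv[0], argv[1:]...)
		cmd.Env = nodeEnv(os.Environ(), path)
		fmt.Printf("%s (with %s=%s)\n", strings.Join(cmd.Args, " "), nodeExtraCAEnv, path)
	}
}
```

The commands are built but not run, so the program works without Node installed; in a job, `cmd.Run()` on each would give `retire`, `npm` and `yarn` the same trust store. Because `NODE_EXTRA_CA_CERTS` is read when the Node process starts, it has to be in the child's environment before `exec`, which is why it is set on `cmd.Env` rather than exported later.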
Tests:
- `js-npm` pipeline with self-signed registry in `.npmrc`, self-signed `retire.js` db, and certs via `ADDITIONAL_CA_CERT_BUNDLE` (should pass): https://gitlab.com/gitlab-org/security-products/tests/js-npm/pipelines/148198162
- `js-npm` pipeline with self-signed registry in `.npmrc`, self-signed `retire.js` db, and certs not set (should fail): https://gitlab.com/gitlab-org/security-products/tests/js-npm/pipelines/148202344
- `js-yarn` pipeline with self-signed registry in `.yarnrc`, self-signed `retire.js` db, and certs via `ADDITIONAL_CA_CERT_BUNDLE` (should pass):
- `js-yarn` pipeline with self-signed registry in `.yarnrc`, self-signed `retire.js` db, and certs not set (should fail):
Note: `yarn` ought to work in theory; however, it cannot be tested the same way as `js-npm` above. It doesn't seem to pick up `.yarnrc` nor `.npmrc` settings for `registry`. There is a known issue with `yarn` picking up a registry config setting: https://github.com/yarnpkg/yarn/issues/4862. This is NOT because of the different syntax `.yarnrc` uses. `yarn` simply ignores the `registry` setting, even when set with `yarn config set registry` and checked with `yarn config get registry`. See gitlab-org/security-products/tests/js-yarn!66 (comment 379631409).
What are the relevant issue numbers?
gitlab-org/gitlab#215478 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer