Add support for self-signed CA certs when fetching npm packages

Igor Frenkel requested to merge 215478-add-additional-cert into master

What does this MR do?

This MR changes the analyzer so that it sets NODE_EXTRA_CA_CERTS instead of setting the --cacert option of the retire command. The custom certificates set in ADDITIONAL_CA_CERT_BUNDLE are made available to all Node.js commands, including npm and yarn, and not only to retire.

Tests:

Note: yarn ought to work in theory, however it cannot be tested the same way as js-npm above. It doesn't seem to pick up .yarnrc nor .npmrc settings for registry. There is a known issue with yarn picking up a registry config setting: https://github.com/yarnpkg/yarn/issues/4862. This is NOT because of the different syntax .yarnrc uses. yarn simply ignores the registry setting, even when set with yarn config set registry and checked with yarn config get registry. See gitlab-org/security-products/tests/js-yarn!66 (comment 379631409)

What are the relevant issue numbers?

gitlab-org/gitlab#215478 (closed)

Does this MR meet the acceptance criteria?

Edited by Fabien Catteau
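
One way to do what this MR describes, as an added shell example (not the analyzer's code): check the bundle in ADDITIONAL_CA_CERT_BUNDLE, write it to a file and export NODE_EXTRA_CA_CERTS before any Node.js command starts. The function name, the sample bundle and the structural PEM check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the analyzer's code. setup_extra_ca and SAMPLE_BUNDLE are
# hypothetical names; the two environment variables are the ones in the MR.

# Constructed sample: PEM framing only, the bodies are not real certificates.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY0001
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODY0002
-----END CERTIFICATE-----'

# Write ADDITIONAL_CA_CERT_BUNDLE to a file and export NODE_EXTRA_CA_CERTS.
# $1 (optional) is the output path. Returns 0 = exported, 1 = rejected,
# 2 = no bundle supplied (Node's default trust store is left untouched).
setup_extra_ca() {
    [ -n "${ADDITIONAL_CA_CERT_BUNDLE:-}" ] || return 2
    bundle=$(printf '%s\n' "$ADDITIONAL_CA_CERT_BUNDLE" | tr -d '\r')

    # A CI variable holding key material must never be written out as a "CA".
    case "$bundle" in *"PRIVATE KEY-----"*) return 1 ;; esac

    # Node only warns on a missing or malformed file and keeps running with
    # the default roots, so catch a truncated bundle before npm hits TLS errors.
    begins=$(printf '%s\n' "$bundle" | grep -c -e '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(printf '%s\n' "$bundle" | grep -c -e '^-----END CERTIFICATE-----$' || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] || return 1

    ca_file="${1:-$(mktemp)}" || return 1
    # Anyone who can write this file can add a trusted root: no group/other write.
    ( umask 022; printf '%s\n' "$bundle" > "$ca_file" ) || return 1

    # Read once at process start, so export before launching node/npm/yarn/retire.
    NODE_EXTRA_CA_CERTS="$ca_file"
    export NODE_EXTRA_CA_CERTS
}

# Demo run: falls back to the constructed sample when no bundle is set.
: "${ADDITIONAL_CA_CERT_BUNDLE:=$SAMPLE_BUNDLE}"
setup_extra_ca && echo "NODE_EXTRA_CA_CERTS=$NODE_EXTRA_CA_CERTS"
```

NODE_EXTRA_CA_CERTS extends Node's built-in roots rather than replacing them, and Node ignores it when the binary runs setuid root or has Linux file capabilities set.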