
Upgrade core deps, remove no-op commands from Dockerfile, fix custom cert issues

James Liu requested to merge jliu/bulk-bump-common-3.2.0 into main

What does this MR do?

  • Bumps the common and command libraries to their latest versions.
  • Removes some commands from the Dockerfile that weren't actually doing anything.
  • Adds a fix to the Dockerfile to allow custom certs to work on OpenShift.

The main purpose of this change was to support double star glob patterns, but bumping these packages also resolved an issue with using custom CA certs in the FIPS image.

This problem was caused by a mismatch in the certificate bundle path between the Dockerfile.fips and version 2.24.0 of common, which was being used prior to this bump. You can see evidence of this issue by looking at this pipeline that was run on an earlier commit of this branch. Upgrading the command package solves this, because the common/cacert package is indirectly invoked by it, and not by the analyser.

Commands in the non-FIPS Dockerfile to set up the semgrep user and grant it permissions on the .pem file were also removed, as they were effectively a no-op. USER semgrep was never specified in the runtime stage of the Dockerfile (so the analyser was running under root), and the .pem file is no longer used in common > 2.24.0. A small change was also made to set the correct permissions on the cert bundle, to allow custom certs to work properly when running on OpenShift.

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by James Liu
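The OpenShift permission fix is only summarised in the MR description, so the following is an added example (not code from the MR or from the project's Dockerfile) of the general pattern it refers to. It assumes the usual OpenShift constraint for the restricted SCC: the container runs as an arbitrary non-root UID that is a member of the root group (GID 0), so any file the process must read or update at runtime needs group-level permissions for GID 0. The bundle path, function names and the placeholder certificate content are assumptions for illustration; the project's actual diff may differ.

```shell
#!/bin/sh
# Added example, not from the MR. Make a CA bundle usable when the container
# runs as an arbitrary non-root UID whose only group is GID 0 (OpenShift
# restricted SCC). Bundle path and function names are assumed.
set -eu

BUNDLE_PATH="${BUNDLE_PATH:-/etc/ssl/certs/ca-certificates.crt}"   # assumed location

# prepare_bundle_for_arbitrary_uid: give the root group (GID 0) read/write on
# the bundle so a runtime UID in that group can read it and append a custom CA.
# Meant to run from a Dockerfile RUN step, which executes as root at build time.
prepare_bundle_for_arbitrary_uid() {
    f="$1"
    # chgrp to GID 0 needs root; outside a build stage it may fail, so warn only.
    chgrp 0 "$f" 2>/dev/null || echo "warning: could not chgrp $f to GID 0 (not root?)" >&2
    # 0664: owner rw, group rw, others r. World-writable (0666/0777) is never needed here.
    chmod 0664 "$f"
}

# group_perms: print the group permission triplet (e.g. rw-) of a file,
# parsed from ls -ld so it works on both GNU and BSD userlands.
group_perms() {
    ls -ld "$1" | cut -c5-7
}

# check_bundle: succeed only if the group has read+write on the bundle, which
# is what an arbitrary-UID process in GID 0 needs to read it and add a cert.
check_bundle() {
    [ "$(group_perms "$1")" = "rw-" ]
}

# Demo on a constructed bundle in a temp dir, not the real system bundle.
demo() {
    tmp=$(mktemp -d)
    bundle="$tmp/ca-certificates.crt"
    # Constructed placeholder content, not a real certificate.
    printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n' > "$bundle"
    chmod 0644 "$bundle"   # typical default: group can read but not write
    if check_bundle "$bundle"; then
        echo "before: group already has rw (unexpected)"
    else
        echo "before: group cannot write the bundle"
    fi
    prepare_bundle_for_arbitrary_uid "$bundle"
    check_bundle "$bundle" && echo "after: group can read/write $bundle ($(group_perms "$bundle"))"
    rm -rf "$tmp"
}

demo
```

In a Dockerfile the same two commands would sit in a RUN step of the runtime stage after the bundle is written, so the permissions survive into the final image; the check function is only there to make the effect observable outside a cluster. Note that the bundle remains non-writable by "others", so a process that is neither root nor in GID 0 still cannot tamper with it.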
