Define MIX_HOME within Dockerfile to prevent dynamic runtime definition
By specifying MIX_HOME during the image build we ensure all dependencies are installed to the same location, preventing the location from changing dynamically when mix is first executed.

This does not change the runtime behavior of the analyzer itself, but the analyzer is affected when the container is executed through the SAST orchestrator. Previously this led to the error below, so it appears some context switch in the docker-in-docker execution is at fault.
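The pattern the MR relies on, as an added illustration rather than the analyzer's actual Dockerfile (the base image tag and the `/opt/mix` path are assumptions): MIX_HOME is fixed before Hex and Rebar are installed, so the archives end up in a known location that does not depend on the user or HOME the orchestrator later runs the container with.

```dockerfile
# Illustrative Dockerfile (added example, not the sobelow analyzer's own file).
# Base image tag and install paths are assumptions.
FROM elixir:1.8-alpine

# Pin the Mix home directory at build time. Without this, Mix derives its home
# from $HOME (~/.mix) on first execution, so a container started by an
# orchestrator with a different user or environment would look for Hex in a
# different place than where the build installed it.
ENV MIX_HOME=/opt/mix

# Install Hex and Rebar non-interactively during the build (--force avoids the
# "Shall I install Hex?" prompt seen in the failing run). Both are written under
# $MIX_HOME/archives and are therefore found at runtime regardless of how the
# container is invoked.
RUN mix local.hex --force && mix local.rebar --force

# Install the analyzer as an escript; escripts land under $MIX_HOME/escripts.
RUN mix escript.install hex sobelow --force
ENV PATH="/opt/mix/escripts:${PATH}"
```

A quick sanity check on the built image is `docker run --rm <image> sh -c 'echo $MIX_HOME && ls $MIX_HOME/archives'`, which should list the hex archive without prompting.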
Before:

```
❯ docker run -it --volume "$PWD":/tmp/app --env CI_PROJECT_DIR=/tmp/app registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:latest /analyzer run
Found project in /tmp/app
❯ docker run -it --rm --env SAST_DEFAULT_ANALYZERS="sobelow" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock registry.gitlab.com/gitlab-org/security-products/sast:edge /app/bin/run code
2019/04/10 22:16:12 Copy project directory to containers
2019/04/10 22:16:12 [sobelow] Detect project using plugin
2019/04/10 22:16:12 [sobelow] Project is compatible
2019/04/10 22:16:12 [sobelow] Starting analyzer...
latest: Pulling from gitlab-org/security-products/analyzers/sobelow
Digest: sha256:150c4435f5240a2ed37bccdc9fa4cd85d4b359d4f28e332ccd5827e7d9e83453
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:latest
Found project in /tmp/app
Could not find Hex, which is needed to build dependency :phoenix
** (Mix) Could not find an SCM for dependency :phoenix from ElixirPhoenix.MixProject
2019/04/10 22:16:20 exit status 1
Shall I install Hex? (if running non-interactively, use "mix local.hex --force") [Yn] 2019/04/10 22:16:21 Container exited with non zero status code
```
After:

```
❯ docker run --interactive --tty --rm --env SAST_DEFAULT_ANALYZERS="" --env SAST_ANALYZER_IMAGE_PREFIX="" --env SAST_ANALYZER_IMAGES="analyzer" --env SAST_PULL_ANALYZER_IMAGES="0" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock registry.gitlab.com/gitlab-org/security-products/sast:edge /app/bin/run code
2019/04/10 23:37:27 Copy project directory to containers
2019/04/10 23:37:27 [analyzer] No detection plugin named
2019/04/10 23:37:27 [analyzer] Starting analyzer...
Found project in /tmp/app
+----------------------------------------------------------------------------------------+
| Severity | Tool    | Location                                                          |
+----------------------------------------------------------------------------------------+
| Unknown  | Sobelow | lib/elixir_phoenix_web/controllers/page_controller.ex:9           |
|                                                                                        |
| Unsafe `binary_to_term`                                                                |
+----------------------------------------------------------------------------------------+
.....
```
cc @fcatteau
Edited by Lucas Charles