I'm testing the SAST functionnality provided automatically by Gitlab.
My project (java, spring boot, maven) compiles well locally with mvn clean package.
I'm working with a hosted Gitlab and shared runners.
CI wasn't implemented yet.
I chose the generated .gitlab-ci.yml file
stages:
- test
sast:
stage: test
include:
- template: Security/SAST.gitlab-ci.yml
And then, the job fails with a message like :
$ /analyzer run
[INFO] [Find Security Bugs] [2021-11-01T16:27:54Z] ▶ GitLab Find Security Bugs analyzer v2.28.7
[INFO] [Find Security Bugs] [2021-11-01T16:27:54Z] ▶ Detecting project
[INFO] [Find Security Bugs] [2021-11-01T16:27:54Z] ▶ Found project in /builds/myrepo/myproject
[INFO] [Find Security Bugs] [2021-11-01T16:27:54Z] ▶ Running analyzer
[INFO] [Find Security Bugs] [2021-11-01T16:27:54Z] ▶ Found Mvnw project in /builds/myrepo/myproject directory
[INFO] [Find Security Bugs] [2021-11-01T16:27:54Z] ▶ Found 1 analyzable projects.
[INFO] [Find Security Bugs] [2021-11-01T16:27:54Z] ▶ Building Mvnw project at /builds/myrepo/myproject.
[ERRO] [Find Security Bugs] [2021-11-01T16:29:08Z] ▶ Project couldn't be built: exit status 1
[FATA] [Find Security Bugs] [2021-11-01T16:29:08Z] ▶ exit status 1
How can I know what went wrong ?
The error is in the second to last line of the container:
[ERRO] [Find Security Bugs] [2021-11-01T16:29:08Z] ▶ Project couldn't be built: exit status 1
[FATA] [Find Security Bugs] [2021-11-01T16:29:08Z] ▶ exit status 1
Assuming that your maven job is building fine locally, and it's building fine in a different maven container, I'd suggest that you configure the logging on the SAST job using the logging levels defined in the documentation, and gather some additional information: https://docs.gitlab.com/ee/user/application_security/sast/#logging-level
Related
I'm attempting to setup GitLab dependency scanning for a repository in my self-hosted GitLab server. I have included the job template and the test stage since I have overridden the stage clause. The job starts, but it fails soon after. When I set the variable SECURE_LOG_LEVEL to debug I see the following output.
$ /analyzer run
Using java version 'adoptopenjdk-17.0.2+8'
[INFO] [gemnasium-maven] [2023-01-28T15:21:00Z] [/go/src/app/cmd/gemnasium-maven/main.go:55] ▶ GitLab gemnasium-maven analyzer v3.11.1
[DEBU] [gemnasium-maven] [2023-01-28T15:21:00Z] [/go/src/app/finder/finder.go:64] ▶ inspect directory: .
[DEBU] [gemnasium-maven] [2023-01-28T15:21:00Z] [/go/src/app/finder/finder.go:96] ▶ skip ignored directory: .git
[DEBU] [gemnasium-maven] [2023-01-28T15:21:00Z] [/go/src/app/finder/detect.go:84] ▶ Selecting gradle for maven because this is the first match
[INFO] [gemnasium-maven] [2023-01-28T15:21:00Z] [/go/src/app/finder/finder.go:116] ▶ Detected supported dependency files in '.'. Dependency files detected in this directory will be processed. Dependency files in other directories will be skipped.
[DEBU] [gemnasium-maven] [2023-01-28T15:21:00Z] [/go/src/app/cmd/gemnasium-maven/main.go:234] ▶ Exporting dependencies for /path/to/my/app/build.gradle
[DEBU] [gemnasium-maven] [2023-01-28T15:21:05Z] [/go/src/app/builder/gradle/gradle.go:85] ▶ /path/to/my/app/gradlew --init-script /gemnasium-gradle-plugin-init.gradle gemnasiumDumpDependencies
Downloading https://services.gradle.org/distributions/gradle-7.1.1-bin.zip
..........10%...........20%...........30%..........40%...........50%...........60%..........70%...........80%...........90%...........100%
Welcome to Gradle 7.1.1!
Here are the highlights of this release:
- Faster incremental Java compilation
- Easier source set configuration in the Kotlin DSL
For more details see https://docs.gradle.org/7.1.1/release-notes.html
Starting a Gradle Daemon (subsequent builds will be faster)
FAILURE: Build failed with an exception.
* Where:
Initialization script '/gemnasium-gradle-plugin-init.gradle'
* What went wrong:
Could not compile initialization script '/gemnasium-gradle-plugin-init.gradle'.
> startup failed:
> General error during conversion: Unsupported class file major version 61
java.lang.IllegalArgumentException: Unsupported class file major version 61
at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:189)
at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:170)
at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:156)
at groovyjarjarasm.asm.ClassReader.<init>(ClassReader.java:277)
...
How can I resolve this issue? I am using GitLab server v15.7.5.
I found a StackOverflow thread that is very similar to the issue I'm having.
It appears the version of ASM bundled with GitLab gemnasium-maven analyzer v3.11 does not support class files version 61 in Java v17.0.2+8.
I was able to get this working by downgrading GitLab gemnasium-maven analyzer to v2.31.0 and have filed a support request with GitLab to notify them of the issue.
To downgrade the dependency scanner, add the following block of code to your CICD template
.ds-analyzer:
variables:
DS_MAJOR_VERSION: 2
I am trying to use Infrastructure as Code (IaC) Scanning scans my IaC configuration files for known vulnerabilities. Reference: https://docs.gitlab.com/ee/user/application_security/iac_scanning/. However, I encountered the system problem in the pipeline.
[DEBU] [kics] [2022-11-11T03:55:29Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command#v1.9.2/run.go:256] ▶ SAST_EXCLUDED_PATHS=spec,test,tests,tmp39
[INFO] [kics] [2022-11-11T03:55:29Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command#v1.9.2/run.go:131] ▶ Detecting project
[INFO] [kics] [2022-11-11T03:55:29Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command#v1.9.2/run.go:153] ▶ Analyzer will attempt to analyze all projects in the repository41
[INFO] [kics] [2022-11-11T03:55:29Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command#v1.9.2/run.go:165] ▶ Running analyzer42
[DEBU] [kics] [2022-11-11T03:55:29Z] [/go/src/app/analyze.go:48] ▶ custom rulesets not enabled
[INFO] [kics] [2022-11-11T03:55:29Z] [/go/src/app/analyze.go:67] ▶ path /builds/leo/tcf
[ERRO] [kics] [2022-11-11T03:55:38Z] [/go/src/app/analyze.go:87] ▶ Encountered a system problem; status code: 2, error: exit status 2, detail:
[FATA] [kics] [2022-11-11T03:55:38Z] [/go/src/app/main.go:30] ▶ kics scanner failure: exit status 2
Uploading artifacts for failed job00:0048Uploading artifacts...
WARNING: gl-sast-report.json: no matching files. Ensure that the artifact path is relative to the working directory
ERROR: No files to upload
Cleaning up project directory and file based variables00:0154ERROR: Job failed: exit code 1
I can't find relevant information about the errors. How can I solve the errors?
You can use your own config, independent of the GitLab template.
gitlab-ci.yml:
image:
name: checkmarx/kics:latest
entrypoint: [""]
script:
- kics scan -q /app/bin/assets/queries -p ${PWD} --ignore-on-exit all --report-formats glsast -o ${PWD} --output-name kics-results
artifacts:
reports:
sast: gl-sast-kics-results.json
when: always
I have an error when using the template for IaC SAST.
Gitlab is 14.10, installed in my cloud, and accessible from the internet (I changed my real GitLab ULR to owngitlab.com)
The GitLab runner is installed in k8s.
Try to use SAST in my projects, but I get errors. Could somebody please help with this?
Here is part of my .gitlab-ci.yml
include:
- template: Security/SAST-IaC.latest.gitlab-ci.yml
stages:
- test
Pipeline log:
$ /analyzer run
[INFO] [kics] [2022-05-20T12:41:44Z] ▶ GitLab kics analyzer v1.5.2
[INFO] [kics] [2022-05-20T12:41:44Z] ▶ Detecting project
[INFO] [kics] [2022-05-20T12:41:44Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [kics] [2022-05-20T12:41:44Z] ▶ Running analyzer
[INFO] [kics] [2022-05-20T12:41:44Z] ▶ path /builds/tf/modules
[INFO] [kics] [2022-05-20T12:42:43Z] ▶ Creating report
[WARN] [kics] [2022-05-20T12:42:43Z] ▶ Could not detect git executable
Uploading artifacts for successful job
Uploading artifacts...
gl-sast-report.json: found 1 matching files and directories
ERROR: Uploading artifacts as "sast" to coordinator... error error=couldn't execute POST against https://owngitlab.com/api/v4/jobs/139/artifacts?artifact_format=raw&artifact_type=sast: Post "https://owngitlab.com/api/v4/jobs/139/artifacts?artifact_format=raw&artifact_type=sast": open gl-sast-report.json: permission denied id=139 token=hZ5dXhA7
WARNING: Retrying... context=artifacts-uploader error=invalid argument
ERROR: Uploading artifacts as "sast" to coordinator... error error=couldn't execute POST against https://owngitlab.com/api/v4/jobs/139/artifacts?artifact_format=raw&artifact_type=sast: Post "https://owngitlab.com/api/v4/jobs/139/artifacts?artifact_format=raw&artifact_type=sast": open gl-sast-report.json: permission denied id=139 token=hZ5dXhA7
WARNING: Retrying... context=artifacts-uploader error=invalid argument
ERROR: Uploading artifacts as "sast" to coordinator... error error=couldn't execute POST against https://owngitlab.com/api/v4/jobs/139/artifacts?artifact_format=raw&artifact_type=sast: Post "https://owngitlab.com/api/v4/jobs/139/artifacts?artifact_format=raw&artifact_type=sast": open gl-sast-report.json: permission denied id=139 token=hZ5dXhA7
FATAL: invalid argument
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: command terminated with exit code 1
I am running the 32-bit build of Ubuntu 18.04 and attempting to build a 32-bit Jenkins from the source.
It fails in the last stage (see below) because it cannot find a Linux x86 build of Nodejs. They don't make 32-bit versions for Linux anymore. I'm fine with that - I have downloaded the 14.15.4 Nodejs sources and built my own 32-bit version. How can I override the Jenkins maven build that is attempting to download a non-existent package directly from the Nodejs distribution site?
I have tried prepositioning my home-built node-14.15.4-linux-x86.tar.gz in the appropriate location, but the build is getting killed because the package does not exist on the website it is attempting to download from (404 - Not Found). If I could stop it trying to download or tell it to pull the .tar.gz package from the local filesystem, I think that should fix the problem. I haven't found anything online and maven configurations are completely foreign to me.
[INFO] Installing node version v14.15.4
[INFO] Downloading https://nodejs.org/dist/v14.15.4/node-v14.15.4-linux-x86.tar.gz to /home/scott/.m2/repository/com/github/eirslett/node/14.15.4/node-14.15.4-linux-x86.tar.gz
[INFO] No proxies configured
[INFO] No proxy was configured, downloading directly
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Jenkins main module 2.275-SNAPSHOT:
[INFO]
[INFO] Jenkins main module ................................ SUCCESS [ 4.868 s]
[INFO] Jenkins BOM ........................................ SUCCESS [ 0.156 s]
[INFO] Jenkins cli ........................................ SUCCESS [ 10.285 s]
[INFO] Jenkins core ....................................... SUCCESS [01:12 min]
[INFO] Jenkins war ........................................ FAILURE [ 4.536 s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:35 min
[INFO] Finished at: 2021-01-08T00:47:30-06:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.github.eirslett:frontend-maven-plugin:1.11.0:install-node-and-yarn (install node and yarn) on project jenkins-war: Could not download Node.js: Got error code 404 from the server. -> [Help 1]
I am trying to follow the steps in https://spring.io/guides/gs/spring-boot-for-azure/. Under Config and deploy the app to Azure, when I run the "mvn com.microsoft.azure:azure-webapp-maven-plugin:1.8.0:config" command, the execution starts but doesn't complete. It stops where it is supposed to take user inputs but doesn't accept any values. Please find the execution logs below -
PS C:\Users\rthan\OneDrive\Documents\code\rest-service> mvn com.microsoft.azure:azure-webapp-maven-plugin:1.8.0:config
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------< com.rainbowhomes:rest-service >--------------------
[INFO] Building rest-service 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- azure-webapp-maven-plugin:1.8.0:config (default-cli) # rest-service ---
[WARNING] The plugin may not work if you change the os of an existing webapp.
Define value for OS(Default: Linux):
1. linux [*]
2. windows
3. docker
Not sure what caused the issue, but if you want to deploy a Spring Boot app to Azure, you could refer to this doc, I successfully deployed the application via this doc last time, see this post.