Security templates pull in latest analyzers, ignoring major
Problem to solve
Our security templates are currently configured to pass SAST_ANALYZER_IMAGE_TAG if defined. However, this does not appear to work correctly: it overrides the predefined SAST_ANALYZER_IMAGE_TAG configuration defined within our wrapper project pipelines (https://gitlab.com/gitlab-org/security-products/sast/blob/master/.gitlab-ci.yml#L101). This effectively means that our templates are running off master instead of our major releases.
Expected behavior (pulls gosec:2)
❯ docker run \
> --interactive --tty --rm \
> --volume "$PWD":/code \
> --volume /var/run/docker.sock:/var/run/docker.sock \
> registry.gitlab.com/gitlab-org/security-products/sast:${VERSION:-latest} /app/bin/run /code
2019/03/26 17:29:07 Copy project directory to containers
2019/03/26 17:29:07 [bandit] Detect project using plugin
2019/03/26 17:29:07 [bandit] Project not compatible
2019/03/26 17:29:07 [brakeman] Detect project using plugin
2019/03/26 17:29:07 [brakeman] Project not compatible
2019/03/26 17:29:07 [eslint] Detect project using plugin
2019/03/26 17:29:07 [eslint] Project not compatible
2019/03/26 17:29:07 [find-sec-bugs] Detect project using plugin
2019/03/26 17:29:07 [find-sec-bugs] Project not compatible
2019/03/26 17:29:07 [find-sec-bugs-gradle] Detect project using plugin
2019/03/26 17:29:07 [find-sec-bugs-gradle] Project not compatible
2019/03/26 17:29:07 [find-sec-bugs-groovy] Detect project using plugin
2019/03/26 17:29:07 [find-sec-bugs-groovy] Project not compatible
2019/03/26 17:29:07 [find-sec-bugs-sbt] Detect project using plugin
2019/03/26 17:29:07 [find-sec-bugs-sbt] Project not compatible
2019/03/26 17:29:07 [flawfinder] Detect project using plugin
2019/03/26 17:29:07 [flawfinder] Project not compatible
2019/03/26 17:29:07 [gosec] Detect project using plugin
2019/03/26 17:29:07 [gosec] Project is compatible
2019/03/26 17:29:07 [gosec] Starting analyzer...
2: Pulling from gitlab-org/security-products/analyzers/gosec
Digest: sha256:b88d41c7254428b7917baa8bbda2a4f5edb01407a711383117e49d94cad749d7
Status: Image is up to date for registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:2
...
Unexpected template behavior (pulls gosec:latest)
❯ docker run \
> --env SAST_ANALYZER_IMAGES \
> --env SAST_ANALYZER_IMAGE_PREFIX \
> --env SAST_ANALYZER_IMAGE_TAG \
> --env SAST_DEFAULT_ANALYZERS \
> --env SAST_BRAKEMAN_LEVEL \
> --env SAST_GOSEC_LEVEL \
> --env SAST_FLAWFINDER_LEVEL \
> --env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
> --env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
> --env SAST_RUN_ANALYZER_TIMEOUT \
> --volume "$PWD:/code" \
> --volume /var/run/docker.sock:/var/run/docker.sock \
> "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
2019/03/26 17:30:53 Copy project directory to containers
2019/03/26 17:30:53 [bandit] Detect project using plugin
2019/03/26 17:30:53 [bandit] Project not compatible
2019/03/26 17:30:53 [brakeman] Detect project using plugin
2019/03/26 17:30:53 [brakeman] Project not compatible
2019/03/26 17:30:53 [eslint] Detect project using plugin
2019/03/26 17:30:53 [eslint] Project not compatible
2019/03/26 17:30:53 [flawfinder] Detect project using plugin
2019/03/26 17:30:53 [flawfinder] Project not compatible
2019/03/26 17:30:53 [gosec] Detect project using plugin
2019/03/26 17:30:53 [gosec] Project is compatible
2019/03/26 17:30:53 [gosec] Starting analyzer...
latest: Pulling from gitlab-org/security-products/analyzers/gosec
Digest: sha256:b88d41c7254428b7917baa8bbda2a4f5edb01407a711383117e49d94cad749d7
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:latest
...
The expected behavior can be achieved by dropping --env SAST_ANALYZER_IMAGE_TAG from the templated configuration.
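The mechanism behind the two runs above: `docker run --env NAME` with no value forwards the value NAME has in the job shell, and when NAME is unset there docker removes the variable from the container, which discards the wrapper image's Dockerfile ENV default and leaves the wrapper falling back to `latest`. The helper below is an added example, not the SAST project's own template code; it emits `--env NAME` only for variables that are actually set and non-empty in the job shell, so the Dockerfile pin survives while an explicit override is still honoured. The variable names and the docker run shape are taken from the page; treating an empty value as "not overridden" is an assumption.

```sh
# Added example, not the vendored template: build the --env list for the wrapper
# container from only those variables the pipeline actually defines (non-empty).
# Forwarding an unset name with "--env NAME" would make docker drop the image's
# Dockerfile ENV default (e.g. SAST_ANALYZER_IMAGE_TAG=2), which is the bug on this page.
sast_env_args() {
  args=""
  for name in "$@"; do
    # Indirect lookup that stays POSIX sh (no bash-only ${!name}).
    eval "value=\${$name:-}"
    if [ -n "$value" ]; then
      args="$args --env $name"
    fi
  done
  # Print the flags without the leading space.
  printf '%s' "${args# }"
}

# Case 1: nothing overridden in the job -> no flags, the Dockerfile pin stays (gosec:2).
unset SAST_ANALYZER_IMAGE_TAG SAST_DEFAULT_ANALYZERS
echo "no overrides: [$(sast_env_args SAST_ANALYZER_IMAGE_TAG SAST_DEFAULT_ANALYZERS)]"

# Case 2: a pipeline explicitly pins a tag -> only that variable is forwarded.
SAST_ANALYZER_IMAGE_TAG=2
export SAST_ANALYZER_IMAGE_TAG
echo "tag override: [$(sast_env_args SAST_ANALYZER_IMAGE_TAG SAST_DEFAULT_ANALYZERS)]"

# Constructed job-script usage (assumes the wrapper accepts the same variables as
# the page's docker run invocation; not executed here):
# docker run --rm $(sast_env_args SAST_ANALYZER_IMAGE_TAG SAST_DEFAULT_ANALYZERS) \
#   --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock \
#   "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
```

To confirm what the wrapper actually received, run the image with `env` instead of `/app/bin/run` and check whether SAST_ANALYZER_IMAGE_TAG is present and pinned.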
Permissions and Security
No permission changes
What does success look like, and how can we measure that?
Our templated jobs should be pinned to $MAJOR tool versions but respect overriding of SAST_ANALYZER_IMAGE_TAG.
Links / references
Execution
- Fix the resetting of Dockerfile env vars in CI vendored template SAST
- Fix the resetting of Dockerfile env vars in CI vendored template Dependency Scanning
Edited by Victor Zagorodny