Fix git certificate error when using ADDITIONAL_CA_CERT_BUNDLE

Adam Cohen requested to merge 334999-override-ssl-cert-location into master

What does this MR do?

This MR fixes a bug that occurs when running gemnasium after configuring ADDITIONAL_CA_CERT_BUNDLE to any valid certificate which does not belong to gitlab.com.

Testing

Before Change:

Analyzer fails with exit status 128:

git clone git@gitlab.com:gitlab-org/security-products/tests/js-npm.git

docker run -it --rm -v "$PWD/js-npm":/tmp/app \
   -e SECURE_LOG_LEVEL=debug \
   -e ADDITIONAL_CA_CERT_BUNDLE="$(true | openssl s_client -connect google.com:443 -servername google.com 2>/dev/null | openssl x509)" \
   -e CI_PROJECT_DIR=/tmp/app \
   registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
[INFO] [Gemnasium] [2021-12-09T08:40:47Z] ▶ GitLab Gemnasium analyzer v2.29.8
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ scanning directory: .
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ skip ignored directory: .git
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ electing npm for npm based on lock file package-lock.json
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ rejecting package.json as handled by yarn
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ electing npm for npm based on lock file package-lock.json
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ rejecting package.json as handled by yarn
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ scanning directory: qa
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ scanning directory: qa/expect
[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ /usr/bin/git -C /gemnasium-db remote set-url origin https://gitlab.com/gitlab-org/security-products/gemnasium-db.git

[DEBU] [Gemnasium] [2021-12-09T08:40:47Z] ▶ /usr/bin/git -C /gemnasium-db fetch --force --tags origin master
fatal: unable to access 'https://gitlab.com/gitlab-org/security-products/gemnasium-db.git/': SSL certificate problem: unable to get local issuer certificate

exit status 128

After Change:

Analyzer succeeds:

git clone git@gitlab.com:gitlab-org/security-products/tests/js-npm.git

docker run -it --rm -v "$PWD/js-npm":/tmp/app \
   -e SECURE_LOG_LEVEL=debug \
   -e ADDITIONAL_CA_CERT_BUNDLE="$(true | openssl s_client -connect google.com:443 -servername google.com 2>/dev/null | openssl x509)" \
   -e CI_PROJECT_DIR=/tmp/app \
   registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp:d3ebc575657cd144809bfabe8f15763af0eb3dbc
Unable to find image 'registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp:d3ebc575657cd144809bfabe8f15763af0eb3dbc' locally
d3ebc575657cd144809bfabe8f15763af0eb3dbc: Pulling from gitlab-org/security-products/analyzers/gemnasium/tmp
Digest: sha256:dd8d9eef5d276ac503ca888c241166452314b4e43c655fdc08e1c6ffe5ae2ee8
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp:d3ebc575657cd144809bfabe8f15763af0eb3dbc
[INFO] [Gemnasium] [2021-12-09T08:41:40Z] ▶ GitLab Gemnasium analyzer v2.30.2
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ inspect directory: .
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ skip ignored directory: .git
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ electing npm for npm based on lock file package-lock.json
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ rejecting package.json as handled by yarn
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ electing npm for npm based on lock file package-lock.json
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ rejecting package.json as handled by yarn
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ inspect directory: qa
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ inspect directory: qa/expect
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ skip sub-directories
[DEBU] [Gemnasium] [2021-12-09T08:41:40Z] ▶ /usr/bin/git -C /gemnasium-db remote set-url origin https://gitlab.com/gitlab-org/security-products/gemnasium-db.git

[DEBU] [Gemnasium] [2021-12-09T08:41:41Z] ▶ /usr/bin/git -C /gemnasium-db fetch --force --tags origin master
From https://gitlab.com/gitlab-org/security-products/gemnasium-db
 * branch                master     -> FETCH_HEAD

[DEBU] [Gemnasium] [2021-12-09T08:41:41Z] ▶ /usr/bin/git -C /gemnasium-db checkout master
Already on 'master'
Your branch is up to date with 'origin/master'.

[DEBU] [Gemnasium] [2021-12-09T08:41:41Z] ▶ /usr/bin/git -C /gemnasium-db symbolic-ref -q HEAD
[DEBU] [Gemnasium] [2021-12-09T08:41:41Z] ▶ /usr/bin/git -C /gemnasium-db reset --hard origin/master
HEAD is now at e208e0f84 Merge branch 'CVE-2019-17495' into 'master'

[DEBU] [Gemnasium] [2021-12-09T08:41:41Z] ▶ /usr/bin/git -C /gemnasium-db rev-parse HEAD
e208e0f84ae139db57be5c8defdd10d5ea03cf4d

[INFO] [Gemnasium] [2021-12-09T08:41:41Z] ▶ Using commit e208e0f84ae139db57be5c8defdd10d5ea03cf4d
 of vulnerability database

[DEBU] [Gemnasium] [2021-12-09T08:41:42Z] ▶ /usr/bin/git -C /tmp/app status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean

[INFO] [Gemnasium] [2021-12-09T08:41:42Z] ▶ Cannot auto-remediate dependency file, not supported: package-lock.json

What are the relevant issue numbers?

gitlab-org/gitlab#334999 (closed)

Does this MR meet the acceptance criteria?

Edited by Adam Cohen
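The "Before" log fails on the fetch from gitlab.com with "unable to get local issuer certificate" right after a non-gitlab.com certificate was supplied, which is what happens when git is pointed at the additional bundle alone and the system CA store drops out of the trust path. As an added example (not the analyzer's or this MR's own code, and that root-cause reading is an assumption drawn from the log), the POSIX shell below appends the value of ADDITIONAL_CA_CERT_BUNDLE to the system bundle and hands git the merged file; the paths and function names are hypothetical.

```shell
# Added example, not the analyzer's own code. Assumption: the "Before" failure
# comes from git trusting only the additional bundle; the safe pattern is to
# append the extra CA to the system bundle and point git at the merged file.
# Paths and function names below are hypothetical.

# is_pem_bundle FILE: succeed only if FILE contains at least one PEM certificate
is_pem_bundle() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# count_certs FILE: number of PEM certificates in FILE (prints 0 if none)
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# merge_ca_bundles SYSTEM EXTRA OUT: write OUT = SYSTEM bundle + EXTRA, where
# EXTRA is the literal PEM text held in ADDITIONAL_CA_CERT_BUNDLE. SYSTEM is
# never replaced, so the public CA chain behind gitlab.com stays trusted.
# Non-PEM EXTRA is rejected and no partial OUT is left behind.
merge_ca_bundles() {
  sys="$1"; extra="$2"; out="$3"
  is_pem_bundle "$sys" || { echo "system bundle is not PEM: $sys" >&2; return 1; }
  if [ -z "$extra" ]; then
    cp "$sys" "$out"
    return 0
  fi
  printf '%s\n' "$extra" > "$out.extra"
  if ! is_pem_bundle "$out.extra"; then
    echo "ADDITIONAL_CA_CERT_BUNDLE is not a PEM certificate" >&2
    rm -f "$out.extra"
    return 1
  fi
  cat "$sys" "$out.extra" > "$out"
  rm -f "$out.extra"
}

# configure_git_ca OUT: make git use the merged bundle for every HTTPS remote
# (same effect as exporting GIT_SSL_CAINFO); requires git to be installed.
configure_git_ca() {
  git config --global http.sslCAInfo "$1"
}
```

Run `merge_ca_bundles /etc/ssl/certs/ca-certificates.crt "$ADDITIONAL_CA_CERT_BUNDLE" /tmp/merged-ca.pem` followed by `configure_git_ca /tmp/merged-ca.pem` before the analyzer invokes git; the system bundle path varies by base image.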
