I am having an issue with downloading artifacts via the GitLab API. The problem I am seeing is similar to a few old issues posted on gitlab.com (one such issue is https://gitlab.com/gitlab-org/gitlab/-/issues/29118).
The project I am working on has a self-manged instance of GitLab Enterprise Edition 14.5.3-ee (“Ultimate” level). I am working on a pipeline that uses the built-in GitLab SAST tools, as well as other tools. I am trying to automate retrieval of the reports from the GitLab tools. I am always receive this response when I attempt to retrieve the artifacts:
`{"message":"404 Not found"}`
I first verified there were artifacts generated for the job (XXX represents either a token, domain name, user name, etc. that I cannot reveal). I also verified other information about the job by executing the following command:
curl --location --header "PRIVATE-TOKEN: XXX" "https://www.XXX.com/api/v4/projects/36/jobs/11191"
Result (whitespace added to highlight relevant information):
{"id":11191,
"status":"success",
"stage":"scan-code",
"name":"bandit-sast",
"ref":"main",
"tag":false,"coverage":null,"allow_failure":true,"created_at":"2022-02-03T16:48:24.540Z","started_at":"2022-02-03T16:49:14.588Z","finished_at":"2022-02-03T16:49:20.679Z","duration":6.091013,"queued_duration":11.370536,"user":{"id":20,"username":"XXX","name":"XXX","state":"active","avatar_url":"https://www.XXX.com/uploads/-/system/user/avatar/20/avatar.png","web_url":"https://www.XXX.com/XXX","created_at":"2021-09-08T21:30:38.630Z","bio":"","location":"","public_email":"","skype":"","linkedin":"","twitter":"","website_url":"","organization":"","job_title":"","pronouns":"","bot":false,"work_information":null,"followers":0,"following":0,"local_time":"6:07 PM"},"commit":{"id":"6fba57a20a12bcabb24fc5a1648d8166cfabda5b","short_id":"6fba57a2","created_at":"2022-02-03T16:47:37.000+00:00","parent_ids":["258a03cd8b520cf844b5219e02e970471f480b4f"],"title":"Change output format","message":"Change output format\n","author_name":"XXX","author_email":"XXX@XXX.com","authored_date":"2022-02-03T16:47:37.000+00:00","committer_name":"XXX","committer_email":"XXX@XXX.com","committed_date":"2022-02-03T16:47:37.000+00:00","trailers":{},"web_url":"https://www.XXX.com/XXX/hello-world-pipeline-test-project/-/commit/6fba57a20a12bcabb24fc5a1648d8166cfabda5b"},"pipeline":{"id":842,"project_id":36,"sha":"6fba57a20a12bcabb24fc5a1648d8166cfabda5b","ref":"main","status":"success","source":"push","created_at":"2022-02-03T16:48:24.397Z","updated_at":"2022-02-03T16:53:05.669Z",
"web_url":"https://www.XXX.com/XXX/hello-world-pipeline-test-project/-/pipelines/842"},
"web_url":"https://www.XXX.com/XXX/hello-world-pipeline-test-project/-/jobs/11191",
"artifacts":[
{"file_type":"trace","size":3066,"filename":"job.log","file_format":null},
{"file_type":"sast","size":279,"filename":"gl-sast-report.json","file_format":"raw"}],
"runner":{"id":14,"description":"XXX using executor=docker","ip_address":"XXX","active":true,"is_shared":false,"runner_type":"project_type","name":"gitlab-runner","online":true,"deprecated_rest_status":"online"},"artifacts_expire_at":"2022-03-05T16:49:19.914Z","tag_list":["docker-runner"]}
This output shows:
- project id: 36
- job id: 11191
- pipeline id: 842
- job name: bandit-sast
- reference: main
- artifacts: “job.log” and “gl-sast-report.json”
I can download these artifacts from the Pipeline UI without error, but I need to be able to download the artifacts automatically via the API for automated reporting.
I tried the following two commands (as well as several other variations I saw from reading through other issues). To rule out the token being the issue, I gave the token all privileges at the maintainer level.
curl --location --header "PRIVATE-TOKEN: XXX" "https://www.XXX.com/api/v4/projects/36/jobs/11191/artifacts"
and
curl --location --header "PRIVATE-TOKEN: XXX" "https://www.XXX.com/api/v4/projects/36/jobs/artifacts/main/download?job=bandit-sast"
Both commands returned:
{"message":"404 Not found"}
I focused on the “bandit-sast” job for this posting, but results are similar for other GitLab SAST tools when I tried pulling their artifacts.
Is there something obvious I am missing here? Or is this a know issue that is still being worked?
Thank you.