API Call to projects/##/jobs/##/artifacts returning 404 error

I am having an issue with downloading artifacts via the GitLab API. The problem I am seeing is similar to a few old issues posted on gitlab.com (one such issue is https://gitlab.com/gitlab-org/gitlab/-/issues/29118).

The project I am working on has a self-manged instance of GitLab Enterprise Edition 14.5.3-ee (“Ultimate” level). I am working on a pipeline that uses the built-in GitLab SAST tools, as well as other tools. I am trying to automate retrieval of the reports from the GitLab tools. I am always receive this response when I attempt to retrieve the artifacts:

`{"message":"404 Not found"}`

I first verified there were artifacts generated for the job (XXX represents either a token, domain name, user name, etc. that I cannot reveal). I also verified other information about the job by executing the following command:

curl --location --header "PRIVATE-TOKEN: XXX" "https://www.XXX.com/api/v4/projects/36/jobs/11191"

Result (whitespace added to highlight relevant information):

{"id":11191,
 "status":"success",
 "stage":"scan-code",
 "name":"bandit-sast",
 "ref":"main",

"tag":false,"coverage":null,"allow_failure":true,"created_at":"2022-02-03T16:48:24.540Z","started_at":"2022-02-03T16:49:14.588Z","finished_at":"2022-02-03T16:49:20.679Z","duration":6.091013,"queued_duration":11.370536,"user":{"id":20,"username":"XXX","name":"XXX","state":"active","avatar_url":"https://www.XXX.com/uploads/-/system/user/avatar/20/avatar.png","web_url":"https://www.XXX.com/XXX","created_at":"2021-09-08T21:30:38.630Z","bio":"","location":"","public_email":"","skype":"","linkedin":"","twitter":"","website_url":"","organization":"","job_title":"","pronouns":"","bot":false,"work_information":null,"followers":0,"following":0,"local_time":"6:07 PM"},"commit":{"id":"6fba57a20a12bcabb24fc5a1648d8166cfabda5b","short_id":"6fba57a2","created_at":"2022-02-03T16:47:37.000+00:00","parent_ids":["258a03cd8b520cf844b5219e02e970471f480b4f"],"title":"Change output format","message":"Change output format\n","author_name":"XXX","author_email":"XXX@XXX.com","authored_date":"2022-02-03T16:47:37.000+00:00","committer_name":"XXX","committer_email":"XXX@XXX.com","committed_date":"2022-02-03T16:47:37.000+00:00","trailers":{},"web_url":"https://www.XXX.com/XXX/hello-world-pipeline-test-project/-/commit/6fba57a20a12bcabb24fc5a1648d8166cfabda5b"},"pipeline":{"id":842,"project_id":36,"sha":"6fba57a20a12bcabb24fc5a1648d8166cfabda5b","ref":"main","status":"success","source":"push","created_at":"2022-02-03T16:48:24.397Z","updated_at":"2022-02-03T16:53:05.669Z",

"web_url":"https://www.XXX.com/XXX/hello-world-pipeline-test-project/-/pipelines/842"},
"web_url":"https://www.XXX.com/XXX/hello-world-pipeline-test-project/-/jobs/11191",

"artifacts":[
   {"file_type":"trace","size":3066,"filename":"job.log","file_format":null},
   {"file_type":"sast","size":279,"filename":"gl-sast-report.json","file_format":"raw"}],

"runner":{"id":14,"description":"XXX using executor=docker","ip_address":"XXX","active":true,"is_shared":false,"runner_type":"project_type","name":"gitlab-runner","online":true,"deprecated_rest_status":"online"},"artifacts_expire_at":"2022-03-05T16:49:19.914Z","tag_list":["docker-runner"]}

This output shows:

  • project id: 36
  • job id: 11191
  • pipeline id: 842
  • job name: bandit-sast
  • reference: main
  • artifacts: “job.log” and “gl-sast-report.json”

I can download these artifacts from the Pipeline UI without error, but I need to be able to download the artifacts automatically via the API for automated reporting.

I tried the following two commands (as well as several other variations I saw from reading through other issues). To rule out the token being the issue, I gave the token all privileges at the maintainer level.

curl --location --header "PRIVATE-TOKEN: XXX" "https://www.XXX.com/api/v4/projects/36/jobs/11191/artifacts"

and

curl --location --header "PRIVATE-TOKEN: XXX" "https://www.XXX.com/api/v4/projects/36/jobs/artifacts/main/download?job=bandit-sast"

Both commands returned:

{"message":"404 Not found"}

I focused on the “bandit-sast” job for this posting, but results are similar for other GitLab SAST tools when I tried pulling their artifacts.

Is there something obvious I am missing here? Or is this a know issue that is still being worked?

Thank you.

I submitted a ticket to GitLab. They determined what I was seeing was most likely a bug and they have opened issue 352644. Link: https://gitlab.com/gitlab-org/gitlab/-/issues/352644