Problem to solve
When activating the SAST scanning policy, two Maven dependency scanners are initiated:

- gemnasium-maven-dependency_scanning
- gemnasium-maven-dependency-scanning-3
For the first scanner (gemnasium-maven-dependency_scanning), the before_script executes successfully, setting up the necessary Maven settings file using the custom script:

```yaml
gemnasium-maven-dependency_scanning:
  before_script:
    - source <(curl -s https://some.url.com/mvn-create-settings.bash)

gemnasium-maven-dependency-scanning-3:
  before_script:
    - source <(curl -s https://some.url.com/mvn-create-settings.bash)
```
However, for the second scanner (gemnasium-maven-dependency-scanning-3), the before_script does not execute as expected. This results in the Maven settings file not being correctly configured, leading to the following error during execution:

```
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
Executing "step_script" stage of the job script
$ /analyzer run
Using java version 'adoptopenjdk-17.0.8+101'
```
Interestingly, if the before_script is defined at the top level, both scanners execute correctly. However, this approach is undesirable as it forces the before_script to run for all jobs, not just the dependency scanning jobs.
The goal is to ensure that the before_script runs correctly for both Maven dependency scanners without applying it to all jobs in the pipeline.
Steps to reproduce
- Configure SAST Scanning Policy:
  - Activate the SAST scanning policy in your GitLab CI/CD pipeline.
  - This activation initiates two Maven dependency scanners: gemnasium-maven-dependency_scanning and gemnasium-maven-dependency-scanning-3.
- Set Up before_script for Scanners:
  - For gemnasium-maven-dependency_scanning, add the following before_script to generate the Maven settings file:

    ```yaml
    gemnasium-maven-dependency_scanning:
      before_script:
        - 'echo "Running job: |$CI_JOB_NAME|"'
    ```

  - For gemnasium-maven-dependency-scanning-3, attempt to comment out the before_script and replace it with a comment:

    ```yaml
    gemnasium-maven-dependency-scanning-3:
      before_script:
        - 'echo "Running job: |$CI_JOB_NAME|"'
    ```

- Run the Pipeline:
  - Execute the CI/CD pipeline and observe the behavior of both scanners.
  - Notice that while the first scanner runs successfully, the second scanner fails due to the missing Maven settings configuration.
- Alternative Approach:
  - Move the before_script to the top level of the CI configuration:

    ```yaml
    before_script:
      - 'echo "Running job: |$CI_JOB_NAME|"'
    ```

  - Run the pipeline again to confirm that both scanners execute successfully.
  - However, this approach applies the before_script to all jobs, which is not desirable.
- Expected Behavior:
  - Both Maven dependency scanners should execute successfully with their respective configurations without requiring the before_script to be globally applied to all jobs.
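One way to get the expected behaviour with the top-level before_script the issue already found to work, as an added example that is not from the issue or from GitLab's own templates: the script is a no-op unless CI_JOB_NAME is one of the two scanner jobs, so every other job pays nothing. The job-name gate is the point; the settings.xml body and the MAVEN_REPO_USER / MAVEN_REPO_TOKEN variable names are constructed stand-ins for whatever mvn-create-settings.bash actually writes.

```shell
#!/bin/sh
# Added example: gate Maven settings setup on CI_JOB_NAME so a top-level
# before_script only does work for the two gemnasium-maven jobs.
# Intended to be called as `- sh ci/mvn-setup.sh` (path assumed).

# Returns 0 when the job name is one of the two Maven dependency scanners
# (note the underscore in the first name and the hyphen in the second).
is_maven_ds_job() {
  case "$1" in
    gemnasium-maven-dependency_scanning|gemnasium-maven-dependency-scanning-3) return 0 ;;
    *) return 1 ;;
  esac
}

# Writes settings.xml into directory $2 for job $1; does nothing for other jobs.
# The <server> block is a constructed stand-in for the real settings script;
# credentials come from masked CI variables (assumed names MAVEN_REPO_USER/_TOKEN)
# and are never echoed.
write_maven_settings() {
  job="$1"; dir="$2"
  is_maven_ds_job "$job" || return 0   # not a scanner job: no-op
  mkdir -p "$dir"
  cat > "$dir/settings.xml" <<EOF
<settings>
  <servers>
    <server>
      <id>internal-repo</id>
      <username>${MAVEN_REPO_USER:-}</username>
      <password>${MAVEN_REPO_TOKEN:-}</password>
    </server>
  </servers>
</settings>
EOF
  chmod 600 "$dir/settings.xml"        # file holds a credential; owner-only
  echo "Maven settings written for job: |$job|"
}

# Inside a GitLab job the runner sets CI_JOB_NAME; Maven reads ~/.m2/settings.xml.
if [ -n "${CI_JOB_NAME:-}" ]; then
  write_maven_settings "$CI_JOB_NAME" "${MAVEN_SETTINGS_DIR:-$HOME/.m2}"
fi
```

Because the gate is on the job name rather than on job-level YAML, it also covers jobs injected by the scan execution policy, which is the case the job-level before_script did not reach.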
Configuration
```yaml
name: Scan Everything
description: We test to run all of the scanners by default to learn.
enabled: true
actions:
  - scan: secret_detection
  - scan: sast
  - scan: container_scanning
  - scan: container_scanning
  - scan: dependency_scanning
rules:
  - type: pipeline
    branch_type: all
  - type: schedule
    cadence: 0 0 * * 6
    branch_type: all
    timezone: Europe/Stockholm
policy_scope:
  projects:
    excluding: []
```
Versions
Please check whether options apply, and add the version information.
- Self-managed
- GitLab.com SaaS
- Dedicated
- Self-hosted Runners
Versions
- GitLab (Web: `/help` or self-managed system information `sudo gitlab-rake gitlab:env:info`):
- GitLab Runner, if self-hosted (Web `/admin/runners` or CLI `gitlab-runner --version`):