I’m trying to run a SAST job with a Ruby application. Brakeman appears to run, but there is no table output and the gl-sast-report.json file only contains null.
Here’s the job output:
Running with gitlab-runner 11.7.0-rc1 (6e20bd76)
on docker-auto-scale 72989761
Using Docker executor with image docker:stable ...
Starting service docker:stable-dind ...
Pulling docker image docker:stable-dind ...
Using docker image sha256:dfd9350d475b431e4b9b037fe31f4f0df70d597688776f3b13e273a8c2ecc680 for docker:stable-dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:21df41782cc5884b85b5d32f3d0ec552aaee712e2bd09488ac0a7a36d7d4e4b0 for docker:stable ...
Running on runner-72989761-project-9192232-concurrent-0 via runner-72989761-srm-1547102768-53a79a66...
Cloning repository...
Cloning into '/builds/thed000d/referee_auction'...
Checking out 2adf6556 as master...
Skipping Git submodules setup
$ # Auto DevOps variables and functions # collapsed multi-line command
$ export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
$ docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
Unable to find image 'registry.gitlab.com/gitlab-org/security-products/sast:11-6-stable' locally
11-6-stable: Pulling from gitlab-org/security-products/sast
606553c8bef5: Pulling fs layer
606553c8bef5: Verifying Checksum
606553c8bef5: Download complete
606553c8bef5: Pull complete
Digest: sha256:6f7855efad8d8293daa0149abb06fa21697a1b908b6e82de22409cf3f0166faa
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/sast:11-6-stable
2019/01/10 06:47:17 Copy project directory to containers
2019/01/10 06:47:17 [bandit] Detect project using plugin
2019/01/10 06:47:17 [bandit] Project not compatible
2019/01/10 06:47:17 [brakeman] Detect project using plugin
2019/01/10 06:47:17 [brakeman] Project is compatible
2019/01/10 06:47:17 [brakeman] Starting analyzer...
1: Pulling from gitlab-org/security-products/analyzers/brakeman
bc9ab73e5b14: Pulling fs layer
193a6306c92a: Pulling fs layer
e5c3f8c317dc: Pulling fs layer
a587a86c9dcb: Pulling fs layer
72744d0a318b: Pulling fs layer
31d57ef7a684: Pulling fs layer
4eaef54651ae: Pulling fs layer
9ba5073d9663: Pulling fs layer
720eed968ce7: Pulling fs layer
53035c22e68b: Pulling fs layer
a587a86c9dcb: Waiting
72744d0a318b: Waiting
31d57ef7a684: Waiting
4eaef54651ae: Waiting
9ba5073d9663: Waiting
720eed968ce7: Waiting
53035c22e68b: Waiting
e5c3f8c317dc: Verifying Checksum
e5c3f8c317dc: Download complete
193a6306c92a: Verifying Checksum
193a6306c92a: Download complete
bc9ab73e5b14: Verifying Checksum
bc9ab73e5b14: Download complete
31d57ef7a684: Verifying Checksum
31d57ef7a684: Download complete
4eaef54651ae: Verifying Checksum
4eaef54651ae: Download complete
a587a86c9dcb: Verifying Checksum
a587a86c9dcb: Download complete
720eed968ce7: Verifying Checksum
720eed968ce7: Download complete
9ba5073d9663: Verifying Checksum
9ba5073d9663: Download complete
53035c22e68b: Verifying Checksum
53035c22e68b: Download complete
72744d0a318b: Verifying Checksum
72744d0a318b: Download complete
bc9ab73e5b14: Pull complete
193a6306c92a: Pull complete
e5c3f8c317dc: Pull complete
a587a86c9dcb: Pull complete
72744d0a318b: Pull complete
31d57ef7a684: Pull complete
4eaef54651ae: Pull complete
9ba5073d9663: Pull complete
720eed968ce7: Pull complete
53035c22e68b: Pull complete
Digest: sha256:c54a85a20a9201b3cdf98fc4b840bf1ca933881bdfd887ec36f3a7bcd3f31413
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/brakeman:1
Found project in /tmp/app
Loading scanner...
Processing application in /tmp/app
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
0/8 files processed
1/8 files processed
2/8 files processed
3/8 files processed
4/8 files processed
5/8 files processed
6/8 files processed
7/8 files processed
Processing libs...
0/1 files processed
Processing routes...
Processing templates...
0/1 templates processed
Processing data flow in templates...
0/1 templates processed
Processing models...
0/10 files processed
1/10 files processed
2/10 files processed
3/10 files processed
4/10 files processed
5/10 files processed
6/10 files processed
7/10 files processed
8/10 files processed
9/10 files processed
Processing controllers...
0/6 files processed
1/6 files processed
2/6 files processed
3/6 files processed
4/6 files processed
5/6 files processed
Processing data flow in controllers...
0/6 controllers processed
1/6 controllers processed
2/6 controllers processed
3/6 controllers processed
4/6 controllers processed
5/6 controllers processed
Indexing call sites...
Running checks in parallel...
- CheckBasicAuth
- CheckBasicAuthTimingAttack
- CheckCrossSiteScripting
- CheckContentTag
- CheckCreateWith
- CheckDefaultRoutes
- CheckDeserialize
- CheckDetailedExceptions
- CheckDigestDoS
- CheckDynamicFinders
- CheckEscapeFunction
- CheckEvaluation
- CheckExecute
- CheckFileAccess
- CheckFileDisclosure
- CheckFilterSkipping
- CheckForgerySetting
- CheckHeaderDoS
- CheckI18nXSS
- CheckJRubyXML
- CheckJSONEncoding
- CheckJSONParsing
- CheckLinkTo
- CheckLinkToHref
- CheckMailTo
- CheckMassAssignment
- CheckMimeTypeDoS
- CheckModelAttrAccessible
- CheckModelAttributes
- CheckModelSerialize
- CheckNestedAttributes
- CheckNestedAttributesBypass
- CheckNumberToCurrency
- CheckPermitAttributes
- CheckQuoteTableName
- CheckRedirect
- CheckRegexDoS
- CheckRender
- CheckRenderDoS
- CheckRenderInline
- CheckResponseSplitting
- CheckRouteDoS
- CheckSafeBufferManipulation
- CheckSanitizeMethods
- CheckSelectTag
- CheckSelectVulnerability
- CheckSend
- CheckSendFile
- CheckSessionManipulation
- CheckSessionSettings
- CheckSimpleFormat
- CheckSingleQuotes
- CheckSkipBeforeFilter
- CheckSQL
- CheckSQLCVEs
- CheckSSLVerify
- CheckStripTags
- CheckSymbolDoSCVE
- CheckTranslateBug
- CheckUnsafeReflection
- CheckValidationRegex
- CheckWithoutProtection
- CheckXMLDoS
- CheckYAMLParsing
Checks finished, collecting results...
Generating report...
Report saved in '/tmp/brakeman.json'
2019/01/10 06:47:44 [gosec] Detect project using plugin
2019/01/10 06:47:44 [gosec] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs-gradle] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs-gradle] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs-sbt] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs-sbt] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs-groovy] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs-groovy] Project not compatible
2019/01/10 06:47:44 [flawfinder] Detect project using plugin
2019/01/10 06:47:44 [flawfinder] Project not compatible
2019/01/10 06:47:44 [phpcs-security-audit] Detect project using plugin
2019/01/10 06:47:44 [phpcs-security-audit] Project not compatible
2019/01/10 06:47:44 [security-code-scan] Detect project using plugin
2019/01/10 06:47:44 [security-code-scan] Project not compatible
2019/01/10 06:47:44 [nodejs-scan] Detect project using plugin
2019/01/10 06:47:44 [nodejs-scan] Project not compatible
+----------------------------------------------------------------------------------------+
| Severity | Tool | Location |
+----------------------------------------------------------------------------------------+
Uploading artifacts...
gl-sast-report.json: found 1 matching files
Uploading artifacts to coordinator... ok id=143835025 responseStatus=201 Created token=VFGxNN6x
Job succeeded
And the configuration in my .gitlab-ci.yml file:
sast:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    paths: [gl-sast-report.json]
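The failure mode in the post is easy to miss: the job reports "Job succeeded", the artifact is uploaded, and only the merge-request widget reveals that gl-sast-report.json holds a literal null. The following is an added example, not code from the original post or from GitLab's SAST image, of a small check that can run as a final script step before the artifact is uploaded. It assumes the report is either a bare JSON array of findings or an object with a "vulnerabilities" list; the sample reports, file paths and finding names embedded below are constructed for illustration.

```python
import json
import sys
from typing import Any, Dict, List

# Constructed sample artifacts (not from the original post): the broken case
# the question describes, an empty-but-valid report, and a populated one.
# The object/array shapes are an assumption about the GitLab SAST format.
NULL_REPORT = "null\n"
EMPTY_OBJECT_REPORT = '{"version": "2.0", "vulnerabilities": []}'
POPULATED_REPORT = json.dumps({
    "version": "2.0",
    "vulnerabilities": [
        {"category": "sast", "name": "Cross-Site Scripting", "severity": "High",
         "confidence": "Medium", "scanner": {"id": "brakeman"},
         "location": {"file": "app/views/auctions/show.html.erb", "start_line": 12}},
        {"category": "sast", "name": "Mass Assignment", "severity": "Medium",
         "confidence": "High", "scanner": {"id": "brakeman"},
         "location": {"file": "app/controllers/bids_controller.rb", "start_line": 40}},
    ],
})


class InvalidSastReport(ValueError):
    """Raised when the artifact is not a usable SAST report."""


def parse_sast_report(text: str) -> List[Dict[str, Any]]:
    """Return the list of findings or raise InvalidSastReport.

    Accepts a bare JSON array of findings or an object carrying a
    "vulnerabilities" list (assumed shapes). Empty text, a literal null
    and any other shape are rejected so the pipeline fails loudly instead
    of uploading an artifact the merge-request widget cannot display.
    """
    if not text.strip():
        raise InvalidSastReport("report file is empty")
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise InvalidSastReport(f"report is not valid JSON: {exc}") from exc
    if data is None:
        raise InvalidSastReport("report is literally null: analyzer output was not collected")
    if isinstance(data, list):
        return data
    if isinstance(data, dict) and isinstance(data.get("vulnerabilities"), list):
        return data["vulnerabilities"]
    raise InvalidSastReport(f"unexpected report shape: {type(data).__name__}")


def summarize(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count findings per severity, like the Severity column of the job-log table."""
    counts: Dict[str, int] = {}
    for finding in findings:
        severity = str(finding.get("severity", "Unknown"))
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def check_report_text(text: str) -> int:
    """Return a CI exit code: 0 for a parseable report, 2 for an unusable artifact."""
    try:
        findings = parse_sast_report(text)
    except InvalidSastReport as exc:
        print(f"gl-sast-report.json unusable: {exc}")
        return 2
    print(f"{len(findings)} finding(s)")
    for severity, count in sorted(summarize(findings).items()):
        print(f"  {severity}: {count}")
    return 0


if __name__ == "__main__":
    # With a path argument, check that file (e.g. the job's gl-sast-report.json);
    # without one, walk the constructed samples to show each outcome.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(check_report_text(fh.read()))
    for label, sample in (("null", NULL_REPORT), ("empty", EMPTY_OBJECT_REPORT),
                          ("populated", POPULATED_REPORT)):
        print(f"--- {label} sample: exit {check_report_text(sample)}")
```

Used as `python3 check_sast_report.py gl-sast-report.json` as the last script line of the job, it turns a silently empty artifact into a visible failure; with `allow_failure: true` kept as in the post, the pipeline still passes but the job is marked as failed, which is what you want while the underlying analyzer problem is being tracked down.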