SAST artifact is 'null'


#1

I’m trying to run a SAST job with a Ruby application. Brakeman appears to run, but there is no table output and the gl-sast-report.json file only contains null.

Here’s the job output:

Running with gitlab-runner 11.7.0-rc1 (6e20bd76)
  on docker-auto-scale 72989761
Using Docker executor with image docker:stable ...
Starting service docker:stable-dind ...
Pulling docker image docker:stable-dind ...
Using docker image sha256:dfd9350d475b431e4b9b037fe31f4f0df70d597688776f3b13e273a8c2ecc680 for docker:stable-dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:21df41782cc5884b85b5d32f3d0ec552aaee712e2bd09488ac0a7a36d7d4e4b0 for docker:stable ...
Running on runner-72989761-project-9192232-concurrent-0 via runner-72989761-srm-1547102768-53a79a66...
Cloning repository...
Cloning into '/builds/thed000d/referee_auction'...
Checking out 2adf6556 as master...
Skipping Git submodules setup
$ # Auto DevOps variables and functions # collapsed multi-line command
$ export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
$ docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" --volume "$PWD:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
Unable to find image 'registry.gitlab.com/gitlab-org/security-products/sast:11-6-stable' locally
11-6-stable: Pulling from gitlab-org/security-products/sast
606553c8bef5: Pulling fs layer
606553c8bef5: Verifying Checksum
606553c8bef5: Download complete
606553c8bef5: Pull complete
Digest: sha256:6f7855efad8d8293daa0149abb06fa21697a1b908b6e82de22409cf3f0166faa
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/sast:11-6-stable
2019/01/10 06:47:17 Copy project directory to containers
2019/01/10 06:47:17 [bandit] Detect project using plugin
2019/01/10 06:47:17 [bandit] Project not compatible
2019/01/10 06:47:17 [brakeman] Detect project using plugin
2019/01/10 06:47:17 [brakeman] Project is compatible
2019/01/10 06:47:17 [brakeman] Starting analyzer...
1: Pulling from gitlab-org/security-products/analyzers/brakeman
bc9ab73e5b14: Pulling fs layer
193a6306c92a: Pulling fs layer
e5c3f8c317dc: Pulling fs layer
a587a86c9dcb: Pulling fs layer
72744d0a318b: Pulling fs layer
31d57ef7a684: Pulling fs layer
4eaef54651ae: Pulling fs layer
9ba5073d9663: Pulling fs layer
720eed968ce7: Pulling fs layer
53035c22e68b: Pulling fs layer
a587a86c9dcb: Waiting
72744d0a318b: Waiting
31d57ef7a684: Waiting
4eaef54651ae: Waiting
9ba5073d9663: Waiting
720eed968ce7: Waiting
53035c22e68b: Waiting
e5c3f8c317dc: Verifying Checksum
e5c3f8c317dc: Download complete
193a6306c92a: Verifying Checksum
193a6306c92a: Download complete
bc9ab73e5b14: Verifying Checksum
bc9ab73e5b14: Download complete
31d57ef7a684: Verifying Checksum
31d57ef7a684: Download complete
4eaef54651ae: Verifying Checksum
4eaef54651ae: Download complete
a587a86c9dcb: Verifying Checksum
a587a86c9dcb: Download complete
720eed968ce7: Verifying Checksum
720eed968ce7: Download complete
9ba5073d9663: Verifying Checksum
9ba5073d9663: Download complete
53035c22e68b: Verifying Checksum
53035c22e68b: Download complete
72744d0a318b: Verifying Checksum
72744d0a318b: Download complete
bc9ab73e5b14: Pull complete
193a6306c92a: Pull complete
e5c3f8c317dc: Pull complete
a587a86c9dcb: Pull complete
72744d0a318b: Pull complete
31d57ef7a684: Pull complete
4eaef54651ae: Pull complete
9ba5073d9663: Pull complete
720eed968ce7: Pull complete
53035c22e68b: Pull complete
Digest: sha256:c54a85a20a9201b3cdf98fc4b840bf1ca933881bdfd887ec36f3a7bcd3f31413
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/brakeman:1
Found project in /tmp/app
Loading scanner...
Processing application in /tmp/app
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
 0/8 files processed
 1/8 files processed
 2/8 files processed
 3/8 files processed
 4/8 files processed
 5/8 files processed
 6/8 files processed
 7/8 files processed
Processing libs...
 0/1 files processed
Processing routes...          
Processing templates...       
 0/1 templates processed
Processing data flow in templates...
 0/1 templates processed
Processing models...          
 0/10 files processed
 1/10 files processed
 2/10 files processed
 3/10 files processed
 4/10 files processed
 5/10 files processed
 6/10 files processed
 7/10 files processed
 8/10 files processed
 9/10 files processed
Processing controllers...     
 0/6 files processed
 1/6 files processed
 2/6 files processed
 3/6 files processed
 4/6 files processed
 5/6 files processed
Processing data flow in controllers...
 0/6 controllers processed
 1/6 controllers processed
 2/6 controllers processed
 3/6 controllers processed
 4/6 controllers processed
 5/6 controllers processed
Indexing call sites...        
Running checks in parallel...
 - CheckBasicAuth
 - CheckBasicAuthTimingAttack
 - CheckCrossSiteScripting
 - CheckContentTag
 - CheckCreateWith
 - CheckDefaultRoutes
 - CheckDeserialize
 - CheckDetailedExceptions
 - CheckDigestDoS
 - CheckDynamicFinders
 - CheckEscapeFunction
 - CheckEvaluation
 - CheckExecute
 - CheckFileAccess
 - CheckFileDisclosure
 - CheckFilterSkipping
 - CheckForgerySetting
 - CheckHeaderDoS
 - CheckI18nXSS
 - CheckJRubyXML
 - CheckJSONEncoding
 - CheckJSONParsing
 - CheckLinkTo
 - CheckLinkToHref
 - CheckMailTo
 - CheckMassAssignment
 - CheckMimeTypeDoS
 - CheckModelAttrAccessible
 - CheckModelAttributes
 - CheckModelSerialize
 - CheckNestedAttributes
 - CheckNestedAttributesBypass
 - CheckNumberToCurrency
 - CheckPermitAttributes
 - CheckQuoteTableName
 - CheckRedirect
 - CheckRegexDoS
 - CheckRender
 - CheckRenderDoS
 - CheckRenderInline
 - CheckResponseSplitting
 - CheckRouteDoS
 - CheckSafeBufferManipulation
 - CheckSanitizeMethods
 - CheckSelectTag
 - CheckSelectVulnerability
 - CheckSend
 - CheckSendFile
 - CheckSessionManipulation
 - CheckSessionSettings
 - CheckSimpleFormat
 - CheckSingleQuotes
 - CheckSkipBeforeFilter
 - CheckSQL
 - CheckSQLCVEs
 - CheckSSLVerify
 - CheckStripTags
 - CheckSymbolDoSCVE
 - CheckTranslateBug
 - CheckUnsafeReflection
 - CheckValidationRegex
 - CheckWithoutProtection
 - CheckXMLDoS
 - CheckYAMLParsing
Checks finished, collecting results...
Generating report...
Report saved in '/tmp/brakeman.json'
2019/01/10 06:47:44 [gosec] Detect project using plugin
2019/01/10 06:47:44 [gosec] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs-gradle] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs-gradle] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs-sbt] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs-sbt] Project not compatible
2019/01/10 06:47:44 [find-sec-bugs-groovy] Detect project using plugin
2019/01/10 06:47:44 [find-sec-bugs-groovy] Project not compatible
2019/01/10 06:47:44 [flawfinder] Detect project using plugin
2019/01/10 06:47:44 [flawfinder] Project not compatible
2019/01/10 06:47:44 [phpcs-security-audit] Detect project using plugin
2019/01/10 06:47:44 [phpcs-security-audit] Project not compatible
2019/01/10 06:47:44 [security-code-scan] Detect project using plugin
2019/01/10 06:47:44 [security-code-scan] Project not compatible
2019/01/10 06:47:44 [nodejs-scan] Detect project using plugin
2019/01/10 06:47:44 [nodejs-scan] Project not compatible
+----------------------------------------------------------------------------------------+
| Severity   | Tool       | Location                                                     |
+----------------------------------------------------------------------------------------+
Uploading artifacts...
gl-sast-report.json: found 1 matching files        
Uploading artifacts to coordinator... ok            id=143835025 responseStatus=201 Created token=VFGxNN6x
Job succeeded

And the configuration in my .gitlab-ci.yml file:

sast:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
      --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
      --volume "$PWD:/code"
      --volume /var/run/docker.sock:/var/run/docker.sock
      "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    paths: [gl-sast-report.json]
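The symptom in the post is worth guarding against in the pipeline itself: the job ends with "Job succeeded", `allow_failure: true` keeps it green even when the orchestrator fails, and the empty results table is exactly what a clean scan with zero findings also prints, so a report that is literally `null` is indistinguishable from a good run unless something inspects the artifact. The following is an added example (not from the original post, and not GitLab's or Brakeman's own code): a POSIX sh function meant to run as the last `script:` step of the `sast` job, after the `docker run`, that accepts only a JSON array or object as a report and fails on `null`, an empty file, or anything else. It assumes the report is written to `gl-sast-report.json` in the job's working directory, as the `artifacts:` section in the post expects, and uses only tools present in the `docker:stable` (Alpine) image.

```shell
#!/bin/sh
# Added example: refuse to treat a bare `null` (or an empty / malformed)
# SAST report as a clean scan. Not part of the original post.
# Assumption: the report path is gl-sast-report.json in $PWD, matching the
# artifacts: section of the sast job in the post.

# check_sast_report FILE
# Returns 0 only when FILE holds a JSON array (the 11.x report shape) or a
# JSON object; prints a one-line verdict either way.
check_sast_report() {
  file=$1
  if [ ! -s "$file" ]; then
    echo "sast report check: $file is missing or empty"
    return 1
  fi
  # Collapse whitespace so only the document's shape is inspected.
  content=$(tr -d ' \t\r\n' < "$file")
  case "$content" in
    null)
      echo "sast report check: $file contains only null (no report was produced)"
      return 1 ;;
    '[]')
      echo "sast report check: valid report, no findings"
      return 0 ;;
    '['*']'|'{'*'}')
      echo "sast report check: valid report"
      return 0 ;;
    *)
      echo "sast report check: $file is not a JSON array or object"
      return 1 ;;
  esac
}

# Usage from the CI job: sh check_sast_report.sh gl-sast-report.json
# (only runs when a path is given, so sourcing the file has no side effects).
if [ $# -gt 0 ]; then
  check_sast_report "$1"
fi
```

Keeping `allow_failure: true` on the scan step and then running this check as a separate step (or as the final `script:` line with `allow_failure` removed) turns a silently null artifact into a red job, which is what you want for a control that is supposed to block vulnerable code rather than merely report on it.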