Semgrep-sast WARNINGS: "failed to parse the partuuid of /dev/sda...."

Here’s a partial log of warnings I’m getting when running SAST (semgrep-SAST). It looks like semgrep is looking across all mounted volumes for code to analyze. How can I get rid of the warnings? Do I have to restrict the directories semgrep looks in? This is running online in Gitlab Ultimate Trial.

[//vet import --src /builds/sfgitlab/sampleproj2 --store /builds/sfgitlab/sampleproj2/vetstore --file-ext .go]
[INFO] [VET] [2023-03-07T15:01:44Z] :arrow_forward: Vet Import Process Starting…
[INFO] [VET] [2023-03-07T15:01:44Z] :arrow_forward:
Import time 0.009617 seconds
[INFO] [VET] [2023-03-07T15:01:44Z] :arrow_forward: VET import complete
[INFO] [VET] [2023-03-07T15:01:44Z] :arrow_forward: GitLab VET analyzer v
WARNING: failed to parse the partuuid of /dev/sda1
WARNING: failed to parse the partuuid of /dev/sda12
WARNING: failed to parse the partuuid of /dev/sda3
WARNING: failed to parse the partuuid of /dev/sda8

Hi @sfgitlab50, thanks for bringing this up! I work in the Static Analysis team at GitLab.

You can safely ignore these warnings as they have no impact on the scan performance or efficacy – the logs are a result of the False positive detection step that executes after the Semgrep scan. The false positive detector queries for the CPU, memory, and block devices of the system it’s running in for debugging purposes. It looks to have run into a permissions issue in this case. This step is non-blocking from the detector’s perspective, so it won’t impact the false positive reduction capability.

I’ll see if we can limit this step to only execute when debug logging is enabled. In the meantime, are you able to let me know what kind of GitLab Runner is executing the scan (shell, Docker, etc.)?

Please let me know if there’s anything else I can help with!
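An added diagnostic, not GitLab's own detector code: it lists the block devices the runner can see from /proc/partitions, checks whether the job can open each device node, and looks up the PARTUUID through udev's /dev/disk/by-partuuid symlinks, which is enough to tell whether a warning like the one above comes from a container that simply lacks access to the host's disks. The `root` parameter and the constructed fake tree exist only so it can be exercised offline.

```python
import os
import tempfile
from pathlib import Path


def list_partitions(root="/"):
    """Return device names (e.g. 'sda1') from /proc/partitions under `root`."""
    names = []
    for line in (Path(root) / "proc/partitions").read_text().splitlines():
        fields = line.split()
        # data rows look like: major minor #blocks name
        if len(fields) == 4 and fields[0].isdigit():
            names.append(fields[3])
    return names


def partuuid_map(root="/"):
    """Map device name -> PARTUUID using the symlinks udev keeps in /dev/disk/by-partuuid."""
    by_uuid = Path(root) / "dev/disk/by-partuuid"
    if not by_uuid.is_dir():
        return {}
    # each link is named after the PARTUUID and points at e.g. '../../sda1'
    return {os.path.basename(os.readlink(link)): link.name for link in by_uuid.iterdir()}


def diagnose(root="/"):
    """For every partition: does the node exist, can we read it, and is a PARTUUID known?"""
    uuids = partuuid_map(root)
    report = {}
    for name in list_partitions(root):
        dev = Path(root) / "dev" / name
        report[name] = {
            "node_exists": dev.exists(),
            "readable": dev.exists() and os.access(dev, os.R_OK),
            "partuuid": uuids.get(name),  # None means no udev link, typical inside a container
        }
    return report


def build_constructed_root():
    """Constructed sample tree (assumption): sda1 has a udev link, sda3 has none, sda8 has no node."""
    root = Path(tempfile.mkdtemp())
    (root / "proc").mkdir()
    (root / "proc/partitions").write_text(
        "major minor  #blocks  name\n\n   8   1  524288 sda1\n   8   3  1048576 sda3\n   8   8  2048 sda8\n")
    (root / "dev/disk/by-partuuid").mkdir(parents=True)
    for name in ("sda1", "sda3"):
        (root / "dev" / name).write_bytes(b"")
    os.symlink("../../sda1", root / "dev/disk/by-partuuid/0000-0001")  # constructed PARTUUID
    return str(root)


if __name__ == "__main__":
    for name, info in diagnose().items():
        print(name, info)
```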
