Checkmarx / ast-cli

A CLI project wrapping application security testing (AST) APIs
Apache License 2.0

Add sufficient support to CLI dockerimage for running the ScaResolver #614

Closed juegge closed 10 months ago

juegge commented 10 months ago

Currently, when trying to run the CLI dockerimage with the ScaResolver the run will fail, because the alpine image that is used for the ast-cli dockerimage is missing libraries that are required to run the ScaResolver. The missing libraries are as follows (output from ldd):

    ldd ScaResolver
        /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
        libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
        libdl.so.2 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
    Error loading shared library libgcc_s.so.1: No such file or directory (needed by ScaResolver)
        libz.so.1 => /lib/libz.so.1 (0x7f8cdb232000)
        libm.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
        librt.so.1 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)
        libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f8cdbd01000)

Since the dockerimage is built to run as non-root user these libraries cannot be added, e.g. using apk. E.g. if you try to run this example, https://github.com/Checkmarx/ci-cd-integrations/blob/main/CxScaResolver/bitbucket-pipelines.yml, it will fail with an error like this:

    Using SCA resolver: ./ScaResolver [offline -s ./ -n project-name -r /tmp/sca229206833.json --ignore-dev-dependencies true --log-level Debug]
    2023/11/08 14:30:17 ScaResolver error: fork/exec ./ScaResolver: no such file or directory

If you look carefully you will notice that the github and azure examples use "ubuntu-latest" as the base image, which has the required libraries.

github-actions[bot] commented 10 months ago

Internal Jira issue: AST-32207

juegge commented 10 months ago

The root cause is that the ScaResolver seems to be a glibc based software. However, alpine linux is not glibc based and therefore cannot run the ScaResolver, at least not in an easy & reliable way. However, ast-cli can run on glibc based linux like e.g. debian:buster-slim, which also runs the ScaResolver just fine. An example of a working pipeline can be found here: https://gitlab.com/jurgen-cx/utilities/-/blob/main/CxONE_GitlabCI_Scaresolver.yml

juegge commented 10 months ago

ok, the solution is to use the alpine based ScaResolver: https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-musl64.tar.gz
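The "fork/exec ./ScaResolver: no such file or directory" error in this thread is the classic symptom of a glibc-linked binary on a musl host: the file exists, but the ELF interpreter it names in its PT_INTERP segment (/lib64/ld-linux-x86-64.so.2) does not, so execve() fails with ENOENT and Go reports it as if the binary itself were missing. The following is an added example, not code from ast-cli, ScaResolver or Checkmarx: it reads the PT_INTERP path out of an ELF64 image, classifies the loader as glibc or musl (the loader table is an assumption covering x86-64 only), and checks whether that loader is present under a given root. The sample ELF images are constructed inline with make_elf() so the script runs offline; against a real file, run it with the path of the ScaResolver binary as an argument.

```python
"""Check which dynamic loader an ELF binary expects before exec'ing it in a container.

Added example for this thread; not part of ast-cli or ScaResolver. The loader
table below is an assumption and covers x86-64 only.
"""
import os
import struct
import tempfile
from typing import Optional, Tuple

PT_INTERP = 3  # program header type carrying the interpreter (dynamic loader) path

# Dynamic loader path -> libc family. Assumed x86-64 paths for glibc and musl distros.
KNOWN_LOADERS = {
    "/lib64/ld-linux-x86-64.so.2": "glibc",
    "/lib/ld-musl-x86_64.so.1": "musl",
}


def elf_interpreter(data: bytes) -> Optional[str]:
    """Return the PT_INTERP path of an ELF64 little-endian image, or None if it has none (static)."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)  # entry size and count
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def diagnose(data: bytes, root: str = "/") -> Tuple[Optional[str], str, bool]:
    """Return (interpreter path, libc family, loader present under root).

    A missing interpreter is exactly what makes execve() fail with ENOENT, which Go
    reports as "fork/exec ./ScaResolver: no such file or directory" although the
    file itself is there.
    """
    interp = elf_interpreter(data)
    if interp is None:
        return None, "static", True
    present = os.path.exists(os.path.join(root, interp.lstrip("/")))
    return interp, KNOWN_LOADERS.get(interp, "unknown"), present


def make_elf(interp: bytes) -> bytes:
    """Build a minimal ELF64 image with a single PT_INTERP segment (constructed test input, not a real program)."""
    phoff, phentsize = 64, 56
    interp_off = phoff + phentsize
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4:7] = bytes([2, 1, 1])  # ELFCLASS64, little-endian, EV_CURRENT
    # e_type=ET_EXEC, e_machine=EM_X86_64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16,
                     2, 62, 1, 0, phoff, 0, 0, 64, phentsize, 1, 0, 0, 0)
    size = len(interp) + 1  # include the NUL terminator
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0, size, size, 1)
    return bytes(ehdr) + phdr + interp + b"\0"


def demo() -> dict:
    """Diagnose a glibc-linked and a musl-linked image against a fake Alpine-like root that has only the musl loader."""
    glibc_bin = make_elf(b"/lib64/ld-linux-x86-64.so.2")
    musl_bin = make_elf(b"/lib/ld-musl-x86_64.so.1")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        open(os.path.join(root, "lib", "ld-musl-x86_64.so.1"), "wb").close()
        return {"glibc": diagnose(glibc_bin, root), "musl": diagnose(musl_bin, root)}


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                interp, family, ok = diagnose(f.read())
            print(f"{path}: loader={interp} ({family}) present={ok}")
    else:
        for name, result in demo().items():
            print(name, result)
```

Running this inside the ast-cli image against the glibc ScaResolver would report the loader as missing before any scan starts, which is a clearer failure than the ENOENT from Go's exec; the musl64 build linked in the comment above names /lib/ld-musl-x86_64.so.1 instead, which Alpine provides.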

kaplanlior commented 10 months ago

Add reference Checkmarx/ci-cd-integrations#38