ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.
https://horusec.io/
Apache License 2.0
1.15k stars 187 forks

Error: No such container:path #1086

Open john047 opened 2 years ago

john047 commented 2 years ago

What happened: Error: No such container:path: 211304:/opt/horusec/horusec-report.json

How to reproduce it (as minimally and precisely as possible): my job for release branch:

horusec_sast:
  stage: check-code
  image: docker:19.03.12

  rules:
    - if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
  allow_failure: true

  script:
    - docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O horusec-report.json
    - docker cp ${CI_JOB_ID}:/opt/horusec/horusec-report.json ${CI_PROJECT_DIR}/horusec-report.json

    # remove image
    - docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
    - docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true

    # remove stopped containers
    - docker rm -f $(docker ps -a -q --filter 'exited=0') || true

  artifacts:
    paths:
      - horusec-report.json
    expire_in: 1 weeks

Anything else we need to know?: this job works correctly for the test branch ($CI_COMMIT_REF_NAME == "test"), but when I merge to the release branch I get the following error:

$ docker cp ${CI_JOB_ID}:/opt/horusec/horusec-report.json ${CI_PROJECT_DIR}/horusec-report.json
Error: No such container:path: 211304:/opt/horusec/horusec-report.json

Environment:

What am I doing wrong? Help, please!

wiliansilvazup commented 2 years ago

Hello @john047. From what I understand, you are trying to acquire the output in JSON format. For this I recommend using the volumes functionality instead of docker cp, which would be easier. It would be something like:

horusec_sast:
  stage: check-code
  image: docker:19.03.12

  rules:
    - if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
  allow_failure: true

  script:
    - mkdir -p ${CI_PROJECT_DIR}/../horusec-output
    - docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/../horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json

    # you can see your report here
    - cat ${CI_PROJECT_DIR}/../horusec-output/horusec-report.json

    # remove image
    - docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
    - docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true

    # remove stopped containers
    - docker rm -f $(docker ps -a -q --filter 'exited=0') || true

  artifacts:
    paths:
      - horusec-report.json
    expire_in: 1 weeks
john047 commented 2 years ago

Hello @wiliansilvazup

I tried two options for running the job. The first one as you suggested:

horusec_sast:
  stage: check-code
  image: docker:19.03.12

  rules:
    - if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
  allow_failure: true

  script:
    - mkdir -p ${CI_PROJECT_DIR}/../horusec-output
    - docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/../horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json

    # you can see your report here
    - cat ${CI_PROJECT_DIR}/../horusec-output/horusec-report.json

    # remove image
    - docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
    - docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true

    # remove stopped containers
    - docker rm -f $(docker ps -a -q --filter 'exited=0') || true

  artifacts:
    paths:
      - horusec-report.json
    expire_in: 1 weeks

got following logs:

$ mkdir -p ${CI_PROJECT_DIR}/../horusec-output
$ docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/../horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json
time="2022-06-28T12:38:12Z" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2022-06-28T12:38:12Z" level=warning msg="Horusec will return a timeout after 600 seconds. This time can be customized in the cli settings."
time="2022-06-28T12:38:12Z" level=warning msg="{HORUSEC_CLI} PLEASE DON'T REMOVE \".horusec\" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/opt/horusec/.horusec/708ab691-5690-4d7a-ac76-a7a1ed820fa0]"
time="2022-06-28T12:38:22Z" level=info msg="{HORUSEC_CLI} Writing output JSON to file in the path: /opt/horusec-output/horusec-report.json"
time="2022-06-28T12:38:22Z" level=warning msg="{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis"
time="2022-06-28T12:38:22Z" level=warning msg="YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!"
time="2022-06-28T12:38:22Z" level=warning msg="{HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option \"--information-severity=true\". For more details use (horusec start --help) command."
$ cat ${CI_PROJECT_DIR}/../horusec-output/horusec-report.json
cat: can't open '/builds/group/subgroup/project/../horusec-output/horusec-report.json': No such file or directory
ERROR: Job failed: exit code 1

What does the construction /../ above mean (in command mkdir -p ${CI_PROJECT_DIR}/../horusec-output)?

The second:

horusec_sast:
  stage: check-code
  image: docker:19.03.12

  rules:
    - if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
  allow_failure: true

  script:
    - mkdir -p ${CI_PROJECT_DIR}/horusec-output
    - docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json

    # you can see your report here
    - cat ${CI_PROJECT_DIR}/horusec-output/horusec-report.json

    # remove image
    - docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
    - docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true

    # remove stopped containers
    - docker rm -f $(docker ps -a -q --filter 'exited=0') || true

  artifacts:
    paths:
      - horusec-report.json
    expire_in: 1 weeks

and got logs:

$ mkdir -p ${CI_PROJECT_DIR}/horusec-output
$ docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json
time="2022-06-28T12:41:15Z" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2022-06-28T12:41:15Z" level=warning msg="Horusec will return a timeout after 600 seconds. This time can be customized in the cli settings."
time="2022-06-28T12:41:15Z" level=warning msg="{HORUSEC_CLI} PLEASE DON'T REMOVE \".horusec\" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/opt/horusec/.horusec/c2a2ede7-5c33-45aa-9666-bc6dccf6fb21]"
time="2022-06-28T12:41:38Z" level=info msg="{HORUSEC_CLI} Writing output JSON to file in the path: /opt/horusec-output/horusec-report.json"
time="2022-06-28T12:41:38Z" level=warning msg="{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis"
time="2022-06-28T12:41:38Z" level=warning msg="YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!"
time="2022-06-28T12:41:38Z" level=warning msg="{HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option \"--information-severity=true\". For more details use (horusec start --help) command."
$ cat ${CI_PROJECT_DIR}/horusec-output/horusec-report.json
cat: can't open '/builds/group/subgroup/project/horusec-output/horusec-report.json': No such file or directory
ERROR: Job failed: exit code 1

Config of gitlab-runner - config.toml: privileged = true, volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]. I can also say that it is possible that when the utility is launched through docker run, the directory with the project is not mounted, since when changing the config of gitlab-runner to volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache", "/builds:/builds"], the job logs indicate that vulnerabilities were found, although it is clear above that there are none (YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!). Unfortunately, this setting makes deploying services inoperable and has been removed from the gitlab-runner config. For the utility to work, do I need to use services as written in the documentation? https://docs.horusec.io/docs/cli/installation/#gitlab-cicd

john047 commented 2 years ago

As I wrote above, the directory with the project is not mounted:

horusec_sast:
  stage: check-code
  image: docker:19.03.12

  script:
    - ls -la ${CI_PROJECT_DIR}
    - docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest ls -la /opt/horusec

logs:

$ ls -la ${CI_PROJECT_DIR}
total 52
drwxrwxrwx    4 root     root          4096 Jun 28 19:49 .
drwxrwxrwx    4 root     root          4096 Jun 28 19:49 ..
-rw-rw-rw-    1 root     root           127 Jun 28 19:49 .dockerignore
drwxrwxrwx    6 root     root          4096 Jun 28 19:49 .git
-rw-rw-rw-    1 root     root          7495 Jun 28 19:49 .gitignore
-rw-rw-rw-    1 root     root           306 Jun 28 19:49 .gitlab-ci.yml
-rw-rw-rw-    1 root     root           889 Jun 28 19:49 Dockerfile
-rw-rw-rw-    1 root     root          1033 Jun 28 19:49 README.md
-rw-rw-rw-    1 root     root          6237 Jun 28 19:49 Developer.sln
-rw-rw-rw-    1 root     root          2033 Jun 28 19:49 Developer.sln.DotSettings
drwxrwxrwx   10 root     root          4096 Jun 28 19:49 src

$ docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest ls -la /opt/horusec
total 36
drwxr-xr-x    8 root     root          4096 Jun 28 19:44 .
drwxr-xr-x    1 root     root          4096 Jun 28 19:49 ..
drwxr-xr-x    2 root     root          4096 Jun 28 12:41 horusec-output
-rw-r--r--    1 root     root           408 Jun 28 08:32 horusec-report.json
drwxr-xr-x    2 root     root          4096 Jun 23 06:56 mnt
drwxr-xr-x    2 root     root          4096 Jun 20 21:55 odc-reports
drwxr-xr-x    2 root     root          4096 Jun 23 07:09 shared
drwxr-xr-x    2 root     root          4096 Jun 28 12:23 tmp.BMhcfm
drwxr-xr-x    2 root     root          4096 Jun 28 12:21 tmp.BkJKmf

How to solve this problem?

john047 commented 2 years ago

Please explain how services and the socket can work together? After all, there must be only one of them, either a service or a socket. https://docs.horusec.io/docs/cli/installation/#gitlab-cicd I still do not have a solution to the problem of mounting the directory with the project!

john047 commented 2 years ago

A lot of time has already been spent on solving the problem of mounting the directory with the project. According to the documentation, I cannot configure the use of the utility! With the following job (2nd command in the script) I can access the repository files:

horusec_sast:
  stage: check-code
  image: docker:19.03.12

  script:
    - export CONTAINER_ID=$(docker ps -q -f "label=com.gitlab.gitlab-runner.job.id=$CI_JOB_ID" -f "label=com.gitlab.gitlab-runner.type=build")
    - docker run -v /var/run/docker.sock:/var/run/docker.sock --volumes-from ${CONTAINER_ID} -w /builds/${CI_PROJECT_PATH} horuszup/horusec-cli:latest ls -la
    - docker run -v /var/run/docker.sock:/var/run/docker.sock --volumes-from ${CONTAINER_ID} -w /builds/${CI_PROJECT_PATH} horuszup/horusec-cli:latest horusec start -p ./ -P ${CI_PROJECT_DIR} -o json -O horusec-report.json

BUT! With the 3rd command in the script above I can't! I get errors:

time="2022-06-30T08:02:48Z" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2022-06-30T08:02:48Z" level=warning msg="{HORUSEC_CLI} When starting the analysis WE SKIP A TOTAL OF 30 FILES that are not considered to be analyzed. To see more details use flag --log-level=debug"
time="2022-06-30T08:02:48Z" level=warning msg="Horusec will return a timeout after 600 seconds. This time can be customized in the cli settings."
time="2022-06-30T08:02:48Z" level=warning msg="{HORUSEC_CLI} PLEASE DON'T REMOVE \".horusec\" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6]"
⣷ Scanning code ...time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
⣾ Scanning code ...time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=info msg="{HORUSEC_CLI} Writing output JSON to file in the path: /builds/group/subgroup/project/horusec-report.json"
time="2022-06-30T08:02:52Z" level=warning msg="{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis"
time="2022-06-30T08:02:52Z" level=warning msg="YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!"
time="2022-06-30T08:02:52Z" level=warning msg="{HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option \"--information-severity=true\". For more details use (horusec start --help) command."
==================================================================================
time="2022-06-30T08:02:52Z" level=warning msg="{HORUSEC_CLI} During execution we found some problems:"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool Trivy: trivy config cmd: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool Semgrep: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool SecurityCodeScan: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool DotnetCli: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"

The gitlab-runner config has privileged = true. I ask for help!
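
The "bind source path does not exist" errors above come from the host daemon: with docker.sock mounted, every `-v source:target` that horusec (or the job itself) passes is resolved on the host's filesystem, not inside the build container, so `/builds/...` only works when the host has that same path. The helper below is an added example, not code from the horusec project: it reads the build container's own mount table (the output of `docker inspect --format '{{json .Mounts}}' <id>`, where `<id>` is the container found with the label filter used in the job above) and translates a container-side path into the host-side path the daemon will actually see, refusing paths that no mount covers. The mount table, volume names and host paths below are constructed assumptions for illustration.

```python
"""Translate a path seen inside the GitLab build container into the path the
host Docker daemon sees, using the build container's own mount table.

Added example, not code from the horusec project. When docker.sock is mounted,
`docker run -v ${CI_PROJECT_DIR}:...` is interpreted by the host daemon, so the
source path must exist on the host. The mount table below is constructed to
look like `docker inspect --format '{{json .Mounts}}' <build-container-id>`;
the volume names and host paths are assumptions, not values from the thread.
"""
import json
import posixpath
from typing import Optional

# Constructed sample (assumed values): the build container's mounts. /builds is
# a named volume here, so its host-side location is under /var/lib/docker.
SAMPLE_MOUNTS_JSON = """
[
  {"Type": "bind", "Source": "/var/run/docker.sock",
   "Destination": "/var/run/docker.sock", "RW": true},
  {"Type": "volume", "Name": "runner-abc-project-1-cache",
   "Source": "/var/lib/docker/volumes/runner-abc-project-1-cache/_data",
   "Destination": "/cache", "RW": true},
  {"Type": "volume", "Name": "runner-abc-project-1-concurrent-0",
   "Source": "/var/lib/docker/volumes/runner-abc-project-1-concurrent-0/_data",
   "Destination": "/builds", "RW": true}
]
"""
SAMPLE_MOUNTS = json.loads(SAMPLE_MOUNTS_JSON)


def _covers(dest: str, path: str) -> bool:
    """True when `path` is `dest` itself or lies below it."""
    return path == dest or path.startswith(dest.rstrip("/") + "/")


def host_path_for(container_path: str, mounts: list) -> Optional[str]:
    """Return the host-side path that corresponds to `container_path`, or None
    when no mount covers it. None means the daemon would either bind-mount an
    unrelated directory from the host or fail with
    "bind source path does not exist"."""
    path = posixpath.normpath(container_path)
    # Pick the longest-matching destination so nested mounts win over parents.
    best = max(
        (m for m in mounts if _covers(posixpath.normpath(m["Destination"]), path)),
        key=lambda m: len(posixpath.normpath(m["Destination"])),
        default=None,
    )
    if best is None:
        return None
    rel = posixpath.relpath(path, posixpath.normpath(best["Destination"]))
    return best["Source"] if rel == "." else posixpath.join(best["Source"], rel)


def docker_volume_arg(container_path: str, target: str, mounts: list) -> str:
    """Build the `-v host:target` argument for a nested `docker run`, refusing
    paths the host daemon cannot see instead of silently mounting the wrong
    directory (which is what an unverified `-v ${CI_PROJECT_DIR}:...` does)."""
    host = host_path_for(container_path, mounts)
    if host is None:
        raise ValueError(f"{container_path} is not reachable from the host daemon; "
                         "use --volumes-from <build container> or a host bind mount")
    return f"-v {host}:{target}"


if __name__ == "__main__":
    # In a real job, replace SAMPLE_MOUNTS with the output of
    #   docker inspect --format '{{json .Mounts}}' "$(docker ps -q \
    #     -f label=com.gitlab.gitlab-runner.job.id=$CI_JOB_ID \
    #     -f label=com.gitlab.gitlab-runner.type=build)"
    for p in ["/builds/group/subgroup/project", "/opt/horusec"]:
        print(p, "->", host_path_for(p, SAMPLE_MOUNTS))
    print(docker_volume_arg("/builds/group/subgroup/project", "/opt/horusec",
                            SAMPLE_MOUNTS))
```

Note that the translation only helps for the mounts the job itself passes. Horusec additionally asks the daemon to bind-mount `<project>/.horusec/<uuid>` into each tool container, so the project directory has to be reachable from the host under the same path the CLI uses; `--volumes-from` the build container (as in the job above) or a runner `volumes` entry for `/builds` are the two ways to arrange that.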

john047 commented 2 years ago

Can someone from here help?

wiliansilvazup commented 2 years ago

@john047 About the problem: I tested in a GitLab configuration and it worked fine; however, when checking the output of the first attempt, horusec could not find any vulnerability, so the file will not be created. Try adding a vulnerability and see what the output looks like in this case. For example, create a test yaml file with an exposed password, something like:

test:
    envs:
        - PASSWORD: "CHECK IF THIS WILL WORKS"

And check whether you get the expected report. For me it works fine :)

john047 commented 2 years ago

@wiliansilvazup, yes, your advice works, but when I run it manually the tool finds two vulnerabilities:

  1. "details": "Hard-coded password" - from the yaml file mentioned above
  2. "details": "Running containers with 'root' user can lead to a container escape situation" - from the Dockerfile

And I got 26 vulnerabilities when I ran the tool via docker run! Why is the scan result different in GitLab, manual (from the binary file) and docker run?
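
Two practical points come out of the last two comments: the report file is simply not written when the scan finds nothing, so a `cat` or artifact step that assumes it exists fails the job, and runs from different environments returned different counts, which is easiest to compare per tool (the GitLab run above logged Trivy, Semgrep, SecurityCodeScan and DotnetCli failing to start, so fewer findings there is expected). The script below is an added example, not code from the horusec project: it treats a missing report as an empty scan, summarises findings by severity and by tool, and turns the result into a CI exit code. The report layout it assumes (top-level "analysisVulnerabilities" entries each holding a "vulnerabilities" object with "severity", "securityTool" and "details", plus a top-level "errors" string) and the sample report itself are assumptions, not output taken from the thread.

```python
"""Gate a CI job on a Horusec JSON report without tripping over a missing file.

Added example, not code from the horusec project. The report layout assumed
here (top-level "analysisVulnerabilities", each entry holding a
"vulnerabilities" object with "severity", "securityTool" and "details", and a
top-level "errors" string) and the sample report are assumptions.
"""
import json
import os
from collections import Counter
from typing import Dict, Tuple

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
EMPTY_REPORT = {"errors": "", "analysisVulnerabilities": []}

# Constructed sample report (assumed layout and values).
SAMPLE_REPORT = {
    "version": "v2.0.0",
    "status": "success",
    "errors": "",
    "analysisVulnerabilities": [
        {"vulnerabilities": {"securityTool": "HorusecEngine", "severity": "CRITICAL",
                             "file": "test.yaml", "line": "3",
                             "details": "Hard-coded password"}},
        {"vulnerabilities": {"securityTool": "HorusecEngine", "severity": "MEDIUM",
                             "file": "Dockerfile", "line": "1",
                             "details": "Running containers with 'root' user can "
                                        "lead to a container escape situation"}},
    ],
}


def load_report(path: str) -> dict:
    """Read the report; a missing file is an empty scan, not an error."""
    if not os.path.exists(path):
        return dict(EMPTY_REPORT)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings(report: dict):
    for entry in report.get("analysisVulnerabilities") or []:
        yield entry.get("vulnerabilities", {})


def counts_by_severity(report: dict) -> Dict[str, int]:
    return dict(Counter(f.get("severity", "UNKNOWN").upper() for f in findings(report)))


def counts_by_tool(report: dict) -> Dict[str, int]:
    """Per-tool totals: a tool present in one run and absent in another is the
    first thing to check when two environments disagree."""
    return dict(Counter(f.get("securityTool", "unknown") for f in findings(report)))


def gate(report: dict, fail_on: str = "HIGH") -> Tuple[int, int]:
    """Return (exit_code, blocking_count). Exit 1 when any finding is at or
    above `fail_on`, or when the scanner itself reported errors, so a run in
    which tools failed to start is not mistaken for a clean one."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = sum(
        1 for f in findings(report)
        if SEVERITY_RANK.get(f.get("severity", "").upper(), -1) >= threshold
    )
    tool_errors = bool(report.get("errors"))
    return (1 if blocking or tool_errors else 0), blocking


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "horusec-report.json"
    rep = load_report(path)
    print("by severity:", counts_by_severity(rep))
    print("by tool:", counts_by_tool(rep))
    code, n = gate(rep, os.environ.get("HORUSEC_FAIL_ON", "HIGH"))
    print(f"blocking findings: {n}, exit {code}")
    sys.exit(code)
```

Run it as the step after `horusec start` (for example `python3 gate.py horusec-report.json`) and keep `allow_failure` off for that step; comparing the `by tool` line across the binary, `docker run` and GitLab runs shows whether a count difference is a missing tool or a genuine difference in findings.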