aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0
712 stars 63 forks

GitLab CI/CD failed #107

Closed krzysztofkorozej closed 1 year ago

krzysztofkorozej commented 1 year ago

Description

Hey team! I saw that you added support for GitLab (beta). I tried to run a scan against a dummy repo hosted on GitLab, but unfortunately it failed. I created a token with the appropriate role and permissions.

What did you expect to happen?

The scan runs successfully

What happened instead?

The scan immediately failed

Output from the GitLab CI/CD runner:

$ chain-bench scan --repository-url $CI_PROJECT_URL --access-token $CHAIN_BENCH_TOKEN -o results.json --template @/templates/gitlab_security_scanner.tpl
2022-10-26 11:31:13 INF 🚩   Fetch Starting
2022-10-26 11:31:14 ERR error in fetching repository data
2022-10-26 11:31:14 INF 🛢️  Fetching Repository Settings Finished
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0xbd97a5]
goroutine 1 [running]:
github.com/aquasecurity/chain-bench/internal/scm-clients/clients.FetchClientData({0x7ffd195cb03b, 0x1a}, {0x7ffd195caff6?, 0x1?}, {0x0, 0x0})
    /home/runner/work/chain-bench/chain-bench/internal/scm-clients/clients/clients.go:40 +0x1a5
github.com/aquasecurity/chain-bench/internal/commands.NewScanCommand.func1(0xc000252a00?, {0xe3962a?, 0x8?, 0x8?})
    /home/runner/work/chain-bench/chain-bench/internal/commands/scan.go:22 +0xcc
github.com/spf13/cobra.(*Command).execute(0xc000252a00, {0xc00024e800, 0x8, 0x8})
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0xc000252780)
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:990 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:918
github.com/aquasecurity/chain-bench/internal/commands.Execute({0xf93cc8?, 0xc0000021a0?})
    /home/runner/work/chain-bench/chain-bench/internal/commands/root.go:21 +0x32
main.main()
    /home/runner/work/chain-bench/chain-bench/cmd/chain-bench/main.go:12 +0x27
Uploading artifacts for failed job

hunter commented 1 year ago

I can confirm a similar error on a dedicated Gitlab instance (although scanning the code it appears that self-hosted instances are not supported)

krzysztofkorozej commented 1 year ago

In my case (GitLab SaaS) it did not even start; it failed immediately after the fetch step.

morwn commented 1 year ago

Hi @krzychurra, thanks for trying this new beta feature. Could you please:

@hunter - currently only GitLab SaaS is supported

Thanks for your feedback

krzysztofkorozej commented 1 year ago

Hi @morwn, the chain-bench version appears to be correct. I think I managed to find what the problem is. Below is how the repositories are arranged in my org:

foo (main group)
    developers
    security (subgroup)
        dummy-repo

So final URL to repository:

https://gitlab.com/foo/security/dummy-repo

When I run scan with -v

2022-10-26 13:15:48 INF 🚩   Fetch Starting
2022-10-26 13:15:49 ERR error in fetching repository data
2022-10-26 13:15:49 DBG error in fetching repository data error="GET https://gitlab.com/api/v4/projects/foo/security: 404 {message: 404 Project Not Found}"
2022-10-26 13:15:49 INF 🛢️  Fetching Repository Settings Finished

I can't manually make a request to this URL https://gitlab.com/api/v4/projects/foo/security; instead I need to call the GitHub API with the following request:

curl "https://gitlab.com/api/v4/projects/{PROJECT_ID}?private_token=XYZ"

where PROJECT_ID is ID for https://gitlab.com/foo/security/dummy-repo
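
The diagnosis above points at how the repository URL is split: the DBG line shows `GET .../projects/foo/security`, i.e. the first two path segments (GitHub's owner/repo shape) were used, which for a project inside a subgroup resolves to the parent group and 404s. GitLab's `GET /projects/:id` accepts either the numeric project ID or the full namespace path with `/` percent-encoded as `%2F`, so no ID lookup is needed if the whole path after the host is kept. The following Go program is an added example, not chain-bench's own code; `ownerRepoAPIURL` is a reconstruction of the faulty behaviour inferred from the log line, not the project's actual parser, and `ParseGitLabProject`, `ProjectRef` and `NewProjectRequest` are hypothetical names. It also moves the token from the `?private_token=` query string used in the curl example into the `PRIVATE-TOKEN` header, which GitLab accepts and which keeps the secret out of proxy and server access logs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ProjectRef holds what a GitLab API client needs to address one project.
// Hypothetical type for this example, not a chain-bench type.
type ProjectRef struct {
	FullPath string // e.g. "foo/security/dummy-repo"
	APIURL   string // e.g. "https://gitlab.com/api/v4/projects/foo%2Fsecurity%2Fdummy-repo"
}

// ownerRepoAPIURL reproduces the GitHub-style assumption that explains the
// 404 in the thread: only the first two path segments are used, so a project
// nested in a subgroup is mistaken for its parent group (reconstructed from the
// DBG line, not chain-bench's code).
func ownerRepoAPIURL(repoURL string) (string, error) {
	u, err := url.Parse(repoURL)
	if err != nil {
		return "", err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 {
		return "", fmt.Errorf("expected owner/repo in %q", repoURL)
	}
	return fmt.Sprintf("%s://%s/api/v4/projects/%s/%s", u.Scheme, u.Host, parts[0], parts[1]), nil
}

// ParseGitLabProject builds the v4 API URL for a project at any subgroup depth
// by percent-encoding the whole namespace path as the :id of GET /projects/:id.
// Trailing ".git" and "/-/..." UI suffixes (as in a job URL) are dropped.
func ParseGitLabProject(repoURL string) (ProjectRef, error) {
	u, err := url.Parse(repoURL)
	if err != nil {
		return ProjectRef{}, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return ProjectRef{}, fmt.Errorf("expected an https GitLab URL, got %q", repoURL)
	}
	path := strings.Trim(u.Path, "/")
	if i := strings.Index(path, "/-/"); i >= 0 {
		path = path[:i]
	}
	path = strings.TrimSuffix(path, ".git")
	parts := strings.Split(path, "/")
	if len(parts) < 2 {
		return ProjectRef{}, fmt.Errorf("%q is a group, not a project", repoURL)
	}
	for _, p := range parts {
		if p == "" || p == "." || p == ".." {
			return ProjectRef{}, fmt.Errorf("invalid path segment in %q", repoURL)
		}
	}
	full := strings.Join(parts, "/")
	// url.PathEscape turns "/" into "%2F", which is exactly what GitLab expects.
	api := fmt.Sprintf("%s://%s/api/v4/projects/%s", u.Scheme, u.Host, url.PathEscape(full))
	return ProjectRef{FullPath: full, APIURL: api}, nil
}

// NewProjectRequest prepares (but does not send) the project lookup, carrying
// the token in the PRIVATE-TOKEN header rather than the query string.
func NewProjectRequest(ref ProjectRef, token string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, ref.APIURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("PRIVATE-TOKEN", token)
	return req, nil
}

func main() {
	repo := "https://gitlab.com/foo/security/dummy-repo" // URL from the thread
	bad, _ := ownerRepoAPIURL(repo)
	fmt.Println("owner/repo split:", bad) // the group URL that returned 404
	ref, err := ParseGitLabProject(repo)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("full-path lookup:", ref.APIURL)
}
```

Whatever the parser does, the caller should treat a failed fetch as fatal rather than carry on with an empty client object; the panic in the trace (nil pointer dereference right after "ERR error in fetching repository data") is the symptom of continuing past that error.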

jwillker commented 1 year ago

This is still happening with the latest version (0.1.6):

I'm using GitLab self-hosted (14.4)

2022-11-02 20:05:24 INF 🚩   Fetch Starting
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xbd96b9]

goroutine 1 [running]:
github.com/aquasecurity/chain-bench/internal/scm-clients/clients.FetchClientData({0x7ffc26583f06, 0x14}, {0x7ffc26583eb7?, 0x1?}, {0x0, 0x0})
    /home/runner/work/chain-bench/chain-bench/internal/scm-clients/clients/clients.go:35 +0xb9
github.com/aquasecurity/chain-bench/internal/commands.NewScanCommand.func1(0xc00028ca00?, {0xe3962a?, 0x9?, 0x9?})
    /home/runner/work/chain-bench/chain-bench/internal/commands/scan.go:22 +0xcc
github.com/spf13/cobra.(*Command).execute(0xc00028ca00, {0xc0001a0d80, 0x9, 0x9})
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0xc00028c780)
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:990 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:918
github.com/aquasecurity/chain-bench/internal/commands.Execute({0xf93cc8?, 0xc0000021a0?})
    /home/runner/work/chain-bench/chain-bench/internal/commands/root.go:21 +0x32
main.main()
    /home/runner/work/chain-bench/chain-bench/cmd/chain-bench/main.go:12 +0x27