Closed stasguy closed 4 years ago
Could you tell me which module(s) you're trying to run? I am trying to understand what tries to reach out via ssh to better triage the issue.
I think this is what CircleCI runs in the checkout step, and thank you for your prompt response!
```sh
#!/bin/sh
set -e

# check https://github.com/docker/docker/issues/2968 for details
if [ "${HOME}" = "/" ]
then
  export HOME=$(getent passwd $(id -un) | cut -d: -f6)
fi

mkdir -p ~/.ssh

echo 'github.com ssh-rsa *****************
bitbucket.org ssh-rsa **********
' >> ~/.ssh/known_hosts

(umask 077; touch ~/.ssh/id_rsa)
chmod 0600 ~/.ssh/id_rsa
(cat <<EOF > ~/.ssh/id_rsa
$CHECKOUT_KEY
EOF
)

# use git+ssh instead of https
git config --global url."ssh://git@bitbucket.org".insteadOf "https://bitbucket.org" || true
git config --global gc.auto 0 || true

if [ -e /home/circleci/project/.git ]
then
  cd /home/circleci/project
  git remote set-url origin "$CIRCLE_REPOSITORY_URL" || true
else
  mkdir -p /home/circleci/project
  cd /home/circleci/project
  git clone "$CIRCLE_REPOSITORY_URL" .
fi

if [ -n "$CIRCLE_TAG" ]
then
  git fetch --force origin "refs/tags/${CIRCLE_TAG}"
else
  git fetch --force origin "demo:remotes/origin/demo"
fi

if [ -n "$CIRCLE_TAG" ]
then
  git reset --hard "$CIRCLE_SHA1"
  git checkout -q "$CIRCLE_TAG"
elif [ -n "$CIRCLE_BRANCH" ]
then
  git reset --hard "$CIRCLE_SHA1"
  git checkout -q -B "$CIRCLE_BRANCH"
fi

git reset --hard "$CIRCLE_SHA1"
```
```
Cloning into '.'...
Warning: Permanently added the RSA host key for IP address '*.*.*.*' to the list of known hosts.
remote: Counting objects: *, done.
remote: Compressing objects: 100% (*/*), done.
Receiving objects: 100% (*/*), *.* MiB | 14.93 MiB/s, done.
remote: Total * (delta *), reused * (delta *)
Resolving deltas: 100% (*/*), done.
Warning: Permanently added the RSA host key for IP address '*.*.*.*' to the list of known hosts.
HEAD is now at * Merged in master (pull request #*)
HEAD is now at * Merged in master (pull request #*)
```
I still don't get it. Are you using hawkeye as your CI agent? It seems like you are running stuff inside the image, using the image's tooling. That is not what it was built for. The way the scanner is intended to be used is to scan a project on a host, where you mount the project into the Docker container and run the container's script. The container itself is a throwaway. The scanner was never intended to be the host. The reduction in image size happened because we threw out all the unnecessary GNU tools that make up a CentOS and installed the bare minimum...
But then again, I probably don't understand the basics of what is going on here ;)
@stasguy You can try to define two images for CircleCI: a first base image built for CircleCI (like CentOS) and Hawkeye as the second one. I guess this should work. As far as I know, this is the way to go when one wants to use a Docker image that wasn't built for CircleCI.
Can you try this setup?
```yaml
hawkeyesec:
  docker:
    - image: cimg/base:2020.02
    - image: hawkeyesec/scanner-cli:latest
  # ... the rest
```
The first image will probably be always cached, so it won't add much to the execution time if you worry about this.
Closing the issue, since this is not the use case the Docker image was built for.
Issue Template
Description
When using the newest image in CircleCI, the following error is displayed when trying to check out code:
Either git or ssh (required by git to clone through SSH) is not installed in the image. Falling back to CircleCI's native git client but the behavior may be different from official git. If this is an issue, please use an image that has official git and ssh installed. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
I'm not sure why, but with certain builds CircleCI is able to proceed anyways:
Either git or ssh (required by git to clone through SSH) is not installed in the image. Falling back to CircleCI's native git client but the behavior may be different from official git. If this is an issue, please use an image that has official git and ssh installed.
Steps to Reproduce
Run circle ci configuration with hawkeyesec build step, i.e.: `hawkeyesec: docker:
Expected behavior: repository is checked out and scanned
Actual behavior: repository is not checked out
Version
latest
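An added example, not part of the thread and not CircleCI's or hawkeye's code: a POSIX sh preflight that reports which of the commands used by the checkout script quoted in this issue are absent from an image's search path, the condition behind the "Either git or ssh ... is not installed in the image" message. The function names and the tool list are assumptions taken from the script as posted.

```shell
# Added example. Commands the posted checkout script calls (ssh is used by git).
CHECKOUT_TOOLS="git ssh getent id cut mkdir touch chmod cat"

# missing_tools DIRS TOOL...
# Print each TOOL that is not an executable regular file in any of the
# colon-separated DIRS (same layout as $PATH). Symlinks are followed, so
# busybox-style links count as present.
missing_tools() {
    search_path=$1
    shift
    for tool in "$@"; do
        found=no
        old_ifs=$IFS
        IFS=:
        for dir in $search_path; do
            # An empty PATH component means the current directory.
            if [ -f "${dir:-.}/$tool" ] && [ -x "${dir:-.}/$tool" ]; then
                found=yes
                break
            fi
        done
        IFS=$old_ifs
        [ "$found" = yes ] || printf '%s\n' "$tool"
    done
}

# checkout_preflight [DIRS]
# Return 1 and name the gaps on stderr when the checkout tooling is incomplete.
# DIRS defaults to the current $PATH.
checkout_preflight() {
    missing=$(missing_tools "${1:-$PATH}" $CHECKOUT_TOOLS)
    if [ -n "$missing" ]; then
        echo "missing from image: $(echo $missing)" >&2
        return 1
    fi
}

# Usage inside a candidate primary container:
#   checkout_preflight || echo "not usable as the CircleCI primary image"
```

Run inside the image, this shows before a pipeline run whether it can serve as the primary container or should be listed second, as suggested in the thread.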