Gitlab CI SAST access to gl-sast-report.json artifact in subsequent stage

Tags:

gitlab

I am wanting to use the gl-sast-report.json file created during the SAST process in a subsequent stage of my CI but it is not found.

ci.yml

include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - test
  - .post
sast:
  rules:
    - if: $CI_COMMIT_TAG

send-reports:
  stage: .post
  dependencies: 
    - sast
  script: 
    - ls
    - echo "in post stage"
    - cat gl-sast-report.json

output:

Running with gitlab-runner 13.2.1 (efa30e33)
on blah blah blah
Preparing the "docker" executor
00:01
.
.
.

Preparing environment
00:01
Running on runner-zqk9bcef-project-4296-concurrent-0 via ff93ba7b6ee2...
Getting source from Git repository
00:01
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in blah blah
Checking out 9c2edf67 as 39-test-dso...
Removing gl-sast-report.json
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:03
$ ls
<stuff in the repo>
$ echo "in .post stage"
in post stage
$ cat gl-sast-report.json
cat: can't open 'gl-sast-report.json': No such file or directory
ERROR: Job failed: exit code 1

You can see the line Removing gl-sast-report.json which I assume is the issue.

I don't see that anywhere in the SAST.gitlab-ci.yml at https://gitlab.com/gitlab-org/gitlab/-/blob/v11.11.0-rc2-ee/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L33-45

Any ideas on how to use this artifact in the next stage of my CI pipeline?

UPDATE:

So I tried out k33g_org's suggestion below but to no avail. Seems that this is due to limitations in the sast template specifically. Did the following test.

include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - test
  - upload

something:
  stage: test
  script:
      - echo "in something"
      - echo "this is something" > something.txt
  artifacts:
      paths: [something.txt]

sast:
  before_script:
      - echo "hello from before sast"
      - echo "this is in the file" > test.txt
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths: [gl-sast-report.json, test.txt]

send-reports:
  stage: upload
  dependencies:
    - sast
    - something
  before_script:
      - echo "This is the send-reports before_script"
  script:
    - echo "in send-reports job"
    - ls
  artifacts:
      reports:
          sast: gl-sast-report.json

Three changes:

  1. Updated code with k33g_org's suggestion
  2. Created another artifact in the sast job (to see if it would pass through to send-reports job)
  3. Created a new job (something) where I created a new something.txt artifact (to see if it would pass through to send-reports job)

Output:

Preparing environment
00:01
Running on runner-zqx7qoq-project-4296-concurrent-0 via e3fe672984b4...
Getting source from Git repository
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /<repo>
Checking out 26501c44 as <branch_name>...
Removing something.txt
Skipping Git submodules setup
Downloading artifacts
00:00
Downloading artifacts for something (64950)...
Downloading artifacts from coordinator... ok        id=64950 responseStatus=200 OK token=zoJwysdq
Executing "step_script" stage of the job script
00:01
$ echo "This is the send-reports before_script"
This is the send-reports before_script
$ echo "in send-reports job"
in send-reports job
$ ls
...<other stuff in repo>
something.txt
Uploading artifacts for successful job
00:01
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files    
ERROR: No files to upload                          
Cleaning up file based variables
00:01
Job succeeded

Notes:

  • something.txt made it to this job
  • all artifacts from the sast job do not make it to subsequent jobs

I can only conclude that there is something internal to the sast template that is not allowing artifacts to propagate to subsequent jobs.

Archie Archbold asked Oct 06 '20 19:10
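Once the report does reach the later job, the usual reason for wanting it there is to inspect it or gate the pipeline on it. The following is an added example, not code from the question, the answers or GitLab's SAST template: a small Python script a send-reports style job could run in place of the plain cat. It assumes the report's top-level vulnerabilities list with per-finding severity, name and location fields (the shape of GitLab's security report format); the sample report embedded in it is constructed, and the severity threshold and exit codes are choices made for this example. It treats the missing-file case from the question's log as its own distinct result rather than an opaque "exit code 1".

```python
"""Consume a GitLab SAST report (gl-sast-report.json) in a later pipeline stage.

Added example, not code from the question or the GitLab SAST template. Assumes
the report has a top-level "vulnerabilities" list whose entries carry
"severity", "name" and "location" fields (GitLab security report format). The
threshold, exit codes and sample report below are choices for this example.
"""
import json
import os
from collections import Counter

# Most to least severe; anything outside this list is folded into "Unknown".
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]


def load_report(path):
    """Return the parsed report, or None when the artifact did not reach the job.

    The question's job died on `cat: can't open 'gl-sast-report.json'`; here the
    missing-artifact case is reported explicitly instead of as a generic failure.
    """
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def count_by_severity(report):
    """Count findings per severity label, normalising case and unknown labels."""
    counts = Counter()
    for finding in report.get("vulnerabilities", []):
        sev = str(finding.get("severity", "Unknown")).capitalize()
        counts[sev if sev in SEVERITY_ORDER else "Unknown"] += 1
    return counts


def gate(report, fail_at="High"):
    """Return (ok, summary); ok is False if any finding is at or above fail_at."""
    counts = count_by_severity(report)
    blocking_levels = SEVERITY_ORDER[: SEVERITY_ORDER.index(fail_at) + 1]
    blocking = sum(counts[s] for s in blocking_levels)
    summary = ", ".join(f"{s}={counts[s]}" for s in SEVERITY_ORDER if counts[s])
    return blocking == 0, summary or "no findings"


def check_report(path, fail_at="High"):
    """Exit-code style result for a CI script.

    0: no findings at or above the threshold
    1: findings at or above the threshold
    2: report missing (artifact not propagated, the situation in the question)
    """
    report = load_report(path)
    if report is None:
        return 2, f"{path} not found: upstream artifact did not reach this job"
    ok, summary = gate(report, fail_at)
    return (0 if ok else 1), summary


# Constructed sample report in the shape GitLab analyzers write (values invented).
SAMPLE_REPORT = {
    "version": "14.0.0",
    "vulnerabilities": [
        {"name": "Hardcoded credential", "severity": "High",
         "location": {"file": "app/settings.py", "start_line": 12}},
        {"name": "Use of weak hash", "severity": "Medium",
         "location": {"file": "app/auth.py", "start_line": 40}},
        {"name": "Debug flag enabled", "severity": "low",
         "location": {"file": "app/main.py", "start_line": 3}},
    ],
}

if __name__ == "__main__":
    import sys
    import tempfile

    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        # No path given: write the constructed sample to a temp file and check it.
        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
            json.dump(SAMPLE_REPORT, fh)
            path = fh.name
    code, message = check_report(path)
    print(f"[{code}] {message}")
    sys.exit(code)
```

Run as `python check_sast_report.py gl-sast-report.json` from the job's script section; the three exit codes let a pipeline tell "the artifact never arrived" apart from "findings above the threshold", which a bare cat cannot.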


2 Answers

In the first job (sast) add this:

  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json

and in the next job (send-reports) add this:

  artifacts:
    reports:
      sast: gl-sast-report.json

Then you should be able to access the report in the next job (send-reports).

k33g_org answered Sep 23 '22 08:09


Instead of referencing the gl-sast-report.json artifact as a sast report, reference it as a regular artifact.

So what you should do is declare the artifact this way:

artifacts:
  paths:
    - 'gl-sast-report.json'

instead of

reports:
  sast: gl-sast-report.json

Cynthia Baran answered Sep 25 '22 08:09