Skip to content
Snippets Groups Projects

dependency_scanning

Passed Started by
Jose Ivan Vargas Lopez
@jivanvl
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 12.7.1 (003fe500)
2 on docker-auto-scale fa6cab46
3 Using Docker executor with image docker:stable ... 01:43
4Starting service docker:stable-dind ...
5Pulling docker image docker:stable-dind ...
6Using docker image sha256:a33335bfe8302f4d8a7688bc1fa539f2aba787ec724119be53adc4681702a3e7 for docker:stable-dind ...
7Waiting for services to be up and running...
8*** WARNING: Service runner-fa6cab46-project-4422333-concurrent-0-docker-0 probably didn't start properly.
9Health check error:
10service "runner-fa6cab46-project-4422333-concurrent-0-docker-0-wait-for-service" timeout
11Health check container logs:
12Service container logs:
132020-02-18T18:58:13.205391641Z time="2020-02-18T18:58:13.197777406Z" level=info msg="Starting up"
142020-02-18T18:58:13.205445223Z time="2020-02-18T18:58:13.198982077Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
152020-02-18T18:58:13.205450495Z time="2020-02-18T18:58:13.199168576Z" level=warning msg="[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]"
162020-02-18T18:58:13.205454009Z time="2020-02-18T18:58:13.200003640Z" level=info msg="libcontainerd: started new containerd process" pid=18
172020-02-18T18:58:13.205457464Z time="2020-02-18T18:58:13.200040470Z" level=info msg="parsed scheme: \"unix\"" module=grpc
182020-02-18T18:58:13.205460973Z time="2020-02-18T18:58:13.200048455Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
192020-02-18T18:58:13.205464388Z time="2020-02-18T18:58:13.200072393Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
202020-02-18T18:58:13.205468444Z time="2020-02-18T18:58:13.200083227Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
212020-02-18T18:58:13.288062491Z time="2020-02-18T18:58:13.255971206Z" level=info msg="starting containerd" revision=35bd7a5f69c13e1563af8a93431411cd9ecf5021 version=v1.2.12
222020-02-18T18:58:13.288087225Z time="2020-02-18T18:58:13.256291782Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." type=io.containerd.content.v1
232020-02-18T18:58:13.288091796Z time="2020-02-18T18:58:13.256364246Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." type=io.containerd.snapshotter.v1
242020-02-18T18:58:13.288095982Z time="2020-02-18T18:58:13.256544403Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.btrfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
252020-02-18T18:58:13.288102064Z time="2020-02-18T18:58:13.256556196Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.aufs"..." type=io.containerd.snapshotter.v1
262020-02-18T18:58:13.288105726Z time="2020-02-18T18:58:13.263467244Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.aufs" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
272020-02-18T18:58:13.288109986Z time="2020-02-18T18:58:13.263487435Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.native"..." type=io.containerd.snapshotter.v1
282020-02-18T18:58:13.288113549Z time="2020-02-18T18:58:13.263584692Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.overlayfs"..." type=io.containerd.snapshotter.v1
292020-02-18T18:58:13.288116825Z time="2020-02-18T18:58:13.263717955Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1
302020-02-18T18:58:13.288120154Z time="2020-02-18T18:58:13.263961609Z" level=info msg="skip loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1
312020-02-18T18:58:13.288123448Z time="2020-02-18T18:58:13.263971909Z" level=info msg="loading plugin "io.containerd.metadata.v1.bolt"..." type=io.containerd.metadata.v1
322020-02-18T18:58:13.288139143Z time="2020-02-18T18:58:13.264019334Z" level=warning msg="could not use snapshotter btrfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
332020-02-18T18:58:13.288143180Z time="2020-02-18T18:58:13.264026560Z" level=warning msg="could not use snapshotter aufs in metadata plugin" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
342020-02-18T18:58:13.288147201Z time="2020-02-18T18:58:13.264033888Z" level=warning msg="could not use snapshotter zfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter: skip plugin"
352020-02-18T18:58:13.288150823Z time="2020-02-18T18:58:13.271470320Z" level=info msg="loading plugin "io.containerd.differ.v1.walking"..." type=io.containerd.differ.v1
362020-02-18T18:58:13.288154088Z time="2020-02-18T18:58:13.271505178Z" level=info msg="loading plugin "io.containerd.gc.v1.scheduler"..." type=io.containerd.gc.v1
372020-02-18T18:58:13.288157274Z time="2020-02-18T18:58:13.271538312Z" level=info msg="loading plugin "io.containerd.service.v1.containers-service"..." type=io.containerd.service.v1
382020-02-18T18:58:13.288160698Z time="2020-02-18T18:58:13.271550956Z" level=info msg="loading plugin "io.containerd.service.v1.content-service"..." type=io.containerd.service.v1
392020-02-18T18:58:13.288164085Z time="2020-02-18T18:58:13.271569526Z" level=info msg="loading plugin "io.containerd.service.v1.diff-service"..." type=io.containerd.service.v1
402020-02-18T18:58:13.288167388Z time="2020-02-18T18:58:13.271580647Z" level=info msg="loading plugin "io.containerd.service.v1.images-service"..." type=io.containerd.service.v1
412020-02-18T18:58:13.288170648Z time="2020-02-18T18:58:13.271594044Z" level=info msg="loading plugin "io.containerd.service.v1.leases-service"..." type=io.containerd.service.v1
422020-02-18T18:58:13.288173931Z time="2020-02-18T18:58:13.271605093Z" level=info msg="loading plugin "io.containerd.service.v1.namespaces-service"..." type=io.containerd.service.v1
432020-02-18T18:58:13.288177164Z time="2020-02-18T18:58:13.271616213Z" level=info msg="loading plugin "io.containerd.service.v1.snapshots-service"..." type=io.containerd.service.v1
442020-02-18T18:58:13.288180444Z time="2020-02-18T18:58:13.271628889Z" level=info msg="loading plugin "io.containerd.runtime.v1.linux"..." type=io.containerd.runtime.v1
452020-02-18T18:58:13.288184081Z time="2020-02-18T18:58:13.271874505Z" level=info msg="loading plugin "io.containerd.runtime.v2.task"..." type=io.containerd.runtime.v2
462020-02-18T18:58:13.288187435Z time="2020-02-18T18:58:13.271980033Z" level=info msg="loading plugin "io.containerd.monitor.v1.cgroups"..." type=io.containerd.monitor.v1
472020-02-18T18:58:13.288190645Z time="2020-02-18T18:58:13.272305435Z" level=info msg="loading plugin "io.containerd.service.v1.tasks-service"..." type=io.containerd.service.v1
482020-02-18T18:58:13.288193893Z time="2020-02-18T18:58:13.272330816Z" level=info msg="loading plugin "io.containerd.internal.v1.restart"..." type=io.containerd.internal.v1
492020-02-18T18:58:13.288200690Z time="2020-02-18T18:58:13.272371059Z" level=info msg="loading plugin "io.containerd.grpc.v1.containers"..." type=io.containerd.grpc.v1
502020-02-18T18:58:13.288204077Z time="2020-02-18T18:58:13.272385295Z" level=info msg="loading plugin "io.containerd.grpc.v1.content"..." type=io.containerd.grpc.v1
512020-02-18T18:58:13.288207255Z time="2020-02-18T18:58:13.272395602Z" level=info msg="loading plugin "io.containerd.grpc.v1.diff"..." type=io.containerd.grpc.v1
522020-02-18T18:58:13.288210451Z time="2020-02-18T18:58:13.272404889Z" level=info msg="loading plugin "io.containerd.grpc.v1.events"..." type=io.containerd.grpc.v1
532020-02-18T18:58:13.288213669Z time="2020-02-18T18:58:13.272414739Z" level=info msg="loading plugin "io.containerd.grpc.v1.healthcheck"..." type=io.containerd.grpc.v1
542020-02-18T18:58:13.288216900Z time="2020-02-18T18:58:13.272424776Z" level=info msg="loading plugin "io.containerd.grpc.v1.images"..." type=io.containerd.grpc.v1
552020-02-18T18:58:13.288220171Z time="2020-02-18T18:58:13.272434271Z" level=info msg="loading plugin "io.containerd.grpc.v1.leases"..." type=io.containerd.grpc.v1
562020-02-18T18:58:13.288223682Z time="2020-02-18T18:58:13.272443878Z" level=info msg="loading plugin "io.containerd.grpc.v1.namespaces"..." type=io.containerd.grpc.v1
572020-02-18T18:58:13.288226931Z time="2020-02-18T18:58:13.272459313Z" level=info msg="loading plugin "io.containerd.internal.v1.opt"..." type=io.containerd.internal.v1
582020-02-18T18:58:13.288230188Z time="2020-02-18T18:58:13.272702330Z" level=info msg="loading plugin "io.containerd.grpc.v1.snapshots"..." type=io.containerd.grpc.v1
592020-02-18T18:58:13.288233448Z time="2020-02-18T18:58:13.272718686Z" level=info msg="loading plugin "io.containerd.grpc.v1.tasks"..." type=io.containerd.grpc.v1
602020-02-18T18:58:13.288236984Z time="2020-02-18T18:58:13.272730344Z" level=info msg="loading plugin "io.containerd.grpc.v1.version"..." type=io.containerd.grpc.v1
612020-02-18T18:58:13.288241648Z time="2020-02-18T18:58:13.272739520Z" level=info msg="loading plugin "io.containerd.grpc.v1.introspection"..." type=io.containerd.grpc.v1
622020-02-18T18:58:13.288246477Z time="2020-02-18T18:58:13.272993263Z" level=info msg=serving... address="/var/run/docker/containerd/containerd-debug.sock"
632020-02-18T18:58:13.288249818Z time="2020-02-18T18:58:13.273053053Z" level=info msg=serving... address="/var/run/docker/containerd/containerd.sock"
642020-02-18T18:58:13.288252987Z time="2020-02-18T18:58:13.273062230Z" level=info msg="containerd successfully booted in 0.017716s"
652020-02-18T18:58:13.303863249Z time="2020-02-18T18:58:13.297146209Z" level=info msg="Setting the storage driver from the $DOCKER_DRIVER environment variable (overlay2)"
662020-02-18T18:58:13.303880330Z time="2020-02-18T18:58:13.297350364Z" level=info msg="parsed scheme: \"unix\"" module=grpc
672020-02-18T18:58:13.303886576Z time="2020-02-18T18:58:13.297363065Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
682020-02-18T18:58:13.303890422Z time="2020-02-18T18:58:13.297379224Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
692020-02-18T18:58:13.303900601Z time="2020-02-18T18:58:13.297389078Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
702020-02-18T18:58:13.326393886Z time="2020-02-18T18:58:13.326294173Z" level=info msg="parsed scheme: \"unix\"" module=grpc
712020-02-18T18:58:13.326499257Z time="2020-02-18T18:58:13.326454790Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
722020-02-18T18:58:13.326588821Z time="2020-02-18T18:58:13.326532336Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
732020-02-18T18:58:13.327578523Z time="2020-02-18T18:58:13.327470055Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
742020-02-18T18:58:13.374647585Z time="2020-02-18T18:58:13.373032691Z" level=info msg="Loading containers: start."
752020-02-18T18:58:13.406079274Z time="2020-02-18T18:58:13.405951374Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: ip: can't find device 'bridge'\nbridge 167936 1 br_netfilter\nstp 16384 1 bridge\nllc 16384 2 bridge,stp\nip: can't find device 'br_netfilter'\nbr_netfilter 24576 0 \nbridge 167936 1 br_netfilter\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n, error: exit status 1"
762020-02-18T18:58:13.499984025Z time="2020-02-18T18:58:13.498477066Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.18.0.0/16. Daemon option --bip can be used to set a preferred IP address"
772020-02-18T18:58:13.552911252Z time="2020-02-18T18:58:13.552185681Z" level=info msg="Loading containers: done."
782020-02-18T18:58:13.578281633Z time="2020-02-18T18:58:13.577443960Z" level=info msg="Docker daemon" commit=369ce74a3c graphdriver(s)=overlay2 version=19.03.6
792020-02-18T18:58:13.578301407Z time="2020-02-18T18:58:13.577609786Z" level=info msg="Daemon has completed initialization"
802020-02-18T18:58:13.628322342Z time="2020-02-18T18:58:13.627996656Z" level=info msg="API listen on [::]:2375"
812020-02-18T18:58:13.628361586Z time="2020-02-18T18:58:13.628072433Z" level=info msg="API listen on /var/run/docker.sock"
82*********
83Pulling docker image docker:stable ...
84Using docker image sha256:6512892b576811235f68a6dcd5fbe10b387ac0ba3709aeaf80cd5cfcecb387c7 for docker:stable ...
85 Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1582052221-f1921739... 00:02
86 $ eval "$CI_PRE_CLONE_SCRIPT" 00:01
87Fetching changes with git depth set to 50...
88Initialized empty Git repository in /builds/gitlab-org/monitor/monitor-sandbox/.git/
89Created fresh repository.
90From https://staging.gitlab.com/gitlab-org/monitor/monitor-sandbox
91 * [new ref] refs/pipelines/12714911 -> refs/pipelines/12714911
92 * [new branch] master -> origin/master
93Checking out 30121b59 as master...
94Skipping Git submodules setup
95 $ export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')} 00:39
96$ if ! docker info &>/dev/null; then # collapsed multi-line command
97$ function propagate_env_vars() { # collapsed multi-line command
98$ docker run \ # collapsed multi-line command
99Unable to find image 'registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-7-stable' locally
10012-7-stable: Pulling from gitlab-org/security-products/dependency-scanning
101ce82f9486b57: Pulling fs layer
102ce82f9486b57: Verifying Checksum
103ce82f9486b57: Download complete
104ce82f9486b57: Pull complete
105Digest: sha256:29914ecaaa6a0387b7d0a679a6f5ee1cbe28211c3279cbdfaef6e1ace4b41516
106Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-7-stable
1072020/02/18 18:58:52 Copy project directory to containers
1082020/02/18 18:58:52 [bundler-audit] Detect project using plugin
1092020/02/18 18:58:52 [bundler-audit] Project not compatible
1102020/02/18 18:58:52 [retire.js] Detect project using plugin
1112020/02/18 18:58:52 [retire.js] Project is compatible
1122020/02/18 18:58:52 [retire.js] Downloading analyzer...
113..........................................................
1142020/02/18 18:59:03 [retire.js] Starting analyzer...
115Found project in /tmp/app
116Using python 3
117Installing dependencies...
118added 159 packages from 617 contributors and audited 303 packages in 6.142s
119found 8 vulnerabilities (1 low, 1 moderate, 6 high)
120 run `npm audit fix` to fix them, or `npm audit` for details
1212020/02/18 18:59:18 [gemnasium] Detect project using plugin
1222020/02/18 18:59:18 [gemnasium] Project is compatible
1232020/02/18 18:59:18 [gemnasium] Downloading analyzer...
124......................
1252020/02/18 18:59:24 [gemnasium] Starting analyzer...
126Found project in /tmp/app
127From https://gitlab.com/gitlab-org/security-products/gemnasium-db
128 * branch master -> FETCH_HEAD
129 c037ca11..92fb57d9 master -> origin/master
130HEAD is now at 92fb57d9 Merge branch 'julian/contribution-guidelines' into 'master'
1312020/02/18 18:59:28 Cannot auto-remediate dependency file, not supported: package-lock.json
1322020/02/18 18:59:29 [gemnasium-maven] Detect project using plugin
1332020/02/18 18:59:29 [gemnasium-maven] Project not compatible
1342020/02/18 18:59:29 [gemnasium-python] Detect project using plugin
1352020/02/18 18:59:29 [gemnasium-python] Project not compatible
136+----------------------------------------------------------------------------------------+
137| Severity | Tool | Identifier |
138+----------------------------------------------------------------------------------------+
139| Medium | Retire.js | |
140| |
141| Code Injection in morgan |
142| In package.json |
143+----------------------------------------------------------------------------------------+
144| Low | Retire.js | |
145| |
146| Prototype pollution attack in lodash |
147| In package.json |
148+----------------------------------------------------------------------------------------+
149| Unknown | Gemnasium | CVE-2019-1010266 |
150| |
151| Uncontrolled Resource Consumption in lodash |
152| Solution: Upgrade to version 4.17.11 or above. |
153| In package-lock.json |
154+----------------------------------------------------------------------------------------+
155| Unknown | Gemnasium | CVE-2019-10744 |
156| |
157| Improper Input Validation in lodash |
158| Solution: Upgrade to version 4.17.12 or above. |
159| In package-lock.json |
160+----------------------------------------------------------------------------------------+
161| Unknown | Gemnasium | CVE-2018-16487 |
162| |
163| Uncontrolled Resource Consumption in lodash |
164| Solution: Upgrade to version 4.17.11 or above. |
165| In package-lock.json |
166+----------------------------------------------------------------------------------------+
167| Unknown | Gemnasium | CVE-2019-5413 |
168| |
169| Command Injection in morgan |
170| Solution: Upgrade to version 1.9.1 or above. |
171| In package-lock.json |
172+----------------------------------------------------------------------------------------+
173 Uploading artifacts... 00:02
174gl-dependency-scanning-report.json: found 1 matching files
175Uploading artifacts to coordinator... ok id=37088670 responseStatus=201 Created token=4Bw5bm1s
176Job succeeded