Skip to content
Snippets Groups Projects

dependency_scanning

Passed Started by
Andrei Stoicescu
@astoicescu
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 12.9.0-rc1 (a350f628)
2 on docker-auto-scale fa6cab46
3 Preparing the "docker+machine" executor 01:45
4Using Docker executor with image docker:stable ...
5Starting service docker:stable-dind ...
6Pulling docker image docker:stable-dind ...
7Using docker image sha256:fe98abf5dda7ec569bc4821f20ceca66945e67882fe32f960fb8b8f179af0e42 for docker:stable-dind ...
8Waiting for services to be up and running...
9*** WARNING: Service runner-fa6cab46-project-4422333-concurrent-0-docker-0 probably didn't start properly.
10Health check error:
11service "runner-fa6cab46-project-4422333-concurrent-0-docker-0-wait-for-service" timeout
12Health check container logs:
13Service container logs:
142020-03-20T10:26:45.129162909Z time="2020-03-20T10:26:45.100470992Z" level=info msg="Starting up"
152020-03-20T10:26:45.129228110Z time="2020-03-20T10:26:45.101630208Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
162020-03-20T10:26:45.129233492Z time="2020-03-20T10:26:45.101808369Z" level=warning msg="[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]"
172020-03-20T10:26:45.129237528Z time="2020-03-20T10:26:45.102670148Z" level=info msg="libcontainerd: started new containerd process" pid=18
182020-03-20T10:26:45.129241151Z time="2020-03-20T10:26:45.102705887Z" level=info msg="parsed scheme: \"unix\"" module=grpc
192020-03-20T10:26:45.129245025Z time="2020-03-20T10:26:45.102713612Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
202020-03-20T10:26:45.129248772Z time="2020-03-20T10:26:45.102736311Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
212020-03-20T10:26:45.129253211Z time="2020-03-20T10:26:45.102747185Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
222020-03-20T10:26:45.148092209Z time="2020-03-20T10:26:45.139536834Z" level=info msg="starting containerd" revision=7ad184331fa3e55e52b890ea95e65ba581ae3429 version=v1.2.13
232020-03-20T10:26:45.148125759Z time="2020-03-20T10:26:45.139863658Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." type=io.containerd.content.v1
242020-03-20T10:26:45.148130785Z time="2020-03-20T10:26:45.139939945Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." type=io.containerd.snapshotter.v1
252020-03-20T10:26:45.148136476Z time="2020-03-20T10:26:45.140289820Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.btrfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
262020-03-20T10:26:45.148145377Z time="2020-03-20T10:26:45.140306888Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.aufs"..." type=io.containerd.snapshotter.v1
272020-03-20T10:26:45.158291504Z time="2020-03-20T10:26:45.156701095Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.aufs" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
282020-03-20T10:26:45.199070483Z time="2020-03-20T10:26:45.156726401Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.native"..." type=io.containerd.snapshotter.v1
292020-03-20T10:26:45.200082946Z time="2020-03-20T10:26:45.156844571Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.overlayfs"..." type=io.containerd.snapshotter.v1
302020-03-20T10:26:45.200097560Z time="2020-03-20T10:26:45.157016721Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1
312020-03-20T10:26:45.200102099Z time="2020-03-20T10:26:45.157246411Z" level=info msg="skip loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1
322020-03-20T10:26:45.200105927Z time="2020-03-20T10:26:45.157254777Z" level=info msg="loading plugin "io.containerd.metadata.v1.bolt"..." type=io.containerd.metadata.v1
332020-03-20T10:26:45.200118591Z time="2020-03-20T10:26:45.157292582Z" level=warning msg="could not use snapshotter btrfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
342020-03-20T10:26:45.200130997Z time="2020-03-20T10:26:45.157299744Z" level=warning msg="could not use snapshotter aufs in metadata plugin" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
352020-03-20T10:26:45.200135656Z time="2020-03-20T10:26:45.157306547Z" level=warning msg="could not use snapshotter zfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter: skip plugin"
362020-03-20T10:26:45.208052560Z time="2020-03-20T10:26:45.203801160Z" level=info msg="loading plugin "io.containerd.differ.v1.walking"..." type=io.containerd.differ.v1
372020-03-20T10:26:45.208073371Z time="2020-03-20T10:26:45.203836155Z" level=info msg="loading plugin "io.containerd.gc.v1.scheduler"..." type=io.containerd.gc.v1
382020-03-20T10:26:45.208078016Z time="2020-03-20T10:26:45.203875918Z" level=info msg="loading plugin "io.containerd.service.v1.containers-service"..." type=io.containerd.service.v1
392020-03-20T10:26:45.208082081Z time="2020-03-20T10:26:45.203888372Z" level=info msg="loading plugin "io.containerd.service.v1.content-service"..." type=io.containerd.service.v1
402020-03-20T10:26:45.208085969Z time="2020-03-20T10:26:45.203898901Z" level=info msg="loading plugin "io.containerd.service.v1.diff-service"..." type=io.containerd.service.v1
412020-03-20T10:26:45.208090115Z time="2020-03-20T10:26:45.203910638Z" level=info msg="loading plugin "io.containerd.service.v1.images-service"..." type=io.containerd.service.v1
422020-03-20T10:26:45.208093814Z time="2020-03-20T10:26:45.203932571Z" level=info msg="loading plugin "io.containerd.service.v1.leases-service"..." type=io.containerd.service.v1
432020-03-20T10:26:45.208097437Z time="2020-03-20T10:26:45.203943676Z" level=info msg="loading plugin "io.containerd.service.v1.namespaces-service"..." type=io.containerd.service.v1
442020-03-20T10:26:45.208100988Z time="2020-03-20T10:26:45.203969862Z" level=info msg="loading plugin "io.containerd.service.v1.snapshots-service"..." type=io.containerd.service.v1
452020-03-20T10:26:45.208104539Z time="2020-03-20T10:26:45.203982225Z" level=info msg="loading plugin "io.containerd.runtime.v1.linux"..." type=io.containerd.runtime.v1
462020-03-20T10:26:45.208108079Z time="2020-03-20T10:26:45.204239213Z" level=info msg="loading plugin "io.containerd.runtime.v2.task"..." type=io.containerd.runtime.v2
472020-03-20T10:26:45.208111610Z time="2020-03-20T10:26:45.204414105Z" level=info msg="loading plugin "io.containerd.monitor.v1.cgroups"..." type=io.containerd.monitor.v1
482020-03-20T10:26:45.208115465Z time="2020-03-20T10:26:45.204796375Z" level=info msg="loading plugin "io.containerd.service.v1.tasks-service"..." type=io.containerd.service.v1
492020-03-20T10:26:45.208119078Z time="2020-03-20T10:26:45.204823758Z" level=info msg="loading plugin "io.containerd.internal.v1.restart"..." type=io.containerd.internal.v1
502020-03-20T10:26:45.208134103Z time="2020-03-20T10:26:45.204880101Z" level=info msg="loading plugin "io.containerd.grpc.v1.containers"..." type=io.containerd.grpc.v1
512020-03-20T10:26:45.208138007Z time="2020-03-20T10:26:45.204892562Z" level=info msg="loading plugin "io.containerd.grpc.v1.content"..." type=io.containerd.grpc.v1
522020-03-20T10:26:45.208141516Z time="2020-03-20T10:26:45.204902804Z" level=info msg="loading plugin "io.containerd.grpc.v1.diff"..." type=io.containerd.grpc.v1
532020-03-20T10:26:45.208144986Z time="2020-03-20T10:26:45.204912165Z" level=info msg="loading plugin "io.containerd.grpc.v1.events"..." type=io.containerd.grpc.v1
542020-03-20T10:26:45.208148497Z time="2020-03-20T10:26:45.204932642Z" level=info msg="loading plugin "io.containerd.grpc.v1.healthcheck"..." type=io.containerd.grpc.v1
552020-03-20T10:26:45.208152060Z time="2020-03-20T10:26:45.204943029Z" level=info msg="loading plugin "io.containerd.grpc.v1.images"..." type=io.containerd.grpc.v1
562020-03-20T10:26:45.208155598Z time="2020-03-20T10:26:45.204973119Z" level=info msg="loading plugin "io.containerd.grpc.v1.leases"..." type=io.containerd.grpc.v1
572020-03-20T10:26:45.208159323Z time="2020-03-20T10:26:45.204983927Z" level=info msg="loading plugin "io.containerd.grpc.v1.namespaces"..." type=io.containerd.grpc.v1
582020-03-20T10:26:45.208162867Z time="2020-03-20T10:26:45.204993257Z" level=info msg="loading plugin "io.containerd.internal.v1.opt"..." type=io.containerd.internal.v1
592020-03-20T10:26:45.208166440Z time="2020-03-20T10:26:45.205301050Z" level=info msg="loading plugin "io.containerd.grpc.v1.snapshots"..." type=io.containerd.grpc.v1
602020-03-20T10:26:45.208171142Z time="2020-03-20T10:26:45.205317122Z" level=info msg="loading plugin "io.containerd.grpc.v1.tasks"..." type=io.containerd.grpc.v1
612020-03-20T10:26:45.208174628Z time="2020-03-20T10:26:45.205327835Z" level=info msg="loading plugin "io.containerd.grpc.v1.version"..." type=io.containerd.grpc.v1
622020-03-20T10:26:45.208178165Z time="2020-03-20T10:26:45.205339815Z" level=info msg="loading plugin "io.containerd.grpc.v1.introspection"..." type=io.containerd.grpc.v1
632020-03-20T10:26:45.208181729Z time="2020-03-20T10:26:45.205573035Z" level=info msg=serving... address="/var/run/docker/containerd/containerd-debug.sock"
642020-03-20T10:26:45.208185285Z time="2020-03-20T10:26:45.205654246Z" level=info msg=serving... address="/var/run/docker/containerd/containerd.sock"
652020-03-20T10:26:45.208188724Z time="2020-03-20T10:26:45.205664137Z" level=info msg="containerd successfully booted in 0.066738s"
662020-03-20T10:26:45.216653709Z time="2020-03-20T10:26:45.216283951Z" level=info msg="Setting the storage driver from the $DOCKER_DRIVER environment variable (overlay2)"
672020-03-20T10:26:45.216717112Z time="2020-03-20T10:26:45.216591456Z" level=info msg="parsed scheme: \"unix\"" module=grpc
682020-03-20T10:26:45.216801137Z time="2020-03-20T10:26:45.216740199Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
692020-03-20T10:26:45.216992280Z time="2020-03-20T10:26:45.216917095Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
702020-03-20T10:26:45.217128407Z time="2020-03-20T10:26:45.217028008Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
712020-03-20T10:26:45.241205285Z time="2020-03-20T10:26:45.237741236Z" level=info msg="parsed scheme: \"unix\"" module=grpc
722020-03-20T10:26:45.242467318Z time="2020-03-20T10:26:45.237857854Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
732020-03-20T10:26:45.242495322Z time="2020-03-20T10:26:45.237877277Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
742020-03-20T10:26:45.242500482Z time="2020-03-20T10:26:45.237887348Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
752020-03-20T10:26:45.285846848Z time="2020-03-20T10:26:45.285718467Z" level=info msg="Loading containers: start."
762020-03-20T10:26:45.325070877Z time="2020-03-20T10:26:45.324101949Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: ip: can't find device 'bridge'\nbridge 167936 1 br_netfilter\nstp 16384 1 bridge\nllc 16384 2 bridge,stp\nip: can't find device 'br_netfilter'\nbr_netfilter 24576 0 \nbridge 167936 1 br_netfilter\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n, error: exit status 1"
772020-03-20T10:26:45.423079306Z time="2020-03-20T10:26:45.421280831Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.18.0.0/16. Daemon option --bip can be used to set a preferred IP address"
782020-03-20T10:26:45.472078310Z time="2020-03-20T10:26:45.471908219Z" level=info msg="Loading containers: done."
792020-03-20T10:26:45.490714774Z time="2020-03-20T10:26:45.490327646Z" level=info msg="Docker daemon" commit=afacb8b7f0 graphdriver(s)=overlay2 version=19.03.8
802020-03-20T10:26:45.490734009Z time="2020-03-20T10:26:45.490479627Z" level=info msg="Daemon has completed initialization"
812020-03-20T10:26:45.559061797Z time="2020-03-20T10:26:45.558836687Z" level=info msg="API listen on [::]:2375"
822020-03-20T10:26:45.561044586Z time="2020-03-20T10:26:45.560114695Z" level=info msg="API listen on /var/run/docker.sock"
83*********
84Pulling docker image docker:stable ...
85Using docker image sha256:f39826ae385e029ae634eb6a81091da60dae2e6ee2a19342c2e05ed4c3cb9171 for docker:stable ...
86 Preparing environment 00:02
87Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1584699931-b578048b...
88 Getting source from Git repository 00:01
89$ eval "$CI_PRE_CLONE_SCRIPT"
90Fetching changes with git depth set to 50...
91Initialized empty Git repository in /builds/gitlab-org/monitor/monitor-sandbox/.git/
92Created fresh repository.
93From https://staging.gitlab.com/gitlab-org/monitor/monitor-sandbox
94 * [new ref] refs/pipelines/12726621 -> refs/pipelines/12726621
95 * [new branch] master -> origin/master
96Checking out 6bdc77e3 as master...
97Skipping Git submodules setup
98 Restoring cache 00:02
99 Downloading artifacts 00:01
100 Running script from Job 00:39
101$ export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
102$ if ! docker info &>/dev/null; then # collapsed multi-line command
103$ function propagate_env_vars() { # collapsed multi-line command
104$ docker run \ # collapsed multi-line command
105Unable to find image 'registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-9-stable' locally
10612-9-stable: Pulling from gitlab-org/security-products/dependency-scanning
107ce82f9486b57: Pulling fs layer
108ce82f9486b57: Verifying Checksum
109ce82f9486b57: Download complete
110ce82f9486b57: Pull complete
111Digest: sha256:29914ecaaa6a0387b7d0a679a6f5ee1cbe28211c3279cbdfaef6e1ace4b41516
112Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-9-stable
1132020/03/20 10:27:24 Copy project directory to containers
1142020/03/20 10:27:24 [bundler-audit] Detect project using plugin
1152020/03/20 10:27:24 [bundler-audit] Project not compatible
1162020/03/20 10:27:24 [retire.js] Detect project using plugin
1172020/03/20 10:27:24 [retire.js] Project is compatible
1182020/03/20 10:27:24 [retire.js] Downloading analyzer...
119............................................................
1202020/03/20 10:27:34 [retire.js] Starting analyzer...
121Found project in /tmp/app
122Using python 3
123Installing dependencies...
124added 159 packages from 617 contributors and audited 303 packages in 6.048s
125found 9 vulnerabilities (2 low, 1 moderate, 6 high)
126 run `npm audit fix` to fix them, or `npm audit` for details
1272020/03/20 10:27:49 [gemnasium] Detect project using plugin
1282020/03/20 10:27:49 [gemnasium] Project is compatible
1292020/03/20 10:27:49 [gemnasium] Downloading analyzer...
130.......................
1312020/03/20 10:27:55 [gemnasium] Starting analyzer...
132Found project in /tmp/app
133From https://gitlab.com/gitlab-org/security-products/gemnasium-db
134 * branch master -> FETCH_HEAD
135 1a032bd9..3593530c master -> origin/master
136HEAD is now at 3593530c Merge branch 'adbcurate/CVE-2019-19210.yml' into 'master'
1372020/03/20 10:27:59 Cannot auto-remediate dependency file, not supported: package-lock.json
1382020/03/20 10:28:00 [gemnasium-maven] Detect project using plugin
1392020/03/20 10:28:00 [gemnasium-maven] Project not compatible
1402020/03/20 10:28:00 [gemnasium-python] Detect project using plugin
1412020/03/20 10:28:00 [gemnasium-python] Project not compatible
142+----------------------------------------------------------------------------------------+
143| Severity | Tool | Identifier |
144+----------------------------------------------------------------------------------------+
145| Medium | Retire.js | |
146| |
147| Code Injection in morgan |
148| In package.json |
149+----------------------------------------------------------------------------------------+
150| Low | Retire.js | |
151| |
152| Prototype pollution attack in lodash |
153| In package.json |
154+----------------------------------------------------------------------------------------+
155| Unknown | Gemnasium | CVE-2019-1010266 |
156| |
157| Uncontrolled Resource Consumption in lodash |
158| Solution: Upgrade to version 4.17.11 or above. |
159| In package-lock.json |
160+----------------------------------------------------------------------------------------+
161| Unknown | Gemnasium | CVE-2019-10744 |
162| |
163| Improper Input Validation in lodash |
164| Solution: Upgrade to version 4.17.12 or above. |
165| In package-lock.json |
166+----------------------------------------------------------------------------------------+
167| Unknown | Gemnasium | CVE-2018-16487 |
168| |
169| Uncontrolled Resource Consumption in lodash |
170| Solution: Upgrade to version 4.17.11 or above. |
171| In package-lock.json |
172+----------------------------------------------------------------------------------------+
173| Unknown | Gemnasium | CVE-2020-7598 |
174| |
175| Improper Input Validation in minimist |
176| Solution: Upgrade to version 1.2.2 or above. |
177| In package-lock.json |
178+----------------------------------------------------------------------------------------+
179| Unknown | Gemnasium | CVE-2019-5413 |
180| |
181| Command Injection in morgan |
182| Solution: Upgrade to version 1.9.1 or above. |
183| In package-lock.json |
184+----------------------------------------------------------------------------------------+
185 Running after script 00:01
186 Saving cache 00:02
187 Uploading artifacts for successful job 00:02
188Uploading artifacts...
189gl-dependency-scanning-report.json: found 1 matching files
190Uploading artifacts to coordinator... ok id=37117868 responseStatus=201 Created token=fV7Z3Guq
191Job succeeded