Skip to content
Snippets Groups Projects

dependency_scanning

Passed Started by
Adrien Kohlbecker
@akohlbecker
This job is archived. Only the complete pipeline can be retried.
1Running with gitlab-runner 12.9.0 (4c96e5ad)
2 on docker-auto-scale fa6cab46
3 Preparing the "docker+machine" executor 01:40
4Using Docker executor with image docker:stable ...
5Starting service docker:stable-dind ...
6Pulling docker image docker:stable-dind ...
7Using docker image sha256:a6e51fd179fb849f4ec6faee318101d32830103f5615215716bd686c56afaea1 for docker:stable-dind ...
8Waiting for services to be up and running...
9*** WARNING: Service runner-fa6cab46-project-4422333-concurrent-0-docker-0 probably didn't start properly.
10Health check error:
11service "runner-fa6cab46-project-4422333-concurrent-0-docker-0-wait-for-service" timeout
12Health check container logs:
13Service container logs:
142020-04-16T12:02:59.119853074Z time="2020-04-16T12:02:59.112883314Z" level=info msg="Starting up"
152020-04-16T12:02:59.119915652Z time="2020-04-16T12:02:59.113980947Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
162020-04-16T12:02:59.119920522Z time="2020-04-16T12:02:59.114156303Z" level=warning msg="[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]"
172020-04-16T12:02:59.119924024Z time="2020-04-16T12:02:59.114955569Z" level=info msg="libcontainerd: started new containerd process" pid=19
182020-04-16T12:02:59.119927419Z time="2020-04-16T12:02:59.114987449Z" level=info msg="parsed scheme: \"unix\"" module=grpc
192020-04-16T12:02:59.119930857Z time="2020-04-16T12:02:59.114995572Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
202020-04-16T12:02:59.119934483Z time="2020-04-16T12:02:59.115011827Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
212020-04-16T12:02:59.119938889Z time="2020-04-16T12:02:59.115020416Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
222020-04-16T12:02:59.199930498Z time="2020-04-16T12:02:59.147715751Z" level=info msg="starting containerd" revision=7ad184331fa3e55e52b890ea95e65ba581ae3429 version=v1.2.13
232020-04-16T12:02:59.199963835Z time="2020-04-16T12:02:59.149197117Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." type=io.containerd.content.v1
242020-04-16T12:02:59.199968590Z time="2020-04-16T12:02:59.149275287Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.btrfs"..." type=io.containerd.snapshotter.v1
252020-04-16T12:02:59.199973103Z time="2020-04-16T12:02:59.149473607Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.btrfs" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
262020-04-16T12:02:59.199979325Z time="2020-04-16T12:02:59.149486377Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.aufs"..." type=io.containerd.snapshotter.v1
272020-04-16T12:02:59.199983168Z time="2020-04-16T12:02:59.176322773Z" level=warning msg="failed to load plugin io.containerd.snapshotter.v1.aufs" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
282020-04-16T12:02:59.199987229Z time="2020-04-16T12:02:59.176346326Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.native"..." type=io.containerd.snapshotter.v1
292020-04-16T12:02:59.199990597Z time="2020-04-16T12:02:59.176466420Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.overlayfs"..." type=io.containerd.snapshotter.v1
302020-04-16T12:02:59.199993901Z time="2020-04-16T12:02:59.176599933Z" level=info msg="loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1
312020-04-16T12:02:59.199997168Z time="2020-04-16T12:02:59.176859899Z" level=info msg="skip loading plugin "io.containerd.snapshotter.v1.zfs"..." type=io.containerd.snapshotter.v1
322020-04-16T12:02:59.200000491Z time="2020-04-16T12:02:59.176869346Z" level=info msg="loading plugin "io.containerd.metadata.v1.bolt"..." type=io.containerd.metadata.v1
332020-04-16T12:02:59.200013808Z time="2020-04-16T12:02:59.176911890Z" level=warning msg="could not use snapshotter zfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.zfs must be a zfs filesystem to be used with the zfs snapshotter: skip plugin"
342020-04-16T12:02:59.200017878Z time="2020-04-16T12:02:59.176919254Z" level=warning msg="could not use snapshotter btrfs in metadata plugin" error="path /var/lib/docker/containerd/daemon/io.containerd.snapshotter.v1.btrfs must be a btrfs filesystem to be used with the btrfs snapshotter"
352020-04-16T12:02:59.200021451Z time="2020-04-16T12:02:59.176924919Z" level=warning msg="could not use snapshotter aufs in metadata plugin" error="modprobe aufs failed: "ip: can't find device 'aufs'\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n": exit status 1"
362020-04-16T12:02:59.200025274Z time="2020-04-16T12:02:59.184169384Z" level=info msg="loading plugin "io.containerd.differ.v1.walking"..." type=io.containerd.differ.v1
372020-04-16T12:02:59.200028522Z time="2020-04-16T12:02:59.184196608Z" level=info msg="loading plugin "io.containerd.gc.v1.scheduler"..." type=io.containerd.gc.v1
382020-04-16T12:02:59.200031721Z time="2020-04-16T12:02:59.184225846Z" level=info msg="loading plugin "io.containerd.service.v1.containers-service"..." type=io.containerd.service.v1
392020-04-16T12:02:59.200035045Z time="2020-04-16T12:02:59.184238473Z" level=info msg="loading plugin "io.containerd.service.v1.content-service"..." type=io.containerd.service.v1
402020-04-16T12:02:59.200038215Z time="2020-04-16T12:02:59.184248467Z" level=info msg="loading plugin "io.containerd.service.v1.diff-service"..." type=io.containerd.service.v1
412020-04-16T12:02:59.200041474Z time="2020-04-16T12:02:59.184259530Z" level=info msg="loading plugin "io.containerd.service.v1.images-service"..." type=io.containerd.service.v1
422020-04-16T12:02:59.200044663Z time="2020-04-16T12:02:59.184271154Z" level=info msg="loading plugin "io.containerd.service.v1.leases-service"..." type=io.containerd.service.v1
432020-04-16T12:02:59.200047953Z time="2020-04-16T12:02:59.184282695Z" level=info msg="loading plugin "io.containerd.service.v1.namespaces-service"..." type=io.containerd.service.v1
442020-04-16T12:02:59.200051147Z time="2020-04-16T12:02:59.184292978Z" level=info msg="loading plugin "io.containerd.service.v1.snapshots-service"..." type=io.containerd.service.v1
452020-04-16T12:02:59.200054439Z time="2020-04-16T12:02:59.184306561Z" level=info msg="loading plugin "io.containerd.runtime.v1.linux"..." type=io.containerd.runtime.v1
462020-04-16T12:02:59.200057892Z time="2020-04-16T12:02:59.184493335Z" level=info msg="loading plugin "io.containerd.runtime.v2.task"..." type=io.containerd.runtime.v2
472020-04-16T12:02:59.200061135Z time="2020-04-16T12:02:59.184592997Z" level=info msg="loading plugin "io.containerd.monitor.v1.cgroups"..." type=io.containerd.monitor.v1
482020-04-16T12:02:59.200064291Z time="2020-04-16T12:02:59.184929075Z" level=info msg="loading plugin "io.containerd.service.v1.tasks-service"..." type=io.containerd.service.v1
492020-04-16T12:02:59.200067554Z time="2020-04-16T12:02:59.184955531Z" level=info msg="loading plugin "io.containerd.internal.v1.restart"..." type=io.containerd.internal.v1
502020-04-16T12:02:59.200073471Z time="2020-04-16T12:02:59.184989391Z" level=info msg="loading plugin "io.containerd.grpc.v1.containers"..." type=io.containerd.grpc.v1
512020-04-16T12:02:59.200076767Z time="2020-04-16T12:02:59.185003807Z" level=info msg="loading plugin "io.containerd.grpc.v1.content"..." type=io.containerd.grpc.v1
522020-04-16T12:02:59.200079893Z time="2020-04-16T12:02:59.185014278Z" level=info msg="loading plugin "io.containerd.grpc.v1.diff"..." type=io.containerd.grpc.v1
532020-04-16T12:02:59.200083024Z time="2020-04-16T12:02:59.185024273Z" level=info msg="loading plugin "io.containerd.grpc.v1.events"..." type=io.containerd.grpc.v1
542020-04-16T12:02:59.200086160Z time="2020-04-16T12:02:59.185034670Z" level=info msg="loading plugin "io.containerd.grpc.v1.healthcheck"..." type=io.containerd.grpc.v1
552020-04-16T12:02:59.200089396Z time="2020-04-16T12:02:59.185044866Z" level=info msg="loading plugin "io.containerd.grpc.v1.images"..." type=io.containerd.grpc.v1
562020-04-16T12:02:59.200093613Z time="2020-04-16T12:02:59.185054329Z" level=info msg="loading plugin "io.containerd.grpc.v1.leases"..." type=io.containerd.grpc.v1
572020-04-16T12:02:59.200096965Z time="2020-04-16T12:02:59.185063677Z" level=info msg="loading plugin "io.containerd.grpc.v1.namespaces"..." type=io.containerd.grpc.v1
582020-04-16T12:02:59.200100355Z time="2020-04-16T12:02:59.185072849Z" level=info msg="loading plugin "io.containerd.internal.v1.opt"..." type=io.containerd.internal.v1
592020-04-16T12:02:59.200103621Z time="2020-04-16T12:02:59.185305889Z" level=info msg="loading plugin "io.containerd.grpc.v1.snapshots"..." type=io.containerd.grpc.v1
602020-04-16T12:02:59.200106857Z time="2020-04-16T12:02:59.185320901Z" level=info msg="loading plugin "io.containerd.grpc.v1.tasks"..." type=io.containerd.grpc.v1
612020-04-16T12:02:59.200110420Z time="2020-04-16T12:02:59.185330760Z" level=info msg="loading plugin "io.containerd.grpc.v1.version"..." type=io.containerd.grpc.v1
622020-04-16T12:02:59.200113862Z time="2020-04-16T12:02:59.185340193Z" level=info msg="loading plugin "io.containerd.grpc.v1.introspection"..." type=io.containerd.grpc.v1
632020-04-16T12:02:59.200117193Z time="2020-04-16T12:02:59.185551469Z" level=info msg=serving... address="/var/run/docker/containerd/containerd-debug.sock"
642020-04-16T12:02:59.200120471Z time="2020-04-16T12:02:59.185609767Z" level=info msg=serving... address="/var/run/docker/containerd/containerd.sock"
652020-04-16T12:02:59.200123716Z time="2020-04-16T12:02:59.185618901Z" level=info msg="containerd successfully booted in 0.038470s"
662020-04-16T12:02:59.212411249Z time="2020-04-16T12:02:59.211851964Z" level=info msg="Setting the storage driver from the $DOCKER_DRIVER environment variable (overlay2)"
672020-04-16T12:02:59.212431725Z time="2020-04-16T12:02:59.212054526Z" level=info msg="parsed scheme: \"unix\"" module=grpc
682020-04-16T12:02:59.212444326Z time="2020-04-16T12:02:59.212067233Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
692020-04-16T12:02:59.212448292Z time="2020-04-16T12:02:59.212082352Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
702020-04-16T12:02:59.212460790Z time="2020-04-16T12:02:59.212090850Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
712020-04-16T12:02:59.214785568Z time="2020-04-16T12:02:59.214107046Z" level=info msg="parsed scheme: \"unix\"" module=grpc
722020-04-16T12:02:59.214802546Z time="2020-04-16T12:02:59.214123597Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
732020-04-16T12:02:59.214806954Z time="2020-04-16T12:02:59.214139715Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///var/run/docker/containerd/containerd.sock 0 <nil>}] <nil>}" module=grpc
742020-04-16T12:02:59.214810950Z time="2020-04-16T12:02:59.214148559Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
752020-04-16T12:02:59.273034107Z time="2020-04-16T12:02:59.271456112Z" level=info msg="Loading containers: start."
762020-04-16T12:02:59.306912275Z time="2020-04-16T12:02:59.306771204Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: ip: can't find device 'bridge'\nbridge 167936 1 br_netfilter\nstp 16384 1 bridge\nllc 16384 2 bridge,stp\nip: can't find device 'br_netfilter'\nbr_netfilter 24576 0 \nbridge 167936 1 br_netfilter\nmodprobe: can't change directory to '/lib/modules': No such file or directory\n, error: exit status 1"
772020-04-16T12:02:59.407864424Z time="2020-04-16T12:02:59.406414727Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.18.0.0/16. Daemon option --bip can be used to set a preferred IP address"
782020-04-16T12:02:59.458855398Z time="2020-04-16T12:02:59.458650203Z" level=info msg="Loading containers: done."
792020-04-16T12:02:59.481226336Z time="2020-04-16T12:02:59.479832379Z" level=info msg="Docker daemon" commit=afacb8b7f0 graphdriver(s)=overlay2 version=19.03.8
802020-04-16T12:02:59.481248123Z time="2020-04-16T12:02:59.479977617Z" level=info msg="Daemon has completed initialization"
812020-04-16T12:02:59.536434070Z time="2020-04-16T12:02:59.535926558Z" level=info msg="API listen on [::]:2375"
822020-04-16T12:02:59.536456018Z time="2020-04-16T12:02:59.536000928Z" level=info msg="API listen on /var/run/docker.sock"
83*********
84Pulling docker image docker:stable ...
85Using docker image sha256:61b2e482e9de9ca3939dce4c90810c89fa7e7450f774590967c2908cba857ddd for docker:stable ...
86 Preparing environment 00:02
87Running on runner-fa6cab46-project-4422333-concurrent-0 via runner-fa6cab46-stg-srm-1587038510-cb8abff8...
88 Getting source from Git repository 00:02
89$ eval "$CI_PRE_CLONE_SCRIPT"
90Fetching changes with git depth set to 50...
91Initialized empty Git repository in /builds/gitlab-org/monitor/monitor-sandbox/.git/
92Created fresh repository.
93From https://staging.gitlab.com/gitlab-org/monitor/monitor-sandbox
94 * [new ref] refs/pipelines/12750472 -> refs/pipelines/12750472
95 * [new branch] master -> origin/master
96Checking out a666adff as master...
97Skipping Git submodules setup
98 Restoring cache 00:01
99 Downloading artifacts 00:02
100 Running before_script and script 00:37
101$ export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
102$ if ! docker info &>/dev/null; then # collapsed multi-line command
103$ function propagate_env_vars() { # collapsed multi-line command
104$ docker run \ # collapsed multi-line command
105Unable to find image 'registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-10-stable' locally
10612-10-stable: Pulling from gitlab-org/security-products/dependency-scanning
107ce82f9486b57: Pulling fs layer
108ce82f9486b57: Verifying Checksum
109ce82f9486b57: Download complete
110ce82f9486b57: Pull complete
111Digest: sha256:29914ecaaa6a0387b7d0a679a6f5ee1cbe28211c3279cbdfaef6e1ace4b41516
112Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/dependency-scanning:12-10-stable
1132020/04/16 12:03:39 Copy project directory to containers
1142020/04/16 12:03:39 [bundler-audit] Detect project using plugin
1152020/04/16 12:03:39 [bundler-audit] Project not compatible
1162020/04/16 12:03:39 [retire.js] Detect project using plugin
1172020/04/16 12:03:39 [retire.js] Project is compatible
1182020/04/16 12:03:39 [retire.js] Downloading analyzer...
119............................................................
1202020/04/16 12:03:49 [retire.js] Starting analyzer...
121Found project in /tmp/app
122Using python 3
123Installing dependencies...
124added 159 packages from 617 contributors and audited 303 packages in 5.755s
125found 9 vulnerabilities (2 low, 1 moderate, 6 high)
126 run `npm audit fix` to fix them, or `npm audit` for details
1272020/04/16 12:04:03 [gemnasium] Detect project using plugin
1282020/04/16 12:04:03 [gemnasium] Project is compatible
1292020/04/16 12:04:03 [gemnasium] Downloading analyzer...
130......................
1312020/04/16 12:04:09 [gemnasium] Starting analyzer...
132Found project in /tmp/app
133Fetching origin
134From https://gitlab.com/gitlab-org/security-products/gemnasium-db
135 * [new branch] adbcurate/CVE-2020-11001.yml -> origin/adbcurate/CVE-2020-11001.yml
136 * [new branch] adbcurate/CVE-2020-11003.yml -> origin/adbcurate/CVE-2020-11003.yml
137 b0519d85..dbdfebb5 julian-semantic-versioning -> origin/julian-semantic-versioning
138 * [new tag] v1.0.0 -> v1.0.0
139 * [new tag] version_latest -> version_latest
140Already on 'master'
141Your branch is up to date with 'origin/master'.
1422020/04/16 12:04:13 Cannot auto-remediate dependency file, not supported: package-lock.json
1432020/04/16 12:04:13 [gemnasium-maven] Detect project using plugin
1442020/04/16 12:04:13 [gemnasium-maven] Project not compatible
1452020/04/16 12:04:13 [gemnasium-python] Detect project using plugin
1462020/04/16 12:04:13 [gemnasium-python] Project not compatible
147+----------------------------------------------------------------------------------------+
148| Severity | Tool | Identifier |
149+----------------------------------------------------------------------------------------+
150| Critical | Gemnasium | CVE-2019-10744 |
151| |
152| Improper Input Validation in lodash |
153| Solution: Upgrade to version 4.17.12 or above. |
154| In package-lock.json |
155+----------------------------------------------------------------------------------------+
156| Critical | Gemnasium | CVE-2018-16487 |
157| |
158| Uncontrolled Resource Consumption in lodash |
159| Solution: Upgrade to version 4.17.11 or above. |
160| In package-lock.json |
161+----------------------------------------------------------------------------------------+
162| Critical | Gemnasium | CVE-2020-7598 |
163| |
164| Improper Input Validation in minimist |
165| Solution: Upgrade to version 1.2.2 or above. |
166| In package-lock.json |
167+----------------------------------------------------------------------------------------+
168| Critical | Gemnasium | CVE-2019-5413 |
169| |
170| Command Injection in morgan |
171| Solution: Upgrade to version 1.9.1 or above. |
172| In package-lock.json |
173+----------------------------------------------------------------------------------------+
174| High | Gemnasium | CVE-2019-20149 |
175| |
176| Type checking vulnerability in kind-of |
177| Solution: Upgrade to version 6.0.3 or above. |
178| In package-lock.json |
179+----------------------------------------------------------------------------------------+
180| Medium | Gemnasium | CVE-2019-1010266 |
181| |
182| Uncontrolled Resource Consumption in lodash |
183| Solution: Upgrade to version 4.17.11 or above. |
184| In package-lock.json |
185+----------------------------------------------------------------------------------------+
186| Medium | Retire.js | |
187| |
188| Code Injection in morgan |
189| In package.json |
190+----------------------------------------------------------------------------------------+
191| Low | Retire.js | |
192| |
193| Prototype pollution attack in lodash |
194| In package.json |
195+----------------------------------------------------------------------------------------+
196 Running after_script 00:01
197 Saving cache 00:02
198 Uploading artifacts for successful job 00:02
199Uploading artifacts...
200gl-dependency-scanning-report.json: found 1 matching files
201Uploading artifacts to coordinator... ok id=37160321 responseStatus=201 Created token=kkftKdRc
202Job succeeded