Add DinD workaround for SAST and DS

dc0ff1af · Russell Dickenson · Nick Gaskill · c4ae00b8 · dc0ff1af · dc0ff1af
Commit dc0ff1af authored Oct 13, 2021 by Russell Dickenson Committed by Nick Gaskill Oct 13, 2021
Showing with 71 additions and 0 deletions

doc/user/application_security/dependency_scanning/index.md doc/user/application_security/dependency_scanning/index.md +19 -0

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +52 -0

No files found.
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -927,3 +927,22 @@ gemnasium-maven-dependency_scanning:
    - for i in `ls cert*`; do keytool -v -importcert -alias "custom-cert-$i" -file $i -trustcacerts -noprompt -storepass changeit -keystore /opt/asdf/installs/java/adoptopenjdk-11.0.7+10.1/lib/security/cacerts 1>/dev/null 2>&1 || true; done # import each certificate using keytool (note the keystore location is related to the Java version being used and should be changed accordingly for other versions)
    - unset ADDITIONAL_CA_CERT_BUNDLE # unset the variable so that the analyzer doesn't duplicate the import
 ```
+
+### Dependency Scanning job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax`
+
+Invoking Docker-in-Docker is the likely cause of this error. Docker-in-Docker is:
+
+- Disabled by default in GitLab 13.0 and later.
+- Unsupported from GitLab 13.4 and later.
+
+To fix this error, disable Docker-in-Docker for dependency scanning. Individual
+`<analyzer-name>-dependency_scanning` jobs are created for each analyzer that runs in your CI/CD
+pipeline.
+
+```yaml
+include:
+  - template: Dependency-Scanning.gitlab-ci.yml
+
+variables:
+  DS_DISABLE_DIND: "true"
+```
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -810,3 +810,55 @@ This occurs when Flawfinder encounters an invalid UTF-8 character. To fix this,
 ### Semgrep slowness, unexpected results, or other errors

 If Semgrep is slow, reports too many false positives or false negatives, crashes, fails, or is otherwise broken, see the Semgrep docs for [troubleshooting GitLab SAST](https://semgrep.dev/docs/troubleshooting/gitlab-sast/).
+
+### SAST job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax`
+
+Invoking Docker-in-Docker is the likely cause of this error. Docker-in-Docker is:
+
+- Disabled by default in GitLab 13.0 and later.
+- Unsupported from GitLab 13.4 and later.
+
+Several workarounds are available. From GitLab version 13.0 and later, you must not use
+Docker-in-Docker.
+
+#### Workaround 1: Pin analyzer versions (GitLab 12.1 and earlier)
+
+Set the following variables for the SAST job. This pins the analyzer versions to the last known
+working version, allowing SAST with Docker-in-Docker to complete as it did previously:
+
+```yaml
+sast:
+  variables:
+    SAST_DEFAULT_ANALYZERS: ""
+    SAST_ANALYZER_IMAGES: "registry.gitlab.com/gitlab-org/security-products/analyzers/bandit:2.9.6, registry.gitlab.com/gitlab-org/security-products/analyzers/brakeman:2.11.0, registry.gitlab.com/gitlab-org/security-products/analyzers/eslint:2.10.0, registry.gitlab.com/gitlab-org/security-products/analyzers/flawfinder:2.11.1, registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:2.14.0, registry.gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan:2.11.0, registry.gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit:2.9.1, registry.gitlab.com/gitlab-org/security-products/analyzers/pmd-apex:2.9.0, registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:3.12.0, registry.gitlab.com/gitlab-org/security-products/analyzers/security-code-scan:2.13.0, registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:2.8.0, registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2.13.6, registry.gitlab.com/gitlab-org/security-products/analyzers/tslint:2.4.0"
+```
+
+Remove any analyzers you don't need from the `SAST_ANALYZER_IMAGES` list. Keep
+`SAST_DEFAULT_ANALYZERS` set to an empty string `""`.
+
+#### Workaround 2: Disable Docker-in-Docker for SAST and Dependency Scanning (GitLab 12.3 and later)
+
+Disable Docker-in-Docker for SAST. Individual `<analyzer-name>-sast` jobs are created for each
+analyzer that runs in your CI/CD pipeline.
+
+```yaml
+include:
+  - template: SAST.gitlab-ci.yml
+
+variables:
+  SAST_DISABLE_DIND: "true"
+```
+
+#### Workaround 3: Upgrade to GitLab 13.x and use the defaults
+
+From GitLab 13.0, SAST defaults to not using Docker-in-Docker. In GitLab 13.4 and later, SAST using
+Docker-in-Docker is [no longer supported](https://gitlab.com/gitlab-org/gitlab/-/issues/220540).
+If you have this problem on GitLab 13.x and later, you have customized your SAST job to
+use Docker-in-Docker. To resolve this, comment out any customizations you've made to
+your SAST CI job definition and [follow the documentation](index.md#configuration)
+to reconfigure, using the new and improved job definition default values.
+
+```yaml
+include:
+  - template: Security/SAST.gitlab-ci.yml
+```