GitLab SAST and Java 11

If built-in Static Application Security Testing functionality does not support the programming language requirements you have, you can customize the SAST analyzer docker images.

This guide shows you how to use SAST with OpenJDK 11 or later.

What is SAST?

Static Application Security Testing (SAST) provides you information if

  • your application is vulnerable by using an external library in a specific version which is known to be vulnerable or
  • your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.
https://docs.gitlab.com/ee/user/project/merge_requests/img/security_report.png

How get SAST reports generated?

According to the GitLab documentation you can take advantage of SAST by either:

  1. including the CI job below in your existing .gitlab-ci.yml file or by
  2. implicitly using Auto SAST that is provided by Auto DevOps.

As I want to show you how to customize this behaviour, we will focus on the first approach and add the job to an existing .gitlab-ci.yml file.

Limited language and framework support

Having the need to build Gradle based Java 11 projects, I ran into 2 major issues:

  1. Developers were relying on Gradle in a specific version. GitLab’s SAST images ship an older version of gradle within the image and it’s impossible to match the developers required version. Gradle wrapper ./gradlew should be used instead.

  2. GitLab’s SAST images support Java 8 with FindBugs. For Java 11 and later FindBugs is no longer working. The successor of FindBugs is SpotBugs which should be used in future.

    Language Version Framework Scan tool
    Java 8 Maven, Gradle find-sec-bugs

Using a custom analyzer image

I’ve forked the GitLab.org / security-products / analyzers / find-sec-bugs-gradle project and started to work on the two issues listed above.

Language Version Framework Scan tool Analyzer image
Java 8 Maven, Gradle find-sec-bugs GitLab’s default image
10 Maven, Gradle Wrapper spotbugs registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk10
11 registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk11
12 registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk12

The customized SAST job in detail

Below is an example of a Java 11 customized SAST job which uses the default GitLab SAST image, but a different SAST_ANALYZER_IMAGES and no default analyzers (see: SAST_DEFAULT_ANALYZERS_ENABLED="false").

# ...

sast:
  image: docker:stable
  stage: verify
  variables:
    DOCKER_DRIVER: overlay2
  services:
    - docker:stable-dind
  before_script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
  script:
    - docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
                 --env SAST_DEFAULT_ANALYZERS=""
                 --env SAST_ANALYZER_IMAGES="registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk11"
                 --volume "$PWD:/code"
                 --volume /var/run/docker.sock:/var/run/docker.sock
                 "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json

# ...

Comments

comments powered by Disqus