# GitLab SAST and Java 11
If built-in Static Application Security Testing functionality does not support the programming language requirements you have, you can customize the SAST analyzer docker images.
This guide shows you how to use SAST with OpenJDK 11 or later.
## What is SAST?

Static Application Security Testing (SAST) tells you whether

- your application is vulnerable because it uses an external library in a specific version that is known to be vulnerable, or
- your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.

## How are SAST reports generated?
According to the GitLab documentation you can take advantage of SAST by either:

- including the CI job below in your existing `.gitlab-ci.yml` file, or
- implicitly using Auto SAST, which is provided by Auto DevOps.

As I want to show you how to customize this behaviour, we will focus on the first approach and add the job to an existing `.gitlab-ci.yml` file.
## Limited language and framework support

Having the need to build Gradle based Java 11 projects, I ran into two major issues:

1. Developers were relying on Gradle in a specific version. GitLab's SAST images ship an older version of Gradle within the image and it's impossible to match the developers' required version. The Gradle wrapper `./gradlew` should be used instead.
2. GitLab's SAST images support Java 8 with FindBugs. For Java 11 and later FindBugs no longer works. The successor of FindBugs is SpotBugs, which should be used in future.

Language | Version | Framework | Scan tool
---|---|---|---
Java | 8 | Maven, Gradle | find-sec-bugs
## Using a custom analyzer image

I've forked the GitLab.org / security-products / analyzers / find-sec-bugs-gradle project and started to work on the two issues listed above.

Language | Version | Framework | Scan tool | Analyzer image
---|---|---|---|---
Java | 8 | Maven, Gradle | find-sec-bugs | GitLab's default image
Java | 10 | Maven, Gradle Wrapper | spotbugs | registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk10
Java | 11 | Maven, Gradle Wrapper | spotbugs | registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk11
Java | 12 | Maven, Gradle Wrapper | spotbugs | registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk12
## The customized SAST job in detail

Below is an example of a customized Java 11 SAST job which uses the default GitLab SAST docker image but a different analyzer image.

Environment variable | Function
---|---
`SAST_ANALYZER_IMAGES` | Comma separated list of custom Docker images. Default Docker images are still enabled. In the job below this is used to inject custom Docker images.
`SAST_ANALYZER_IMAGE_PREFIX` | Override the name of the Docker registry providing the default images (proxy).
`SAST_ANALYZER_IMAGE_TAG` | Override the Docker tag of the default images.
`SAST_DEFAULT_ANALYZERS` | Override the names of default Docker images.
`SAST_DEFAULT_ANALYZERS_ENABLED` | DEPRECATED: Disable default images. Removed in SAST 1.9
Read more about [customizing analyzers](./docs/analyzers.md#custom-analyzers).
More configurable settings are listed in the GitLab SAST docker image README file in the repository.
```yaml
# ...
sast:
  image: docker:stable
  stage: verify
  variables:
    DOCKER_DRIVER: overlay2
  services:
    - docker:stable-dind
  before_script:
    # Derive the sast image tag from the GitLab server version, e.g. 12.3.4 -> 12-3-stable
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
  script:
    # SAST_DEFAULT_ANALYZERS="" disables the default analyzers (including the Java 8 find-sec-bugs image);
    # SAST_ANALYZER_IMAGES injects the custom JDK 11 analyzer instead.
    - docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --env SAST_DEFAULT_ANALYZERS=""
        --env SAST_ANALYZER_IMAGES="registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk11"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json
# ...
```
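To try the same customized job outside of CI, for instance while debugging a new analyzer image, the following script is an added example (not code from the post or from GitLab): it derives the `sast` image tag from a GitLab server version exactly as the job's `sed` does and assembles the same `docker run` invocation. Running it with a project path as first argument executes the scan; with `DRY_RUN=1` it only prints the command. Docker on the local machine, the script name `run-sast.sh` and the default server version `12.3.0` are my assumptions.

```shell
#!/bin/sh
# Added example: run the customized GitLab SAST job locally.
# Assumes Docker is available when DRY_RUN is unset; with DRY_RUN=1 the
# docker command is only printed.

# Map a GitLab server version (e.g. "12.3.4-ee") to the matching sast image
# tag ("12-3-stable"), the same transformation the job's before_script does.
sp_version() {
  printf '%s\n' "$1" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/'
}

# Assemble the docker run command line.
# $1: project directory, $2: GitLab server version, $3: custom analyzer image(s)
sast_command() {
  code_dir=$1
  tag=$(sp_version "$2")
  analyzers=$3
  # SAST_DEFAULT_ANALYZERS="" disables every default analyzer (including the
  # Java 8 find-sec-bugs image) so only the images in SAST_ANALYZER_IMAGES run.
  printf 'docker run --env SAST_CONFIDENCE_LEVEL="%s" --env SAST_DEFAULT_ANALYZERS="" --env SAST_ANALYZER_IMAGES="%s" --volume "%s:/code" --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/sast:%s" /app/bin/run /code\n' \
    "${SAST_CONFIDENCE_LEVEL:-3}" "$analyzers" "$code_dir" "$tag"
}

# Print the command (DRY_RUN=1) or execute it; the scan writes
# gl-sast-report.json into the project directory.
run_sast() {
  cmd=$(sast_command "$@")
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$cmd"
  else
    sh -c "$cmd"
  fi
}

# Usage: ./run-sast.sh /path/to/project   (CI_SERVER_VERSION and
# SAST_ANALYZER_IMAGES may be overridden through the environment)
if [ $# -gt 0 ]; then
  run_sast "$1" "${CI_SERVER_VERSION:-12.3.0}" \
    "${SAST_ANALYZER_IMAGES:-registry.gitlab.com/widerin/find-sec-bugs-gradle:jdk11}"
fi
```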