判断这是否类似于this thread,并显示关于gl-sast-report.json
未被发现为构件的警告:它类似于您在管道中收到的警告.
gl-sast-report.json
文件预计将由SAST作业(job)生成,并且应该声明为作业(job)要捕获的构件.
- 线程中的用户try 不同的配置以正确地将此文件捕获为构件.
- 一项建议是确保SAST模板的
include
条语句正确地放置在.gitlab-ci.yml
文件中.
- 讨论的另一个问题是SAST作业(job)是否真的在创建
gl-sast-report.json
文件.
So make sure your .gitlab-ci.yml
is correctly configured to generate and capture gl-sast-report.json
.
The relevant portion (with artifacts:reports:sast
) should be:
sast:
stage: test
artifacts:
reports:
sast: gl-sast-report.json
paths:
- 'gl-sast-report.json'
在作业(job)中启用CI_DEBUG_TRACE
作为变量,以获取更详细的日志(log).并确认SAST作业(job)是否确实在生成gl-sast-report.json
文件.如果没有创建文件,问题可能出在SAST scanner 的操作上,而不是CI/CD配置上.
这里有两个问题.一个是未上载的构件,Nodejcan抛出警告消息([WARN] [NodeJsScan] No match in /builds/test/frontend/test-frontend
)
No code scanning happened in the Nodejscan
job. Since no code can has been performed, the gl-sast-report.json
not created.
How to make sure the Nodejscan
job to scan the project?
确保您的JavaScript或TypeScrip文件位于目录/builds/test/frontend/test-frontend
中.NodeJsScan需要找到它应该扫描的文件.如果您的文件位于不同的目录中,则需要调整CI/CD配置中的路径.
判断您的.gitlab-ci.yml
文件,确保为NodeJsScan正确设置了该文件.NodeJsScan作业(job)应配置为指向您的JavaScript/tyescript文件所在的目录.例如:
include:
- template: Security/SAST.gitlab-ci.yml
variables:
SAST_DEFAULT_ANALYZERS: "nodejs-scan"
nodejs-scan:
script:
- /analyzer run
artifacts:
reports:
sast: gl-sast-report.json
paths:
- gl-sast-report.json
NodeJsScan typically expects a package.json
file in the scanned directory. Make sure this file is present and correctly set up.
Try running NodeJsScan locally on your project to see if it successfully scans your files. That can help determine if the issue is with the GitLab CI/CD configuration or with the project setup itself.
package.json
is located in the /builds/test/frontend/test-frontend
and Javascript and typescript are in /builds/test/frontend/test-frontend/src
.
How to mention the nodejs-scan to scan into src
directory?"
要在GitLab CI/CD中配置NodeJsScan以扫描位于/builds/test/frontend/test-frontend/src
中的JavaScript和TypeScrip文件,您将需要调整.gitlab-ci.yml
文件中的配置:在运行扫描之前,您可以指定一个自定义脚本以将工作目录更改为src
文件夹.这可以使用shell 命令来完成.
include:
- template: Security/SAST.gitlab-ci.yml
variables:
SAST_DEFAULT_ANALYZERS: "nodejs-scan"
nodejs-scan:
script:
- cd src
- /analyzer run
artifacts:
reports:
sast: gl-sast-report.json
paths:
- gl-sast-report.json
cd src
命令在执行NodeJsScan分析器之前将当前工作目录更改为src
.
[WARN] [NodeJsScan] [2024-01-30T13:11:13Z] ▶ No match in builds/test/frontend/test-frontend
如何使nodejcan能够对项目进行分析?
考虑到NodeJsScan即使在将目录正确更改为src/
之后仍无法扫描项目,该问题似乎与NodeJsScan识别项目中的文件的方式有关.
NodeJsScan might require explicit instructions on which file patterns to scan. You can modify its command to include specific file types.
For instance, scanning all .js
and .tsx
files. That can be done by modifying the /analyzer run
command to include the desired file patterns.
用于测试:
nodejs-scan:
script:
- cd src/
- find . -name "*.js" -o -name "*.tsx" | xargs /analyzer run
artifacts:
reports:
sast: gl-sast-report.json
paths:
- gl-sast-report.json