Node.js GitLab SAST中的Nodejcan未找到匹配项

判断这是否类似于this thread，并显示关于gl-sast-report.json未被发现为构件的警告:它类似于您在管道中收到的警告.

• gl-sast-report.json文件预计将由SAST作业(job)生成，并且应该声明为作业(job)要捕获的构件.
• 线程中的用户try 不同的配置以正确地将此文件捕获为构件.
• 一项建议是确保SAST模板的include条语句正确地放置在.gitlab-ci.yml文件中.
• 讨论的另一个问题是SAST作业(job)是否真的在创建gl-sast-report.json文件.

So make sure your .gitlab-ci.yml is correctly configured to generate and capture gl-sast-report.json.
The relevant portion (with artifacts:reports:sast) should be:

sast:
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - 'gl-sast-report.json'

在作业(job)中启用CI_DEBUG_TRACE作为变量，以获取更详细的日志(log).并确认SAST作业(job)是否确实在生成gl-sast-report.json文件.如果没有创建文件，问题可能出在SAST scanner 的操作上，而不是CI/CD配置上.

这里有两个问题.一个是未上载的构件，Nodejcan抛出警告消息([WARN] [NodeJsScan] No match in /builds/test/frontend/test-frontend)

No code scanning happened in the Nodejscan job. Since no code can has been performed, the gl-sast-report.json not created.
How to make sure the Nodejscan job to scan the project?

确保您的JavaScript或TypeScrip文件位于目录/builds/test/frontend/test-frontend中.NodeJsScan需要找到它应该扫描的文件.如果您的文件位于不同的目录中，则需要调整CI/CD配置中的路径.

判断您的.gitlab-ci.yml文件，确保为NodeJsScan正确设置了该文件.NodeJsScan作业(job)应配置为指向您的JavaScript/tyescript文件所在的目录.例如:

include:
    - template: Security/SAST.gitlab-ci.yml

variables:
    SAST_DEFAULT_ANALYZERS: "nodejs-scan"

nodejs-scan:
    script:
    - /analyzer run
    artifacts:
    reports:
        sast: gl-sast-report.json
    paths:
        - gl-sast-report.json

NodeJsScan typically expects a package.json file in the scanned directory. Make sure this file is present and correctly set up.
Try running NodeJsScan locally on your project to see if it successfully scans your files. That can help determine if the issue is with the GitLab CI/CD configuration or with the project setup itself.

package.json is located in the /builds/test/frontend/test-frontend and Javascript and typescript are in /builds/test/frontend/test-frontend/src.
How to mention the nodejs-scan to scan into src directory?"

要在GitLab CI/CD中配置NodeJsScan以扫描位于/builds/test/frontend/test-frontend/src中的JavaScript和TypeScrip文件，您将需要调整.gitlab-ci.yml文件中的配置:在运行扫描之前，您可以指定一个自定义脚本以将工作目录更改为src文件夹.这可以使用shell 命令来完成.

include:
    - template: Security/SAST.gitlab-ci.yml

variables:
    SAST_DEFAULT_ANALYZERS: "nodejs-scan"

nodejs-scan:
    script:
    - cd src
    - /analyzer run
    artifacts:
    reports:
        sast: gl-sast-report.json
    paths:
        - gl-sast-report.json

cd src命令在执行NodeJsScan分析器之前将当前工作目录更改为src.

[WARN] [NodeJsScan] [2024-01-30T13:11:13Z] ▶ No match in builds/test/frontend/test-frontend

如何使nodejcan能够对项目进行分析？

考虑到NodeJsScan即使在将目录正确更改为src/之后仍无法扫描项目，该问题似乎与NodeJsScan识别项目中的文件的方式有关.

NodeJsScan might require explicit instructions on which file patterns to scan. You can modify its command to include specific file types.
For instance, scanning all .js and .tsx files. That can be done by modifying the /analyzer run command to include the desired file patterns.

用于测试:

nodejs-scan:
  script:
    - cd src/
    - find . -name "*.js" -o -name "*.tsx" | xargs /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - gl-sast-report.json