gitlab-runner issues
https://repo1.dso.mil/dsop/gitlab/gitlab-runner/gitlab-runner/-/issues
2024-03-28T01:43:01Z

https://repo1.dso.mil/dsop/gitlab/gitlab-runner/gitlab-runner/-/issues/57
# chore(findings): gitlab/gitlab-runner/gitlab-runner
2024-03-28T01:43:01Z
robotnik
## Summary
gitlab/gitlab-runner/gitlab-runner has 5 new findings discovered during continuous monitoring.
id | source | severity | package
-- | ------ | -------- | -------
GHSA-8r3f-844c-mc37 | Anchore CVE | Medium | google.golang.org/protobuf-v1.31.0
GHSA-xw73-rw38-6vjc | Anchore CVE | Medium | github.com/docker/docker-v24.0.7+incompatible
GHSA-xm99-6pv5-q363 | Twistlock CVE | High | github.com/kardianos/service-v1.2.2
CVE-2024-24557 | Twistlock CVE | Medium | github.com/docker/docker-v24.0.7
CVE-2024-28180 | Twistlock CVE | Medium | gopkg.in/square/go-jose.v2-v2.5.1
VAT: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab-runner/gitlab-runner&tag=v16.10.0&branch=master
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab-runner/gitlab-runner&tag=v16.9.0&branch=master
## Tasks
Contributor:
- [ ] Provide justifications for findings in the [VAT](https://vat.dso.mil) ([docs](https://docs-ironbank.dso.mil/hardening/justifications/))
- [ ] Apply the ~"Status::Verification" label to this issue and wait for feedback
Iron Bank:
- [ ] Review findings and justifications
> Note: If the above process is rejected for any reason, the `Verification` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you **must** re-add the `Verification` label.
## Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add `/cc @ironbank-notifications/onboarding`.
Additionally, Iron Bank hosts an [AMA](https://www.zoomgov.com/meeting/register/vJIsdemoqTMpGpm-2c6xjdAm0MLD6vuvu5I) working session every Wednesday from 1630-1730EST to answer questions.
Steven Terhar

https://repo1.dso.mil/dsop/gitlab/gitlab-runner/gitlab-runner/-/issues/52
# 16.5.0 image pipeline execution permission issues
2024-01-19T20:27:21Z
Ryan Garcia
## Summary
New 16.5.0 runner images fail to utilize `/builds` and `/home/gitlab-runner` when executing a pipeline.
Also emailed Gitlab but wanted to create issue here for visibility and tracking.
## Steps to reproduce
Deploy `v16.5.0` versions of gitlab-runner and gitlab-runner-helper images. Create sample pipeline for Gitlab, run pipeline.
## What is the current bug behavior?
```
Running on runner-ets5f1b-project-1-concurrent-0-71h962d4 via gitlab-runner-5f75d74c57-fvxqj...
Getting source from Git repository 00:01
Fetching changes with git depth set to 20...
warning: unable to access '/home/gitlab-runner/.gitconfig': Permission denied
warning: unable to access '/home/gitlab-runner/.config/git/config': Permission denied
error: could not lock config file /home/gitlab-runner/.gitconfig: Permission denied
ERROR: Job failed: command terminated with exit code 1
```
## What is the expected correct behavior?
(Testing using same gitlab+runner chart as above just with no `securityContext` defined for runners and using upstream `ubi-fips-v16.5.0` images.)
```
Getting source from Git repository 00:01
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/root/testing-stuff/.git/
Created fresh repository.
Checking out 4957cf92 as detached HEAD (ref is main)...
Skipping Git submodules setup
Restoring cache 00:02
Checking cache for default-protected...
No URL provided, cache will not be downloaded from shared cache server. Instead a local version of cache will be extracted.
Successfully extracted cache
Executing "step_script" stage of the job script 00:00
$ echo "dogfood" >> file.txt
Saving cache for successful job 00:01
Creating cache default-protected...
file.txt: found 1 matching artifact files and directories
No URL provided, cache will not be uploaded to shared cache server. Cache will be stored only locally.
Created cache
Uploading artifacts for successful job 00:02
Uploading artifacts...
file.txt: found 1 matching artifact files and directories
Uploading artifacts as "archive" to coordinator... 201 Created id=6 responseStatus=201 Created token=64_AgU2s
Job succeeded
```
## Possible fixes
I don't believe a `chown gitlab-runner` is performed for the necessary directories in addition to the `chmod`s.
## Tasks
- [ ] Bug has been identified and corrected within the container
Please read the [Iron Bank Documentation](https://docs-ironbank.dso.mil/) for more info.
Steven Terhar