Running with gitlab-runner 13.8.0 (775dd39d)
  on global-shared-gitlab-runner-89dbd4db8-mnp6b RKzCU9YR
section_start:1617633520:resolve_secrets
Resolving secrets
section_end:1617633520:resolve_secrets
section_start:1617633520:prepare_executor
Preparing the "kubernetes" executor
Using Kubernetes namespace: gitlab-runner
WARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
Using Kubernetes executor with image ${GITLAB_INTERNAL_REGISTRY}/ironbank-tools/ironbank-pipeline/ib-pipeline-image:0.1 ...
section_end:1617633520:prepare_executor
section_start:1617633520:prepare_script
Preparing environment
Waiting for pod gitlab-runner/runner-rkzcu9yr-project-515-concurrent-05ss7s to be running, status is Pending
Waiting for pod gitlab-runner/runner-rkzcu9yr-project-515-concurrent-05ss7s to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Waiting for pod gitlab-runner/runner-rkzcu9yr-project-515-concurrent-05ss7s to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-rkzcu9yr-project-515-concurrent-05ss7s via global-shared-gitlab-runner-89dbd4db8-mnp6b...
section_end:1617633530:prepare_script
section_start:1617633530:get_sources
Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/dsop/opensource/mbtest/mountebank/.git/
Created fresh repository.
Checking out c873d708 as development...
Skipping Git submodules setup
section_end:1617633530:get_sources
section_start:1617633530:download_artifacts
Downloading artifacts
Downloading artifacts for hardening_manifest (2606401)...
Downloading artifacts from coordinator... ok  id=2606401 responseStatus=200 OK token=z8yozVDh
Downloading artifacts for load scripts (2606399)...
Downloading artifacts from coordinator... ok  id=2606399 responseStatus=200 OK token=QzJXvw_Q
Downloading artifacts for wl compare lint (2606402)...
Downloading artifacts from coordinator... ok  id=2606402 responseStatus=200 OK token=Dv-T489x
section_end:1617633530:download_artifacts
section_start:1617633530:step_script
Executing "step_script" stage of the job script
$ mkdir -p "${ARTIFACT_DIR}"
$ set +e
$ python3 "${PIPELINE_REPO_DIR}/stages/vat-finding-compare/vat_findings.py"
api set length: 150
db set length: 141
Findings are NOT the same!
There are CVEs from the api that are not returned by the query
There are CVEs from the query that are not returned by the api
Please run the development branch for this project before validating query/api data
Findings from api not in direct query
('CVE-2015-8315', 'anchore_cve', 'debug-4.1.1\nOther Advisory URL: https://nodesecurity.io/advisories/46\nCVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8315\nVendor URL: https://github.com/unshiftio/millisecond\nOther Advisory URL: https://nodesecurity.io/advisories/59\nVendor Specific News/Changelog Entry: https://github.com/unshiftio/millisecond/pull/4\nVendor Specific News/Changelog Entry: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836205\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/0f4fd585befe8ce9287f4407cbcd95c63a6f1cfd\nVendor Specific Solution URL: https://github.com/astro/node-stringprep/commit/e9d5b40ab3c6a03546309ba84b08b159b5d0db59\nVendor Specific Solution URL: https://github.com/zeit/ms/pull/89/commits/305f2ddcd4eff7cc7c518aca6bb2b2d2daad8fef\nVendor Specific Solution URL: https://github.com/zeit/ms/pull/89\nOther Advisory URL: https://snyk.io/vuln/npm:ms:20170412\nVendor Specific Solution URL: https://github.com/visionmedia/debug/pull/458\nVendor Specific News/Changelog Entry: https://github.com/visionmedia/debug/blob/master/CHANGELOG.md\nVendor Specific News/Changelog Entry: https://github.com/Automattic/mongoose/blob/master/History.md\nBug Tracker: https://github.com/Automattic/mongoose/issues/5275\nVendor Specific News/Changelog Entry: http://expressjs.com/en/advanced/security-updates.html\nOther Advisory URL: http://www.openwall.com/lists/oss-security/2016/04/20/11\nBugtraq ID: http://www.securityfocus.com/bid/96389\nVendor Specific News/Changelog Entry: https://github.com/visionmedia/debug/releases/tag/4.3.1\nVendor Specific Advisory URL: https://support.f5.com/csp/article/K46337613\n', 'debug-4.1.1', '/opt/mountebank/node_modules/http-proxy-agent/node_modules/debug/package.json')
('CVE-2021-21366', 'anchore_cve', 'xmldom-0.4.0\nCVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21366\nVendor Specific Advisory URL: https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv\nVendor Specific Advisory URL: https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135\nVendor Specific News/Changelog Entry: https://github.com/xmldom/xmldom/releases/tag/0.5.0\nOther Advisory URL: https://www.npmjs.com/advisories/1650\n', 'xmldom-0.4.0', '/opt/mountebank/node_modules/xmldom/package.json')
('CVE-2021-21366', 'twistlock_cve', 'xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.', 'xmldom-0.4.0', None)
('CVE-2017-18589', 'anchore_cve', 'cookie-0.4.0\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-18589', 'cookie-0.4.0', '/opt/mountebank/node_modules/cookie/package.json')
('CVE-2020-28500', 'twistlock_cve', 'Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.', 'lodash-4.17.20', None)
('GHSA-h6q6-9hqw-rwfv', 'anchore_cve', 'xmldom-0.4.0\nhttps://github.com/advisories/GHSA-h6q6-9hqw-rwfv', 'xmldom-0.4.0', '/opt/mountebank/node_modules/xmldom/package.json')
('CVE-2021-23337', 'twistlock_cve', 'Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.', 'lodash-4.17.20', None)
('CVE-2015-8315', 'anchore_cve', 'debug-4.1.1\nOther Advisory URL: https://nodesecurity.io/advisories/46\nCVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8315\nVendor URL: https://github.com/unshiftio/millisecond\nOther Advisory URL: https://nodesecurity.io/advisories/59\nVendor Specific News/Changelog Entry: https://github.com/unshiftio/millisecond/pull/4\nVendor Specific News/Changelog Entry: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836205\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/0f4fd585befe8ce9287f4407cbcd95c63a6f1cfd\nVendor Specific Solution URL: https://github.com/astro/node-stringprep/commit/e9d5b40ab3c6a03546309ba84b08b159b5d0db59\nVendor Specific Solution URL: https://github.com/zeit/ms/pull/89/commits/305f2ddcd4eff7cc7c518aca6bb2b2d2daad8fef\nVendor Specific Solution URL: https://github.com/zeit/ms/pull/89\nOther Advisory URL: https://snyk.io/vuln/npm:ms:20170412\nVendor Specific Solution URL: https://github.com/visionmedia/debug/pull/458\nVendor Specific News/Changelog Entry: https://github.com/visionmedia/debug/blob/master/CHANGELOG.md\nVendor Specific News/Changelog Entry: https://github.com/Automattic/mongoose/blob/master/History.md\nBug Tracker: https://github.com/Automattic/mongoose/issues/5275\nVendor Specific News/Changelog Entry: http://expressjs.com/en/advanced/security-updates.html\nOther Advisory URL: http://www.openwall.com/lists/oss-security/2016/04/20/11\nBugtraq ID: http://www.securityfocus.com/bid/96389\nVendor Specific News/Changelog Entry: https://github.com/visionmedia/debug/releases/tag/4.3.1\nVendor Specific Advisory URL: https://support.f5.com/csp/article/K46337613\n', 'debug-4.1.1', '/opt/mountebank/node_modules/https-proxy-agent/node_modules/debug/package.json')
('CVE-2020-28500', 'anchore_cve', 'lodash-4.17.20\nVendor Specific Solution URL: https://github.com/lodash/lodash/pull/5065\nCVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28500\nOther Advisory URL: https://attackerkb.com/topics/8BypMyaL5A/cve-2020-28500\nOther Solution URL: https://github.com/lodash/lodash/commit/02906b8191d3c100c193fe6f7b27d1c40f200bb7\nOther Advisory URL: https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\nOther Advisory URL: https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\nOther Advisory URL: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\nOther Advisory URL: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\nOther Advisory URL: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\nOther Advisory URL: https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\nOther Advisory URL: https://snyk.io/vuln/SNYK-JS-LODASH-1018905\nVendor Specific News/Changelog Entry: https://security.netapp.com/advisory/ntap-20210312-0006/\nBug Tracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086\n', 'lodash-4.17.20', '/opt/mountebank/node_modules/lodash/package.json')
('CVE-2017-16137', 'anchore_cve', 'debug-4.1.1\nVendor Specific News/Changelog Entry: http://expressjs.com/en/advanced/security-updates.html\nBug Tracker: https://github.com/visionmedia/debug/issues/501\nVendor Specific Solution URL: https://github.com/visionmedia/debug/pull/504\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/42a6ae0737f9243c80b6d3dbb08a69a7ae2a1061\nGeneric Informational URL: https://snyk.io/vuln/npm:debug:20170905\nVendor Specific Advisory URL: https://nodesecurity.io/advisories/534\nVendor URL: https://www.npmjs.com/package/debug\nCVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16137\nGeneric Informational URL: https://www.us-cert.gov/ncas/bulletins/SB18-162\nVendor Specific Advisory URL: https://github.com/visionmedia/debug/issues/797\nMail List Post: https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E\nMail List Post: https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac\n', 'debug-4.1.1', '/opt/mountebank/node_modules/http-proxy-agent/node_modules/debug/package.json')
('CVE-2017-16137', 'anchore_cve', 'debug-4.1.1\nVendor Specific News/Changelog Entry: http://expressjs.com/en/advanced/security-updates.html\nBug Tracker: https://github.com/visionmedia/debug/issues/501\nVendor Specific Solution URL: https://github.com/visionmedia/debug/pull/504\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/42a6ae0737f9243c80b6d3dbb08a69a7ae2a1061\nGeneric Informational URL: https://snyk.io/vuln/npm:debug:20170905\nVendor Specific Advisory URL: https://nodesecurity.io/advisories/534\nVendor URL: https://www.npmjs.com/package/debug\nCVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16137\nGeneric Informational URL: https://www.us-cert.gov/ncas/bulletins/SB18-162\nVendor Specific Advisory URL: https://github.com/visionmedia/debug/issues/797\nMail List Post: https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E\nMail List Post: https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\nVendor Specific Solution URL: https://github.com/visionmedia/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac\n', 'debug-4.1.1', '/opt/mountebank/node_modules/https-proxy-agent/node_modules/debug/package.json')
Findings from direct query not in api
('cbff271f45d32e78dcc1979dbca9c14d', 'anchore_comp', 'User root found as effective user, which is explicity not allowed\n Gate: dockerfile\n Trigger: effective_user\n Policy ID: DoDEffectiveUserChecks', None, None)
('41cb7cdf04850e33a11f80c42bf660b3', 'anchore_comp', "Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check\n Gate: dockerfile\n Trigger: instruction\n Policy ID: DoDDockerfileChecks", None, None)
section_end:1617633531:step_script
section_start:1617633531:upload_artifacts_on_failure
Uploading artifacts for failed job
Uploading artifacts...
ci-artifacts/compare/: found 2 matching files and directories
Uploading artifacts as "archive" to coordinator... ok id=2606403 responseStatus=201 Created token=3sJBFLzy
section_end:1617633532:upload_artifacts_on_failure
section_start:1617633532:cleanup_file_variables
Cleaning up file based variables
section_end:1617633532:cleanup_file_variables
ERROR: Job failed: command terminated with exit code 4