doc/user/application_security/sast/troubleshooting.md
{{< details >}}
{{< /details >}}
The following troubleshooting scenarios have been collected from customer support cases. If you experience a problem not addressed here, or the information here does not fix your problem, see the GitLab Support page for ways to get help.
Debug-level logging can help when troubleshooting. For details, see debug-level logging.
The GitLab-managed SAST CI/CD template controls which analyzer jobs run and how they're configured. While you use the template, you might experience a job failure or other pipeline error. For example, you might:
'<your job>' needs 'spotbugs-sast' job, but 'spotbugs-sast' is not in any previous stage when you view an affected pipeline.If you're experiencing a job failure or seeing a SAST-related yaml invalid pipeline status, you can temporarily revert to an older version of the template so your pipelines keep working while you investigate the issue. To use an older version of the template, change the existing include statement in your CI/CD YAML file to refer to a specific template version, such as v15.3.3-ee:
include:
remote: 'https://gitlab.com/gitlab-org/gitlab/-/raw/v15.3.3-ee/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml'
If your GitLab instance has limited network connectivity, you can also download the file and host it elsewhere.
You should only use this solution temporarily. Return to the standard template as soon as possible.
GitLab SAST analyzers are released as container images. If you're seeing a new error that doesn't appear to be related to the GitLab-managed SAST CI/CD template or changes in your own project, you can try pinning the affected analyzer to a specific older version. You should only use this solution temporarily. Return to the standard template as soon as possible.
Each analyzer project has a CHANGELOG.md file listing the changes made in each available version.
The SAST job's log may include error messages that help pinpoint the root cause. Below are some of the error messages and recommended actions.
exec /bin/sh: exec format error` message in job log
GitLab SAST analyzers only support running on the amd64 CPU architecture.
This message indicates that the job is being run on a different architecture, such as arm.
Error response from daemon: error processing tar file: docker-tar: relocation error
This error occurs when the Docker version that runs the SAST job is 19.03.0. Consider updating to
Docker 19.03.1 or greater. Older versions are not affected. For more details, see
issue 13830 -
"Current SAST container fails".
gl-sast-report.json: no matching files
For information on this, see the general Application Security troubleshooting section.
sast is used for configuration only, and its script should not be executed
For information on this, see the GitLab Secure troubleshooting section.
An error occurred while creating the merge requestWhen attempting to enable SAST on a project by using the UI, the operation can fail with the warning:
An error occurred while creating the merge request.
This issue can occur because something prevents the branch being created for the merge request.
When configuring SAST by using the UI, a branch with a numeric suffix is created, for example set-sast-config-1.
Features such as a push rule that validates branch names
may block the creation of the branch because of the naming format.
To resolve this issue, edit the push rule so that it allows the branch naming format required by SAST.
The SAST CI template
uses the rules:exists parameter. For performance reasons, a maximum number of 10000 matches are
made against the given glob pattern. If the number of matches exceeds the maximum, the rules:exists
parameter returns true. Depending on the number of files in your repository, a SAST job might be
triggered even if the scanner doesn't support your project. For more details about this limitation,
see the rules:exists documentation.
Below are details of the most common SpotBugs errors that occur, and recommended actions.
These errors occur when UTF-8 encoding isn't enabled on a SpotBugs build and there are UTF-8 characters in the source code. To fix this error, enable UTF-8 for your project's build tool.
For Gradle builds, add the following to your build.gradle file:
compileJava.options.encoding = 'UTF-8'
tasks.withType(JavaCompile) {
options.encoding = 'UTF-8'
}
For Maven builds, add the following to your pom.xml file:
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
If your spotbugs-sast job is failing at the build step with the message "Project couldn't be built", it's most likely because:
The SpotBugs-based analyzer is only used for scanning Groovy code, but it may trigger in other cases, such as when all SAST jobs run unexpectedly.
The solution depends on whether you need to scan Groovy code:
spotbugs-sast job.When a spotbugs-sast job is running you might get an error that states java.lang.OutOfMemoryError. This issue occurs when Java has run out of memory while scanning.
To try to resolve this issue you can:
JAVA_OPTS to replace the default -XX:MaxRAMPercentage=80 (for example: -XX:MaxRAMPercentage=90).spotbugs-sast job.If your job log contains a message of the form "Exception analyzing ... using detector ..." followed by a Java stack trace, this is not a failure of the SAST pipeline. SpotBugs has determined that the exception is recoverable, logged it, and resumed analysis.
The first "..." part of the message is the class being analyzed - if it's not part of your project, you can likely ignore the message and the stack trace that follows.
If, on the other hand, the class being analyzed is part of your project, consider creating an issue with the SpotBugs project on GitHub.
This occurs when Flawfinder encounters an invalid UTF-8 character. To fix this, apply their documented advice to your entire repository, or only per job using the before_script feature.
You can configure the before_script section in each .gitlab-ci.yml file, or use a pipeline execution policy to install the encoder and run the converter command. For example, you can add a before_script section to the flawfinder-sast job generated from the security scanner template to convert all files with a .cpp extension.
---
pipeline_execution_policy:
- name: SAST
description: 'Run SAST on C++ application'
enabled: true
pipeline_config_strategy: inject_ci
content:
include:
- project: my-group/compliance-project
file: flawfinder.yml
ref: main
flawfinder.yml:
include:
- template: Jobs/SAST.gitlab-ci.yml
flawfinder-sast:
before_script:
- pip install cvt2utf
- cvt2utf convert "$PWD" -i cpp
If Semgrep is slow, reports too many false positives or false negatives, crashes, fails, or is otherwise broken, see the Semgrep docs for troubleshooting GitLab SAST.