
Leaves behind artifacts as `root` user

Status: Open. ron-spree opened this issue 2 years ago, 2 comments

Scenario:

Invoked as a GitHub Action, running on self-hosted runners. Runners are using runner.runner for their UID/GID.

Running with:

  depcheck:
    runs-on: self-hosted
    name: OWASP DepCheck
    steps: 
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: ${{ github.event.repository.name }}
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 7
            --enableRetired

      - name: Upload OWASP Test results
        uses: actions/upload-artifact@master
        with:
          name: Depcheck report
          path: ${{github.workspace}}/reports

This leaves behind artifacts (in the workspace's reports folder) as root.root, and subsequent steps or jobs run on the same machine will fail.

For example, running this (after a scan)

  steps:
    - name: Checkout Reset for next validations
      uses: actions/checkout@v2

will produce this error (with GitHub Actions debugging enabled):

Cleaning the repository
  /usr/bin/git clean -ffdx
  warning: failed to remove reports/dependency-check-report.html: Permission denied
  Removing node_modules/
  ##[debug]The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '/runner/_work/test-demo/test-demo'.
  ::endgroup::
Warning: Unable to clean or reset the repository. The repository will be recreated instead.
Deleting the contents of '/runner/_work/test-demo/test-demo'
##[debug]Unsetting HOME override
::remove-matcher owner=checkout-git::
##[debug]Removed matchers: 'checkout-git'
Error: Command failed: rm -rf /runner/_work/test-demo/test-demo/reports
rm: cannot remove '/runner/_work/test-demo/test-demo/reports/dependency-check-report.html': Permission denied

That location on the runners now has:

  drwxr-xr-x 4 runner runner 34 Jun 29 00:23 .
  drwxr-xr-x 3 runner runner 26 Jun  5 14:10 ..
  drwxr-xr-x 2 root   root   42 Jun 29 00:14 reports

I would guess it might be because of this: https://github.com/dependency-check/Dependency-Check_Action/blob/main/Dockerfile#L11

(Sets USER root)

Since packages are not being installed anymore: https://github.com/dependency-check/Dependency-Check_Action/commit/cd2308ea86de95ab6fdfebcfd2b9c88f25330438

is the root user still needed?

ron-spree, Jun 29 '23 01:06
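The ownership problem above only surfaces when a later step tries to clean the workspace. The following POSIX shell script is an added example, not part of this issue or of the Dependency-Check_Action code: it walks a workspace and reports every path whose owner UID differs from the runner's, so a job on a self-hosted runner can fail with a clear message right after the container step instead of with a confusing checkout error. The function names and the suggested call in the final comment are this example's own; `GITHUB_WORKSPACE` is the standard Actions variable.

```shell
#!/bin/sh
# Added example (not from the issue or the action): find files left in a
# workspace by a container step that ran as a different UID than the runner.

# Print every path under $1 whose owner UID is not $2, one per line.
foreign_files() {
    dir=$1
    uid=$2
    # '! -uid' is POSIX find; errors (unreadable dirs) are dropped so the
    # list stays machine-readable.
    find "$dir" ! -uid "$uid" -print 2>/dev/null
}

# Number of such paths (0 when the whole tree belongs to UID $2).
count_foreign_files() {
    foreign_files "$1" "$2" | wc -l | tr -d ' '
}

# Human-readable 'ls -ld' listing of the offenders, like the one in the issue.
list_foreign_files() {
    find "$1" ! -uid "$2" -exec ls -ld {} + 2>/dev/null
}

# Return 0 when every path under $1 is owned by UID $2, 1 otherwise.
# On failure the offenders are listed on stderr so the job log says why a
# later 'git clean -ffdx' or 'rm -rf' would hit "Permission denied".
workspace_owned_by() {
    n=$(count_foreign_files "$1" "$2")
    if [ "$n" -ne 0 ]; then
        printf '%s path(s) under %s are not owned by uid %s:\n' "$n" "$1" "$2" >&2
        list_foreign_files "$1" "$2" >&2
        return 1
    fi
    return 0
}

# In a workflow step on a self-hosted runner (GITHUB_WORKSPACE is the
# standard Actions variable; the call itself is this example's suggestion):
#   workspace_owned_by "$GITHUB_WORKSPACE" "$(id -u)" || exit 1
```

The script only detects the leftovers: deleting a root-owned `reports/` directory still needs a process running with that UID, which is why the thread's remedy is for the action not to run as root in the first place.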

Hi. That's an interesting one. I agree with you, I don't think root is needed anymore; however, the entrypoint sh will need to be copied to another folder instead of /.

Would you be happy to do a PR removing the line that sets the root user, and also modifying the path of the entrypoint, so you will appear as a contributor here ;)

thanks

javixeneize, Jun 29 '23 07:06

I'm also affected by this issue. It would be nice to have it run as an unprivileged user.

romeupalos, Jan 18 '24 02:01