Error: No such container:path
john047 opened this issue · comments
What happened:
Error: No such container:path: 211304:/opt/horusec/horusec-report.json
How to reproduce it (as minimally and precisely as possible):
my job for release branch:
horusec_sast:
stage: check-code
image: docker:19.03.12
rules:
- if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
allow_failure: true
script:
- docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O horusec-report.json
- docker cp ${CI_JOB_ID}:/opt/horusec/horusec-report.json ${CI_PROJECT_DIR}/horusec-report.json
# remove image
- docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
- docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true
# remove stopped containers
- docker rm -f $(docker ps -a -q --filter 'exited=0') || true
artifacts:
paths:
- horusec-report.json
expire_in: 1 weeks
Anything else we need to know?:
this job works correctly for test branch ($CI_COMMIT_REF_NAME == "test"), but when I merge to release branch I get following error:
$ docker cp ${CI_JOB_ID}:/opt/horusec/horusec-report.json ${CI_PROJECT_DIR}/horusec-report.json
Error: No such container:path: 211304:/opt/horusec/horusec-report.json
Environment:
- Horusec version (use
horusec version):
Version: v2.8.0
Git commit: df32c1c
Built: Wed Jun 08 13:57:08 2022
Distribution: normal
What am I doing wrong?
Help, please!
Hello @john047
From what I understand you are trying to acquire the output in json format, for this I recommend using the volumes functionality instead of the docker copy so it would be easier, it would be something like:
horusec_sast:
stage: check-code
image: docker:19.03.12
rules:
- if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
allow_failure: true
script:
- mkdir -p ${CI_PROJECT_DIR}/../horusec-output
- docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/../horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json
# you can see your report here
- cat ${CI_PROJECT_DIR}/../horusec-output/horusec-report.json
# remove image
- docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
- docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true
# remove stopped containers
- docker rm -f $(docker ps -a -q --filter 'exited=0') || true
artifacts:
paths:
- horusec-report.json
expire_in: 1 weeks
Hello @wiliansilvazup
I tried two options for runnig a job.
The first one as you suggested:
horusec_sast:
stage: check-code
image: docker:19.03.12
rules:
- if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
allow_failure: true
script:
- mkdir -p ${CI_PROJECT_DIR}/../horusec-output
- docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/../horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json
# you can see your report here
- cat ${CI_PROJECT_DIR}/../horusec-output/horusec-report.json
# remove image
- docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
- docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true
# remove stopped containers
- docker rm -f $(docker ps -a -q --filter 'exited=0') || true
artifacts:
paths:
- horusec-report.json
expire_in: 1 weeks
got following logs:
$ mkdir -p ${CI_PROJECT_DIR}/../horusec-output
$ docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/../horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json
time="2022-06-28T12:38:12Z" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2022-06-28T12:38:12Z" level=warning msg="Horusec will return a timeout after 600 seconds. This time can be customized in the cli settings."
time="2022-06-28T12:38:12Z" level=warning msg="{HORUSEC_CLI} PLEASE DON'T REMOVE \".horusec\" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/opt/horusec/.horusec/708ab691-5690-4d7a-ac76-a7a1ed820fa0]"
time="2022-06-28T12:38:22Z" level=info msg="{HORUSEC_CLI} Writing output JSON to file in the path: /opt/horusec-output/horusec-report.json"
time="2022-06-28T12:38:22Z" level=warning msg="{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis"
time="2022-06-28T12:38:22Z" level=warning msg="YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!"
time="2022-06-28T12:38:22Z" level=warning msg="{HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option \"--information-severity=true\". For more details use (horusec start --help) command."
$ cat ${CI_PROJECT_DIR}/../horusec-output/horusec-report.json
cat: can't open '/builds/group/subgroup/project/../horusec-output/horusec-report.json': No such file or directory
ERROR: Job failed: exit code 1
What does the construction /../ above mean (in command mkdir -p ${CI_PROJECT_DIR}/../horusec-output)?
The second:
horusec_sast:
stage: check-code
image: docker:19.03.12
rules:
- if: $CI_COMMIT_REF_NAME =~ /^release-.*$/
allow_failure: true
script:
- mkdir -p ${CI_PROJECT_DIR}/horusec-output
- docker run --name ${CI_JOB_ID} -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json
# you can see your report here
- cat ${CI_PROJECT_DIR}/horusec-output/horusec-report.json
# remove image
- docker rmi -f $(docker images --filter=reference=horuszup/horusec-cli:latest --format "{{.ID}}") || true
- docker rmi $(docker images -q -f "dangling=true" -f "label=autodelete=true") || true
# remove stopped containers
- docker rm -f $(docker ps -a -q --filter 'exited=0') || true
artifacts:
paths:
- horusec-report.json
expire_in: 1 weeks
and got logs:
$ mkdir -p ${CI_PROJECT_DIR}/horusec-output
$ docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}/horusec-output:/opt/horusec-output -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest horusec start -p /opt/horusec -P ${CI_PROJECT_DIR} -o json -O /opt/horusec-output/horusec-report.json
time="2022-06-28T12:41:15Z" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2022-06-28T12:41:15Z" level=warning msg="Horusec will return a timeout after 600 seconds. This time can be customized in the cli settings."
time="2022-06-28T12:41:15Z" level=warning msg="{HORUSEC_CLI} PLEASE DON'T REMOVE \".horusec\" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/opt/horusec/.horusec/c2a2ede7-5c33-45aa-9666-bc6dccf6fb21]"
time="2022-06-28T12:41:38Z" level=info msg="{HORUSEC_CLI} Writing output JSON to file in the path: /opt/horusec-output/horusec-report.json"
time="2022-06-28T12:41:38Z" level=warning msg="{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis"
time="2022-06-28T12:41:38Z" level=warning msg="YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!"
time="2022-06-28T12:41:38Z" level=warning msg="{HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option \"--information-severity=true\". For more details use (horusec start --help) command."
$ cat ${CI_PROJECT_DIR}/horusec-output/horusec-report.json
cat: can't open '/builds/group/subgroup/project/horusec-output/horusec-report.json': No such file or directory
ERROR: Job failed: exit code 1
Config of gitlab-runner - config.toml: privileged = true, volumes = [“/var/run/docker.sock:/var/run/docker.sock”, “/cache”].
I can also say that it is possible that when the utility is launched through the docker run, the directory with the project is not mounted, since when changing the сonfig of gitlab-runner to volumes = [“/var/run/docker.sock:/var/run/docker.sock”, “/cache”, "/builds:/builds"], the job logs will indicate that vulnerabilities were found, although it is clear above that they are not (YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!). Unfortunately, this setting leads to the inoperability of deploying services and has been removed from the config of gitlab-runner.
For the utility to work, do I need to use the services as written in the documentation?
https://docs.horusec.io/docs/cli/installation/#gitlab-cicd
As I wrote above, the directory with the project is not mounted:
horusec_sast:
stage: check-code
image: docker:19.03.12
script:
- ls -la ${CI_PROJECT_DIR}
- docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest ls -la /opt/horusec
logs:
$ ls -la ${CI_PROJECT_DIR}
total 52
drwxrwxrwx 4 root root 4096 Jun 28 19:49 .
drwxrwxrwx 4 root root 4096 Jun 28 19:49 ..
-rw-rw-rw- 1 root root 127 Jun 28 19:49 .dockerignore
drwxrwxrwx 6 root root 4096 Jun 28 19:49 .git
-rw-rw-rw- 1 root root 7495 Jun 28 19:49 .gitignore
-rw-rw-rw- 1 root root 306 Jun 28 19:49 .gitlab-ci.yml
-rw-rw-rw- 1 root root 889 Jun 28 19:49 Dockerfile
-rw-rw-rw- 1 root root 1033 Jun 28 19:49 README.md
-rw-rw-rw- 1 root root 6237 Jun 28 19:49 Developer.sln
-rw-rw-rw- 1 root root 2033 Jun 28 19:49 Developer.sln.DotSettings
drwxrwxrwx 10 root root 4096 Jun 28 19:49 src
$ docker run -v /var/run/docker.sock:/var/run/docker.sock -v ${CI_PROJECT_DIR}:/opt/horusec horuszup/horusec-cli:latest ls -la /opt/horusec
total 36
drwxr-xr-x 8 root root 4096 Jun 28 19:44 .
drwxr-xr-x 1 root root 4096 Jun 28 19:49 ..
drwxr-xr-x 2 root root 4096 Jun 28 12:41 horusec-output
-rw-r--r-- 1 root root 408 Jun 28 08:32 horusec-report.json
drwxr-xr-x 2 root root 4096 Jun 23 06:56 mnt
drwxr-xr-x 2 root root 4096 Jun 20 21:55 odc-reports
drwxr-xr-x 2 root root 4096 Jun 23 07:09 shared
drwxr-xr-x 2 root root 4096 Jun 28 12:23 tmp.BMhcfm
drwxr-xr-x 2 root root 4096 Jun 28 12:21 tmp.BkJKmf
How to solve this problem?
Please explain how services and socket can work together?
After all, there must be one thing, either a service or a socket.
https://docs.horusec.io/docs/cli/installation/#gitlab-cicd
I still do not have a solution to the problem of mounting a directory with a project!
A lot of time has already been spent on solving the problem of mounting a directory with a project.
According to the documentation, I cannot configure the use of the utility!
By next job (2nd command in script) I can access repository files:
horusec_sast:
stage: check-code
image: docker:19.03.12
script:
- export CONTAINER_ID=$(docker ps -q -f "label=com.gitlab.gitlab-runner.job.id=$CI_JOB_ID" -f "label=com.gitlab.gitlab-runner.type=build")
- docker run -v /var/run/docker.sock:/var/run/docker.sock --volumes-from ${CONTAINER_ID} -w /builds/${CI_PROJECT_PATH} horuszup/horusec-cli:latest ls -la
- docker run -v /var/run/docker.sock:/var/run/docker.sock --volumes-from ${CONTAINER_ID} -w /builds/${CI_PROJECT_PATH} horuszup/horusec-cli:latest horusec start -p ./ -P ${CI_PROJECT_DIR} -o json -O horusec-report.json
BUT! In 3rd command in the script above I can't do it!
I get errors:
time="2022-06-30T08:02:48Z" level=warning msg="{HORUSEC_CLI} Config file not found"
time="2022-06-30T08:02:48Z" level=warning msg="{HORUSEC_CLI} When starting the analysis WE SKIP A TOTAL OF 30 FILES that are not considered to be analyzed. To see more details use flag --log-level=debug"
time="2022-06-30T08:02:48Z" level=warning msg="Horusec will return a timeout after 600 seconds. This time can be customized in the cli settings."
time="2022-06-30T08:02:48Z" level=warning msg="{HORUSEC_CLI} PLEASE DON'T REMOVE \".horusec\" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6]"
⣷ Scanning code ...time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
⣾ Scanning code ...time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:51Z" level=error msg="{HORUSEC_CLI} Error when create container of analysis: " error="Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=info msg="{HORUSEC_CLI} Writing output JSON to file in the path: /builds/group/subgroup/project/horusec-report.json"
time="2022-06-30T08:02:52Z" level=warning msg="{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis"
time="2022-06-30T08:02:52Z" level=warning msg="YOUR ANALYSIS HAD FINISHED WITHOUT ANY VULNERABILITY!"
time="2022-06-30T08:02:52Z" level=warning msg="{HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option \"--information-severity=true\". For more details use (horusec start --help) command."
==================================================================================
time="2022-06-30T08:02:52Z" level=warning msg="{HORUSEC_CLI} During execution we found some problems:"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool Trivy: trivy config cmd: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool Semgrep: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool SecurityCodeScan: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
time="2022-06-30T08:02:52Z" level=error msg="{HORUSEC_CLI} Error while running tool DotnetCli: Error response from daemon: invalid mount config for type \"bind\": bind source path does not exist: /builds/group/subgroup/project/.horusec/a247795d-9099-4898-81e4-1bf95e500ca6"
Config of gitlab-runner has privileged = true.
I ask for help!
Can someone from here help?
@john047 About the problem I tested in a gitlab configuration and it worked fine, however when checking the output of the first attempt horusec could not find any vulnerability so the file will not be created. Try adding a vulnerability and see what the output will look like in this case. For example Create a test yaml file with an exposed password something like:
test:
envs:
- PASSWORD: "CHECK IF THIS WILL WORKS"
And check if you will found the report expected. For me works fine :)
@wiliansilvazup, yes your advice works but when I run it manual the tool finds two vulnerabilities:
- "details": "Hard-coded password - from yaml file how mentioned above
- "details": "Running containers with 'root' user can lead to a container escape situation - from Dockerfile
And i got 26 vulnerabilities when i ran the tool via docker run!
Why is the scan result different in giltab, manual (from binary file) and docker run?