Leaves behind artifacts as root user #22

Open
ron-spree opened this issue Jun 29, 2023 · 2 comments

Comments

@ron-spree

Scenario:

Invoked as a github actions, running on self-hosted runners
Runners are using runner.runner for their UID/GID

Running with:

jobs:
  depcheck:
    runs-on: self-hosted
    name: OWASP DepCheck
    steps:
      # Docker container action; the report is written to reports/ in the workspace
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: ${{ github.event.repository.name }}
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 7
            --enableRetired

      - name: Upload OWASP Test results
        uses: actions/upload-artifact@master
        with:
          name: Depcheck report
          path: ${{github.workspace}}/reports

This leaves behind artifacts (in the workspace's reports folder) as root.root, and subsequent steps or jobs run on the same machine will fail.

For example, running this (after a scan)

steps:
  - name: Checkout Reset for next validations
    uses: actions/checkout@v2

Will have this error (with Github Actions debugging enabled):

Cleaning the repository
  /usr/bin/git clean -ffdx
  warning: failed to remove reports/dependency-check-report.html: Permission denied
  Removing node_modules/
  ##[debug]The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '/runner/_work/test-demo/test-demo'.
  ::endgroup::
Warning: Unable to clean or reset the repository. The repository will be recreated instead.
Deleting the contents of '/runner/_work/test-demo/test-demo'
##[debug]Unsetting HOME override
::remove-matcher owner=checkout-git::
##[debug]Removed matchers: 'checkout-git'
Error: Command failed: rm -rf /runner/_work/test-demo/test-demo/reports
rm: cannot remove '/runner/_work/test-demo/test-demo/reports/dependency-check-report.html': Permission denied

That location on the runners now has:
drwxr-xr-x 4 runner runner 34 Jun 29 00:23 .
drwxr-xr-x 3 runner runner 26 Jun 5 14:10 ..
drwxr-xr-x 2 root root 42 Jun 29 00:14 reports

I would guess it might be because of this:
https://github.com/dependency-check/Dependency-Check_Action/blob/main/Dockerfile#L11

(sets USER root)

Since packages are not being installed anymore (cd2308e), is the root user still needed?

@javixeneize

Hi. That’s an interesting one. I agree with you, I don’t think root is needed anymore, however the entrypoint sh will need to be copied to another folder instead of /

Would you be happy to do a PR removing the line to set the root user, and also modify the path of the entrypoint, so you will appear as a contributor here ;)

thanks

@romeupalos

I'm also affected by this issue.
It would be nice to have it run as unprivileged user.
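Until the action's image stops running as root, users of self-hosted runners can reclaim the leftover files themselves. The script below is an added example, not part of this issue thread or the action's own code. It assumes the runner account can reach the Docker daemon (it must, to run a container action at all), that the workspace path passed in is absolute, and that an `alpine` image is pullable; the script name `reclaim.sh` is also an assumption. It lists every path under the workspace that is not owned by the current user, then runs `chown` as root inside a throwaway container with the workspace bind-mounted, which is the same mechanism that produced the root-owned `reports/` directory in the first place. One caveat on the Dockerfile change discussed above: GitHub's documentation for Docker container actions advises against the `USER` instruction, because a container user whose uid differs from the runner's cannot write the bind-mounted `GITHUB_WORKSPACE`; dropping `USER root` only avoids root-owned artifacts if the image's remaining user maps to the same uid as the runner account.

```shell
#!/bin/sh
# Added example, not from the action or the issue: reclaim files that a
# container action left behind as root in the workspace, so that later
# checkout/clean steps can remove them. Runs as the runner user, which can
# talk to the Docker daemon but usually has no sudo. The image tag and the
# script name are assumptions.

# List paths under $1 (an absolute directory) that are not owned by the
# invoking user. One path per line; empty output means nothing to fix.
foreign_owned() {
    dir=$1
    find "$dir" ! -user "$(id -un)" -print 2>/dev/null
}

# Number of foreign-owned entries under $1, as a plain integer string,
# convenient for `if` checks in workflow scripts.
foreign_owned_count() {
    foreign_owned "$1" | wc -l | tr -d ' '
}

# Hand everything under $1 back to the current uid:gid. chown runs as root
# inside a throwaway container with $1 bind-mounted at /w, the same trick
# (root container + mounted workspace) that created the root-owned files.
# $1 must be absolute because docker -v rejects relative host paths.
reclaim_ownership() {
    dir=$1
    docker run --rm -v "$dir:/w" alpine:3.18 chown -R "$(id -u):$(id -g)" /w
}

# Usage: add a step after the scan that runs even when the scan fails
# (--failOnCVSS makes the Depcheck step fail on findings), e.g.
#   - name: Reclaim workspace ownership
#     if: always()
#     run: sh reclaim.sh "$GITHUB_WORKSPACE"
if [ -n "$1" ]; then
    if [ "$(foreign_owned_count "$1")" -gt 0 ]; then
        echo "Foreign-owned paths under $1:"
        foreign_owned "$1"
        reclaim_ownership "$1"
    fi
fi
```

The detection step is deliberately separate from the repair step: on a healthy runner `foreign_owned` prints nothing and no container is started, so the post-step costs almost nothing when the action behaves.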
