Nodejscan in Gitlab SAST gives no matches found

Question

I am using the official template of SAST in my .gitlab-ci.yml

sast:
  stage: test
include:
- template: Security/SAST.gitlab-ci.yml

The pipeline runs and the Nodejsscan throws below message

[WARN] [NodeJsScan] No match in /builds/test/frontend/test-frontend

The path builds/test/frontend/test-frontend contains package.json in the top level of the repo only.

After adding the src directory also, it shows No matches

$ cd src/
$ ls
App.scss
App.test.tsx
App.tsx
assets
components
containers
environments
fonts.scss
hooks
index.scss
index.tsx
models
react-app-env.d.ts
serviceWorker.ts
services
setupTests.ts
testHelpers.ts
testsMockData.ts
variables.scss
viewModels
$ /analyzer run
[INFO] [NodeJsScan] [2024-01-30T13:11:13Z] ▶ GitLab NodeJsScan analyzer v4.1.8
[INFO] [NodeJsScan] [2024-01-30T13:11:13Z] ▶ Detecting project
[WARN] [NodeJsScan] [2024-01-30T13:11:13Z] ▶ No match in builds/test/frontend/test-frontend

How to enable the nodejscan to analyze the project

Answer 1

Check if this is similar to this thread, with a warning about gl-sast-report.json not being found as an artifact: it is similar to the warning you are receiving in your pipeline.

• The gl-sast-report.json file is expected to be generated by the SAST job and should be declared as an artifact for the job to capture.
• Users in the thread attempted different configurations to correctly capture this file as an artifact.
• One suggestion was to make sure the include statements for SAST templates were correctly placed in the .gitlab-ci.yml file.
• Another point of discussion was whether the SAST job was actually creating the gl-sast-report.json file.

So make sure your .gitlab-ci.yml is correctly configured to generate and capture gl-sast-report.json.
The relevant portion (with artifacts:reports:sast) should be:

sast:
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - 'gl-sast-report.json'

Enable CI_DEBUG_TRACE as a variable in your job to get more verbose logs. And confirm whether the SAST job is actually generating the gl-sast-report.json file. If the file is not being created, the problem might lie with the SAST scanner's operation rather than the CI/CD configuration.

---

There are 2 issues here. One is artifact are not getting uploaded and Nodejscan throws a warning message ([WARN] [NodeJsScan] No match in /builds/test/frontend/test-frontend)

No code scanning happened in the Nodejscan job. Since no code can has been performed, the gl-sast-report.json not created.
How to make sure the Nodejscan job to scan the project?

Make sure your JavaScript or TypeScript files are located in the directory /builds/test/frontend/test-frontend. NodeJsScan needs to find the files it is supposed to scan. If your files are in a different directory, you will need to adjust the path in the CI/CD configuration.

Check your .gitlab-ci.yml file to make sure it is properly set up for NodeJsScan. The NodeJsScan job should be configured to point to the directory where your JavaScript/TypeScript files are located. For instance:

include:
    - template: Security/SAST.gitlab-ci.yml

variables:
    SAST_DEFAULT_ANALYZERS: "nodejs-scan"

nodejs-scan:
    script:
    - /analyzer run
    artifacts:
    reports:
        sast: gl-sast-report.json
    paths:
        - gl-sast-report.json

NodeJsScan typically expects a package.json file in the scanned directory. Make sure this file is present and correctly set up.
Try running NodeJsScan locally on your project to see if it successfully scans your files. That can help determine if the issue is with the GitLab CI/CD configuration or with the project setup itself.

---

package.json is located in the /builds/test/frontend/test-frontend and Javascript and typescript are in /builds/test/frontend/test-frontend/src.
How to mention the nodejs-scan to scan into src directory?"

To configure NodeJsScan in GitLab CI/CD to scan the JavaScript and TypeScript files located in /builds/test/frontend/test-frontend/src, you will need to adjust the configuration in your .gitlab-ci.yml file: you can specify a custom script to change the working directory to the src folder before running the scan. That can be done using shell commands.

include:
    - template: Security/SAST.gitlab-ci.yml

variables:
    SAST_DEFAULT_ANALYZERS: "nodejs-scan"

nodejs-scan:
    script:
    - cd src
    - /analyzer run
    artifacts:
    reports:
        sast: gl-sast-report.json
    paths:
        - gl-sast-report.json

The cd src command changes the current working directory to src before executing the NodeJsScan analyzer.

---

[WARN] [NodeJsScan] [2024-01-30T13:11:13Z] ▶ No match in builds/test/frontend/test-frontend

How to enable the nodejscan to analyze the project?

Given that NodeJsScan still fails to scan the project even after correctly changing the directory to src/, it seems the issue might be related to how NodeJsScan is recognizing the files in your project.

NodeJsScan might require explicit instructions on which file patterns to scan. You can modify its command to include specific file types.
For instance, scanning all .js and .tsx files. That can be done by modifying the /analyzer run command to include the desired file patterns.

For testing:

nodejs-scan:
  script:
    - cd src/
    - find . -name "*.js" -o -name "*.tsx" | xargs /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - gl-sast-report.json

Answer 2

Adding jest.config.js to the project root fixed "No match in" for me. It can even be an empty file:

touch jest.config.js

Once NodeJsScan runs correctly the report is generated and uploading it as an artifact succeeds as well.