Description
When running datadog-static-analyzer:latest (v0.7.6), the analyzer fails to fetch default rules from the Datadog API due to an SSL certificate verification error. The same command works successfully when using version 0.7.4 on the same host environment, suggesting a regression in how CA certificates are handled or included in the v0.7.6 Docker image.
Steps to Reproduce
Run the following command using the latest image:
docker run --rm --pull=always --user 1000:1000 \
-e DD_API_KEY=[REDACTED] \
-e DD_APP_KEY=[REDACTED] \
-e DD_SITE=datadoghq.eu \
-w /w ghcr.io/datadog/datadog-static-analyzer:latest \
--directory /w --format sarif --output /w/datadog-code-analysis-sast.sarif --add-git-info --diff-aware
Expected Behavior
The analyzer should successfully connect to https://api.datadoghq.eu and retrieve the default rulesets.
Actual Behavior
The analyzer fails with the following error:
Error: cannot get default rules
Caused by:
0: Could not query the DataDog API at default-rulesets/CSHARP: error sending request for url (https://api.datadoghq.eu/api/v2/static-analysis/default-rulesets/CSHARP)
1: error sending request for url (https://api.datadoghq.eu/api/v2/static-analysis/default-rulesets/CSHARP)
2: client error (Connect)
3: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2123: (unable to get local issuer certificate)
Environment / Version Details
- Failing version: ghcr.io/datadog/datadog-static-analyzer:latest (v0.7.6)
  - Digest: sha256:bf9c4a63f5c940199104c6cf36fad3853d9cc562c95bbf91cb1de64003ac5cc6
- Working version: ghcr.io/datadog/datadog-static-analyzer:0.7.4
  - Digest: sha256:c8601b217839e6024bb504d1a0505156b456ddc8ce40eb1568a0aa6b2c376f3e
- Host OS: Linux (Amazon Linux/RHEL)
Additional Context
The issue persists even when the latest image is force-pulled (`--pull=always`). Reverting to 0.7.4 resolves the connection issue immediately on the same infrastructure, which indicates the problem is most likely contained within the 0.7.6 image itself, either its root CA store or the underlying SSL configuration, rather than in the host.