Security vulnerabilities finder
Description
Most projects use external libraries. We already warn project members when the licence of one of these libraries changes (License finder - https://gitlab.com/gitlab-org/gitlab-ee/issues/1125).
However, we don't warn project members when a known security vulnerability is published for one of these libraries. Several SaaS products already do this (see the links below), but there is value in providing this feature inside GitLab directly.
Proposal
- For every commit pushed to an MR, check whether any of the project's external libraries, at the versions the project depends on, has a known security vulnerability.
- If one is found, display a message in the MR listing the affected libraries, along with indications of how to fix it (typically the version to upgrade to).
- The analysis is based on the content of package manager config files, such as Gemfile / Gemfile.lock, composer.json / composer.lock, etc. (a lockfile gives the exact resolved versions; the manifest alone only gives version constraints).
| Settings | Vulnerability Finder passed | Vulnerability Finder failed |
|---|---|---|
| (mockup) | (mockup) | (mockup) |
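To make the proposed check concrete, here is an added Ruby example (not code from this issue or from GitLab) that does what bundler-audit does for a single commit: parse the repository's Gemfile.lock, compare each resolved gem version against an advisory list, and produce the pass/fail message with an upgrade hint per finding. The lockfile excerpt and the advisory entries below are constructed for the example; the advisory identifiers are placeholders, not real CVEs, and a real implementation would load rubysec/ruby-advisory-db or CVE/NVD data instead.

```ruby
# Added example: dependency vulnerability check over a Gemfile.lock, in the
# spirit of bundler-audit. Not GitLab code; lockfile and advisories are
# constructed for the example.
require 'rubygems'

# Constructed Gemfile.lock excerpt (what the MR check would read from the
# repository at the commit being analysed).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.0)
      rack-test (0.6.3)
        rack (>= 1.0)
      nokogiri (1.6.7)
        mini_portile2 (~> 2.0)
      mini_portile2 (2.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rack-test
LOCK

# Constructed advisory database keyed by gem name. The ids are placeholders,
# not real advisory identifiers. `patched` and `unaffected` are RubyGems
# requirement strings, the same shape ruby-advisory-db uses.
ADVISORIES = {
  'rack' => [
    { id: 'EXAMPLE-0001', title: 'example: unsafe header handling',
      patched: ['>= 1.6.2'], unaffected: ['< 1.5.0'] }
  ],
  'nokogiri' => [
    { id: 'EXAMPLE-0002', title: 'example: bundled libxml2 issue',
      patched: ['>= 1.6.8'], unaffected: [] }
  ]
}.freeze

# Parse the `specs:` block of a Gemfile.lock into { name => Gem::Version }.
# Only lines indented by exactly four spaces name a resolved gem; deeper
# lines are that gem's own dependencies and carry constraints, not versions.
# (Platform suffixes such as "1.6.7-x86-mingw32" are not split off here.)
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    # A blank or non-indented line (PLATFORMS, DEPENDENCIES) ends the block.
    in_specs = false if in_specs && (line.strip.empty? || line !~ /\A\s/)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# A version is vulnerable to an advisory unless it satisfies one of the
# advisory's `unaffected` or `patched` requirements.
def vulnerable?(version, advisory)
  (advisory[:unaffected] + advisory[:patched]).none? do |req|
    Gem::Requirement.new(req).satisfied_by?(version)
  end
end

# Scan the lockfile and return one finding per (gem, advisory) pair, each
# carrying the upgrade hint the MR widget would display.
def scan(lockfile_text, advertisories = ADVISORIES)
  parse_lockfile(lockfile_text).flat_map do |name, version|
    (advertisories[name] || []).select { |adv| vulnerable?(version, adv) }.map do |adv|
      { gem: name, version: version.to_s, advisory: adv[:id], title: adv[:title],
        fix: "upgrade #{name} to #{adv[:patched].join(' or ')}" }
    end
  end
end

# Render the MR message: pass/fail line plus one line per finding.
def report(findings)
  return 'Vulnerability Finder passed: no known vulnerable dependencies' if findings.empty?
  lines = ["Vulnerability Finder failed: #{findings.size} finding(s)"]
  findings.each do |f|
    lines << "  #{f[:gem]} #{f[:version]}: #{f[:advisory]} (#{f[:title]}) -> #{f[:fix]}"
  end
  lines.join("\n")
end

puts report(scan(LOCKFILE)) if __FILE__ == $PROGRAM_NAME
```

Running the script on the constructed lockfile reports rack 1.6.0 and nokogiri 1.6.7 as vulnerable with their upgrade targets; bumping rack to 1.6.4 (patched) or 1.4.7 (unaffected range) clears that finding. The check is driven by the lockfile rather than the Gemfile because only the lockfile pins the version actually installed.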
Links / references
- Appcanary: https://appcanary.com/
- VersionEye: https://versioneye.com
- Hakiri: dependency and code vulnerability scanning for Ruby: https://hakiri.io/
- Code Climate: https://codeclimate.com/
- List of vulnerabilities (CVE): https://cve.mitre.org/
- bundler-audit, patch-level verification for Bundler: https://github.com/rubysec/bundler-audit
- OWASP Dependency-Check: https://github.com/jeremylong/DependencyCheck