Include all Dependency Scanning tools into Gemnasium
Problem to solve
We currently have Gemnasium to provide Dependency Scanning features, but we are also using a couple of other tools (Retire.js and bundler-audit). Since it could be easier to maintain a single application, we can consider including everything into Gemnasium.
Benefits:
- only one project to maintain
- auto-remediation available for all detected advisories (if the package manager is supported); right now auto remediation is only available in Gemnasium and porting it to Retire.js doesn't seem realistic - not to mention the extra maintenance cost
- no orchestrator, no need for Docker-in-Docker; not needed anymore, see #12487 (closed); also we may have to keep multiple CI jobs, with different base images corresponding to various environments, like Python and Java Maven
Challenges and possible limitations:
- right now Gemnasium only detects affected libraries, not affected interpreters
- the Gemnasium DB may not feature all the advisories bundler-audit and retire.js know about
- retire.js detects affected minified libraries based on their filenames (mostly) and fingerprints (rarely); there's no such thing in Gemnasium
- even if we're able to merge gemnasium-maven and gemnasium-python into the main gemnasium project, we may still have to generate 2 specific Docker images, because the base images are different; they target Java Maven and Python, respectively
Proposal
Leverage the new Gemnasium architecture and add an abstraction over three filesystem-based advisory databases:
Alternatively, make sure gemnasium-db contains all the advisories ruby-advisory-db and retire.js have, and that its schema is a superset of retire.js' and ruby-advisory-db's.
Dependencies
Features to be implemented in Gemnasium before it can replace bundler-audit and retire.js:
- add severity to the Security reports; see #8213 (closed)
- report JavaScript vulnerabilities based on filenames and fingerprints, respectively named extractors and hashes in Retire.js
- report vulnerabilities for the Ruby interpreter and its Rubygem library, like in rubysec/ruby-advisory-db; see #10588 (closed)