Engineering Research: Which language framework / package manager should be next for Auto Remediation support for Dependency Scanning

Problem to solve

Auto Remediation recommends merge requests to automatically fix vulnerabilities.

It currently supports Dependency Scanning findings, but only for Yarn-based projects, which is very limited coverage.

Target audience

  • Sasha, Software Developer
  • Sam, Security Analyst

Proposal

We should add more package managers in the supported list but we need insights to decide on how to prioritize them.

The developer should review the currently supported package managers, evaluate which would be easiest to add suggested solutions for, and give a rough idea of the work needed to proceed (including a PoC if needed) before the issue moves to workflow::planning breakdown:

  • present at least one search algorithm we might use to implement suggested solutions, and see what it requires; it might be worth exploring another approach to be used when the first one doesn't fit the language
  • write down a list of requirements for adding suggested solutions support for a particular package manager
  • based on that, determine which package managers satisfy these requirements
  • implement a PoC for this package manager, if needed

What does success look like, and how can we measure that?

We know for each supported language/package manager which one we can provide suggested solutions for and what the effort is.

Discovery conclusions

PHP Composer seems to be the best next package manager for Auto Remediation.

  • The composer.json dependency file can easily be edited programmatically, and dependencies can also be added to it using the CLI.
  • The CLI makes it possible to selectively update any transitive dependency, so a conservative upgrade (bumping only the vulnerable package, not its dependents) can be achieved.
  • The composer.lock lock file (a JSON file) contains all the information needed to build a dependency graph, and it can be easily parsed.
  • It's easy to query the requirements of a given package on packagist.org (the public registry) or using the CLI.
  • It supports local repositories, so it should be possible to inject advisories as virtual packages, if we want to take this approach to find auto remediation solutions.
  • PHP Composer support is implemented in gemnasium, as opposed to gemnasium-maven or gemnasium-python, and it's easier to implement auto-remediation in that context, until we eventually merge all Gemnasium-based projects. See #198361 (closed)
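To make the composer.lock point concrete, here is an added example (not GitLab's or gemnasium's code) that parses a constructed composer.lock fragment, builds the dependency graph, finds every path from a root requirement in composer.json to a vulnerable package, and checks whether each direct dependent's constraint already admits the fixed version, which is exactly the question a conservative upgrade has to answer. The constraint evaluator is a deliberately simplified subset of Composer's syntax (caret, tilde and exact versions only); the package names, versions and the `remediation_plan` helper are assumptions for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed composer.json / composer.lock fragments: sample data, not a real project.
SAMPLE_COMPOSER_JSON = {
    "require": {"vendor/app-lib": "^1.0", "vendor/other": "^1.0"}
}
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/app-lib", "version": "1.4.0",
         "require": {"php": ">=7.4", "vendor/http-client": "^2.1"}},
        {"name": "vendor/http-client", "version": "2.3.1",
         "require": {"ext-json": "*", "vendor/vulnerable-parser": "^3.0"}},
        {"name": "vendor/vulnerable-parser", "version": "3.1.4", "require": {}},
        {"name": "vendor/other", "version": "1.0.0",
         "require": {"vendor/vulnerable-parser": "~3.1.0"}},
    ],
    "packages-dev": [],
})


def is_platform_requirement(name: str) -> bool:
    # "php", "ext-*" and "lib-*" describe the runtime, not installable packages.
    return name == "php" or name.startswith("ext-") or name.startswith("lib-")


def parse_lock(text: str) -> Dict[str, dict]:
    # Flatten "packages" and "packages-dev" into name -> {version, require}.
    data = json.loads(text)
    packages = {}
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        packages[pkg["name"]] = {"version": pkg.get("version", ""),
                                 "require": pkg.get("require", {})}
    return packages


def build_graph(packages: Dict[str, dict]) -> Dict[str, Dict[str, str]]:
    # Edges: package -> {dependency: constraint}, platform requirements dropped.
    return {name: {dep: c for dep, c in info["require"].items()
                   if not is_platform_requirement(dep)}
            for name, info in packages.items()}


def paths_to(graph: Dict[str, Dict[str, str]], roots: List[str], target: str) -> List[List[str]]:
    # Depth-first search from each root requirement; a path never revisits a node,
    # which also protects against cyclic requirements.
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target:
            found.append(path)
            return
        for dep in graph.get(node, {}):
            if dep not in path:
                walk(dep, path + [dep])

    for root in roots:
        walk(root, [root])
    return found


def parse_version(text: str) -> Tuple[int, int, int]:
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])  # type: ignore[return-value]


def constraint_allows(constraint: str, version: str) -> bool:
    # Simplified subset of Composer constraints: ^x.y.z, ~x.y(.z) and exact versions.
    c = constraint.strip()
    ver = parse_version(version)
    if c.startswith("^"):
        low = parse_version(c[1:])
        high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
        return low <= ver < high
    if c.startswith("~"):
        low = parse_version(c[1:])
        # ~1.2.3 keeps the minor fixed; ~1.2 keeps the major fixed.
        high = (low[0], low[1] + 1, 0) if len(c[1:].split(".")) >= 3 else (low[0] + 1, 0, 0)
        return low <= ver < high
    return parse_version(c) == ver


def remediation_plan(lock_text: str, composer_json: dict, target: str, fixed_version: str) -> dict:
    # Which root requirements pull the vulnerable package in, and which direct
    # dependents would also need an update before the fixed version can be installed.
    packages = parse_lock(lock_text)
    graph = build_graph(packages)
    roots = list(composer_json.get("require", {}))
    paths = paths_to(graph, roots, target)
    blocking = sorted(name for name, deps in graph.items()
                      if target in deps and not constraint_allows(deps[target], fixed_version))
    return {"installed": packages[target]["version"], "paths": paths, "blocking": blocking}


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_COMPOSER_LOCK, SAMPLE_COMPOSER_JSON,
                            "vendor/vulnerable-parser", "3.2.0")
    for path in plan["paths"]:
        print(" -> ".join(path))
    print("installed:", plan["installed"], "blocking a conservative upgrade:", plan["blocking"])
```

In the sample, `vendor/http-client` already accepts the fixed version through `^3.0`, but `vendor/other` pins `~3.1.0`, so a merge request that only bumps the parser would not resolve; the plan reports `vendor/other` as the dependent that must be updated as well, which is the information a suggested solution needs before it can choose between a conservative bump and a wider update.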

JavaScript npm would be the second choice. It doesn't support selective upgrade of transitive dependencies, but it's built on top of JSON files, has a powerful CLI, and makes it easy to query package versions and get their dependencies/requirements. It also supports local packages, which provides an easy way to inject advisories as virtual packages.

That said, npm is somewhat redundant with yarn, which is already supported (though support is very limited).

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited Apr 21, 2023 by 🤖 GitLab Bot 🤖