Interpreter and compiler support for Dependency Scanning

Problem to solve

Dependency Scanning currently only supports declared dependencies, and those can only be packages (like ActiveRecord). While that already covers a large part of dependency scanning, we still lack support for interpreters (e.g. Ruby, Python, PHP) and compilers (e.g. Go, javac). Interpreters and compilers are also subject to security advisories, and currently we don't report them to users.

Dependency Scanning should leverage all the information available in the dependency files and manifests, including the version of the interpreter or compiler, when it is declared there. Warning! This information might be missing, since a manifest only records what the project declares and not what is actually installed in the build or runtime image, so Dependency Scanning should be used along with Container Scanning.
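As an added illustration of what "leverage the information available in the dependency files" means in practice (this is example code written for this issue, not Gemnasium's own code), the following Go program reads the interpreter or compiler version from two real manifest formats: the `RUBY VERSION` section Bundler writes into `Gemfile.lock` when the Gemfile declares a `ruby` constraint, and the `go` directive in `go.mod`. The sample file contents are constructed inline. When neither file declares a version, the detector returns nothing, which is exactly the case where Container Scanning has to fill the gap.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Component is an interpreter or compiler version recorded in a manifest.
type Component struct {
	Name    string // e.g. "ruby", "go"
	Version string // e.g. "2.7.2"
	Source  string // file the version was read from
}

// rubyVersionRe matches the "   ruby 2.7.2p137" line under RUBY VERSION in
// Gemfile.lock; the patch-level suffix (p137) is dropped.
var rubyVersionRe = regexp.MustCompile(`^\s*ruby\s+(\d+\.\d+\.\d+)`)

// goDirectiveRe matches the go directive in go.mod, e.g. "go 1.16" or "go 1.21.0".
var goDirectiveRe = regexp.MustCompile(`^go\s+(\d+(?:\.\d+){1,2})\s*$`)

// ParseGemfileLock returns the Ruby interpreter recorded in Gemfile.lock.
// Bundler only writes the RUBY VERSION section when the Gemfile declares a
// `ruby` constraint, so ok is false when the section is absent.
func ParseGemfileLock(content string) (Component, bool) {
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "RUBY VERSION" {
			inSection = true
			continue
		}
		if !inSection {
			continue
		}
		if m := rubyVersionRe.FindStringSubmatch(line); m != nil {
			return Component{Name: "ruby", Version: m[1], Source: "Gemfile.lock"}, true
		}
		// A blank line closes the section without a version having been found.
		if strings.TrimSpace(line) == "" {
			inSection = false
		}
	}
	return Component{}, false
}

// ParseGoMod returns the Go version from the go directive. Note that this is
// the minimum version the module requires, not necessarily the toolchain that
// built the binary; the toolchain in the build image is only visible to
// Container Scanning.
func ParseGoMod(content string) (Component, bool) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		if m := goDirectiveRe.FindStringSubmatch(sc.Text()); m != nil {
			return Component{Name: "go", Version: m[1], Source: "go.mod"}, true
		}
	}
	return Component{}, false
}

// DetectInterpreters runs every known parser over the files of a project
// (keyed by file name) and returns the interpreters and compilers found, in a
// fixed order so the output is deterministic.
func DetectInterpreters(files map[string]string) []Component {
	var out []Component
	if content, ok := files["Gemfile.lock"]; ok {
		if c, found := ParseGemfileLock(content); found {
			out = append(out, c)
		}
	}
	if content, ok := files["go.mod"]; ok {
		if c, found := ParseGoMod(content); found {
			out = append(out, c)
		}
	}
	return out
}

// Constructed sample files for the demonstration (not taken from a real project).
const SampleGemfileLock = `GEM
  remote: https://rubygems.org/
  specs:
    activerecord (6.1.3)

PLATFORMS
  ruby

DEPENDENCIES
  activerecord

RUBY VERSION
   ruby 2.7.2p137

BUNDLED WITH
   2.2.3
`

const SampleGoMod = `module example.com/app

go 1.16
`

func main() {
	files := map[string]string{"Gemfile.lock": SampleGemfileLock, "go.mod": SampleGoMod}
	comps := DetectInterpreters(files)
	if len(comps) == 0 {
		fmt.Println("no interpreter or compiler version declared; rely on Container Scanning")
	}
	for _, c := range comps {
		fmt.Printf("%s %s (from %s)\n", c.Name, c.Version, c.Source)
	}
}
```

The returned components carry the same name/version shape as a package dependency, so the same advisory-matching step that already handles packages could be applied to them; the `go` directive caveat above is why the result must be treated as a lower bound rather than the exact toolchain.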

Intended users

  • Sasha (Software Developer)
  • Sam (Security Analyst)

Further details

This is something required for #10071 (closed), as interpreters have to be installed to run the application code. Compilers can also be subject to advisories. For example, Go has a very complete standard library that ships with the compiler, so the only way to remediate a security issue in the standard library is to update Go itself.

Proposal

  • Update Gemnasium to detect interpreters and compilers from dependency files and manifests.
  • Update Gemnasium to match security advisories against them.
  • Fill the vulnerability database with advisories for interpreters and compilers.

Permissions and Security

Nothing specific. Security scans occur during pipeline runs.

Documentation

Update https://docs.gitlab.com/user/project/merge_requests/dependency_scanning.html

What does success look like, and how can we measure that?

Users can see vulnerabilities in interpreters and compilers in security reports (MR security widget, dashboards, etc.).

ruby-advisory-db possibly becomes redundant with the Gemnasium analyzer and its vulnerability database, and may no longer be needed.

What is the type of buyer?

Ultimate

Links / references

Edited by Fabien Catteau