Interpreter and compiler support for Dependency Scanning
Problem to solve
Dependency Scanning currently only supports declared dependencies, and those dependencies can only be packages (like ActiveRecord). While that already covers a large part of dependency scanning, we still lack support for interpreters (e.g. ruby, python, PHP) and compilers (e.g. go, javac). These interpreters and compilers are also subject to advisories, and currently we don't report them to users.
Dependency Scanning should leverage all the information available in the dependency files and manifests, including the version of the interpreter or compiler, when available. Warning! This information might be missing, so Dependency Scanning should be used along with Container Scanning.
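As an added illustration of the manifest-based detection described above (example code, not Gemnasium's own), the following extracts interpreter and compiler versions from a set of manifest files and reports only exact versions, since a range cannot be matched against an advisory. The file names and formats it recognises (the Gemfile.lock RUBY VERSION block, the go.mod go directive, Heroku-style runtime.txt, and package.json engines) are assumptions about common conventions, and the sample manifests are constructed.

```python
import json
import re

# Added example, not Gemnasium code: pull interpreter/compiler versions out of
# the manifests Dependency Scanning already reads, so they can be matched
# against advisories like any other dependency. File names and formats below
# are assumptions about common conventions, not a specification.
EXACT = re.compile(r"^\d+\.\d+(?:\.\d+)?$")

# (file name, runtime name, regex with the version in group 1)
RULES = [
    ("Gemfile.lock", "ruby", re.compile(r"^RUBY VERSION\n\s+ruby (\d+\.\d+\.\d+)", re.M)),
    ("Gemfile", "ruby", re.compile(r"""^\s*ruby\s+["'](\d+\.\d+\.\d+)["']""", re.M)),
    (".ruby-version", "ruby", re.compile(r"^(?:ruby-)?(\d+\.\d+\.\d+)\s*$")),
    ("go.mod", "go", re.compile(r"^go\s+(\d+\.\d+(?:\.\d+)?)\s*$", re.M)),
    ("runtime.txt", "python", re.compile(r"^python-(\d+\.\d+\.\d+)\s*$")),
    (".python-version", "python", re.compile(r"^(\d+\.\d+\.\d+)\s*$")),
]

# Constructed sample manifests, not taken from a real project.
SAMPLE_FILES = {
    "Gemfile.lock": "GEM\n  specs:\n    rake (13.0.1)\n\nRUBY VERSION\n   ruby 2.6.3p62\n\nBUNDLED WITH\n   1.17.3\n",
    "go.mod": "module example.com/app\n\ngo 1.13\n\nrequire github.com/pkg/errors v0.9.1\n",
    "package.json": '{"name": "app", "engines": {"node": ">=12"}}',
}


def detect_runtimes(files):
    """Map {path: content} to a list of {'name', 'version', 'source'} entries.

    Only exact versions are reported: a range such as ">=12" cannot be matched
    to an advisory, and a missing manifest yields nothing at all, which is the
    case where Container Scanning has to fill the gap."""
    found = []
    for path, name, pattern in RULES:
        text = files.get(path)
        match = pattern.search(text) if text is not None else None
        if match:
            found.append({"name": name, "version": match.group(1), "source": path})
    # package.json declares the Node.js version under "engines", usually as a range.
    if "package.json" in files:
        try:
            node = str(json.loads(files["package.json"]).get("engines", {}).get("node", ""))
        except ValueError:
            node = ""  # unparsable manifest: treat as missing information
        if EXACT.match(node.strip()):
            found.append({"name": "node", "version": node.strip(), "source": "package.json"})
    return found


if __name__ == "__main__":
    for entry in detect_runtimes(SAMPLE_FILES):
        print(entry)
```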
Intended users
- Sasha (Software Developer)
- Sam (Security Analyst)
Further details
This is something required for #10071 (closed), as interpreters have to be installed to run the application code. Compilers can also be subject to advisories. For example, Go has a very complete standard library, which ships with the compiler, so the only way to remediate security issues in it is to update Go itself.
Proposal
- Update Gemnasium to support interpreters and compilers.
- Update Gemnasium to manage security advisories on them.
- Fill the DB.
Permissions and Security
Nothing specific. Security scans occur during pipeline runs.
Documentation
Update https://docs.gitlab.com/user/project/merge_requests/dependency_scanning.html
What does success look like, and how can we measure that?
Users can see interpreter and compiler vulnerabilities in security reports (MR security widget, dashboards, etc.).
ruby-advisory-db possibly becomes redundant with the Gemnasium analyzer and its vulnerability database, and is no longer needed.
What is the type of buyer?
Ultimate
Links / references
- BOM &859 (closed)