Open Gemnasium Advisories Database
Problem to solve
Allow users and customers to access Gemnasium Advisories Database to check its content and contribute.
For this first iteration, the main goals are to allow users to:
- search for our advisories
Create a new public project
- Prepare the Gemnasium DB for the export
- Ensure all advisories have an identifier since this will be used in the exported filename
- Import the full Gemnasium DB into this repo (only one initial import).
- Decide on which format to use (YAML vs JSON). We'll go with YAML (see discussion here)
- Import all advisories as YAML files in gemnasium-db (see gitlab-org/security-products/gemnasium-db!3 (merged))
[x] Use this repo as SSOT to import/update advisories into Gemnasium DB (so it will stay in sync by design after initial import).Moved to https://gitlab.com/gitlab-org/gitlab-ee/issues/11837. We will periodically resync until this is done.
- Document public workflow to contribute to our advisories db:
create an issue or an MR to contribute and add an advisory to the DB. Contribution to enriching metadata is open, but merging and publishing to the DB is restricted to maintainers (~Secure team).
README.mdto gemnasium-db (see gitlab-org/security-products/gemnasium-db!1 (merged))
CONTRIBUTING.mdto gemnasium-db (see gitlab-org/security-products/gemnasium-db!2 (merged))
This allows to achieve our goals:
- search for our advisories by leveraging the built-in GitLab project's search
- contribute by:
- creating an issue to mention a missing advisory
- creating an MR to Add/Update an advisory
- there is no way to fetch advisories reported by
retire.js, two other scanners of Dependency Scanning.
- at this point, the creation of new issues/MRs to add advisories to Gemnasium DB is still manual.
Permissions and Security
- Depending under which License the project is published, the contribution on the DB enrichment could be restricted to EE users (having a EE License).
- Merging and publishing to the Gemnasium DB are restricted to ~Secure team members.
We need to update https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html to clearly point to this new created project.
- Update GitLab CE doc https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/29205
We also need to document clearly how to contribute.
Not sure there are things to cover here, except manually going through the published docs and validating the DB filling process.
What does success look like, and how can we measure that?
People can see and contribute to the Gemnasium Advisories DB.
- How many search are executed in the project? (not sure this is achievable
- How many issues and MRs are created by people outside of the ~Secure team