Open Gemnasium Advisories Database

Problem to solve

Allow users and customers to access Gemnasium Advisories Database to check its content and contribute.

Intended users

• Persona: Security Analyst
• Persona: DevOps Engineer
• Persona: Software developer

Further details

For this first iteration, the main goals are to allow users to:

• search for our advisories
• contribute

Proposal

• Create a new public project security-products/gemnasium-db:
  • Which License to use? EE License first suggested) but doesn't fullfill all our requirements so discussion is still ongoing Specific TERMS have been added to address this.
• Prepare the Gemnasium DB for the export
  • Ensure all advisories have an identifier since this will be used in the exported filename
• Import the full Gemnasium DB into this repo (only one initial import).
  • Decide on which format to use (YAML vs JSON). We'll go with YAML (see discussion here)
  • Import all advisories as YAML files in gemnasium-db (see gitlab-org/security-products/gemnasium-db!3 (merged))
  • [x] Use this repo as SSOT to import/update advisories into Gemnasium DB (so it will stay in sync by design after initial import). Moved to https://gitlab.com/gitlab-org/gitlab-ee/issues/11837. We will periodically resync until this is done.
• Document public workflow to contribute to our advisories db:

  create an issue or an MR to contribute and add an advisory to the DB. Contribution to enriching metadata is open, but merging and publishing to the DB is restricted to maintainers (~Secure team).

  • Add README.md to gemnasium-db (see gitlab-org/security-products/gemnasium-db!1 (merged))
  • Add CONTRIBUTING.md to gemnasium-db (see gitlab-org/security-products/gemnasium-db!2 (merged))

This allows to achieve our goals:

• search for our advisories by leveraging the built-in GitLab project's search
• contribute by:
  • creating an issue to mention a missing advisory
  • creating an MR to Add/Update an advisory

Known limitations:

• there is no way to fetch advisories reported by bundler-audit and retire.js, two other scanners of Dependency Scanning.
• at this point, the creation of new issues/MRs to add advisories to Gemnasium DB is still manual.

Permissions and Security

• Depending under which License the project is published, the contribution on the DB enrichment could be restricted to EE users (having a EE License).
• Merging and publishing to the Gemnasium DB are restricted to ~Secure team members.

Documentation

We need to update https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html to clearly point to this new created project.

• Update GitLab CE doc https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/29205

We also need to document clearly how to contribute.

Testing

Not sure there are things to cover here, except manually going through the published docs and validating the DB filling process.

What does success look like, and how can we measure that?

People can see and contribute to the Gemnasium Advisories DB.

• How many search are executed in the project? (not sure this is achievable 🤔)
• How many issues and MRs are created by people outside of the ~Secure team

What is the type of buyer?

GitLab Ultimate

Links / references