Define process and tools to keep the Gemnasium DB up to date with external sources
Problem to solve
With #11169 (closed) we're making the Gemnasium DB content publicly visible and open for contribution.
We also need to define the process to synchronize with external sources to fill this database when new vulnerabilities are disclosed.
Intended users
- GitLab team members, particularly ~Secure team for now.
Proposal
- Document which sources to track and how to sync gemnasium-db with them; see gitlab-org/security-products/gemnasium-db!18 (merged).
- Define how to organize the tools we leverage to keep our DB in sync with these sources (put them in the security-products/gemnasium-db-toolbox project too?).
What does success look like, and how can we measure that?
- ~Secure team members and any contributors know which sources to track and how to keep the gemnasium-db project in sync with them.
- How many advisories are added to the gemnasium-db project from external sources.
What is the type of buyer?
Links / references
Edited by Olivier Gonzalez