Vulnerabilities for Maven artifacts not hosted on Maven Central
Problem to solve
Currently, Dependency Scanning for Java is limited to Maven artifacts hosted on Maven Central, but there are other public Maven repos that may host vulnerable artifacts.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Further details
Dependency Scanning for Java is implemented in gemnasium-maven. It lists the project dependencies using the Gemnasium Maven Plugin, then compares the artifacts it finds (group id, artifact id, version) with the vulnerabilities listed in gemnasium-db, the vulnerability database. This implementation assumes that vulnerable artifacts are hosted on Maven Central. It may work with other public Maven repositories, but this has to be proven, and in any case the vulnerability DB only covers Maven Central at the moment.
Proposal
Make sure Dependency Scanning for Java can process artifacts that are not hosted on Maven Central, and report vulnerabilities for these:
- add security advisories to gemnasium-db for Maven artifacts available on public Maven repos, but not on Maven Central
- add these as dependencies of the java-maven test project
- make all the necessary adjustments (TBD) until the QA job passes; the QA job is based on the java-maven test project
This works as long as the coordinates of an artifact (group id and artifact id) identify it uniquely across repositories. If two repositories serve different artifacts under the same coordinates, an advisory keyed on those coordinates would match both, so whether such collisions occur in practice is to be proven.
By design, the case where Maven Central only hosts/serves some versions of an artifact (but not all of them) should already be covered. More specifically, gemnasium-maven should be able to report a vulnerability for a Java dependency even if the affected, fixed, or installed versions are not available on Maven Central, since the comparison is made on the group id, artifact id and version alone rather than by looking the artifact up in a repository. See #14630 (closed). This is to be double-checked.
Permissions and Security
Unchanged.
Documentation
The GitLab documentation needs to be updated.
Testing
Covered by java-maven test project.
What does success look like, and how can we measure that?
Security advisories for Maven packages/artifacts not hosted on Maven Central can be added to gemnasium-db, the vulnerability DB. Dependency Scanning successfully reports vulnerabilities in Java projects depending on the affected versions of these artifacts, according to the security advisories.
What is the type of buyer?
Links / references
/cc @gonzoyumo @NicoleSchwartz @vklevko @fcbrooks @LisavandeKooij @julianthome @ifrenkel