Support air-gapped (offline) Dependency Scanning for on-prem instances
Problem to solve
Our ~"dependency scanning" tools currently require internet connectivity to run using standard configurations. We should aim to support offline execution and provide clear documentation on how to configure scanners for such installations.
From @fcatteau's comments in the parent epic:
I had a look at bundler-audit, retire.js and gemnasium, and currently none of these would work without connecting the CI to the Internet.
retire.js
We have to change analyze.go and set --jsrepo and --noderepo to the local paths of the "repositories". See option definition and repository loading.
bundler-audit
The gem already includes a clone of rubysec/ruby-advisory-db, see bundler-audit.gemspec. We have to change analyze.go and remove the --update option. See README and update! function.
gemnasium
We need to change the Client in order to switch to a git clone/checkout of gemnasium-db instead of connecting to the Gemnasium API.
gemnasium-python and gemnasium-maven would directly benefit from the change after upgrading the gemnasium/v2 dependency in their respective Go modules.
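The command-line changes described above for retire.js and bundler-audit, as an added Go example written for this issue; it is not the analyzers' actual analyze.go. The Mode and Config types, their field names, and the local repository paths used in main are assumptions for illustration. The flags themselves (retire.js --jsrepo, --noderepo and --path; bundler-audit check --update) are the real options named in the comments: offline, retire.js is pointed at local copies of its repositories, and bundler-audit simply drops --update so it uses the advisory database bundled in the gem.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode selects how an analyzer reaches its advisory data.
// Offline is an assumed configuration knob for this example.
type Mode int

const (
	Online Mode = iota
	Offline
)

// Config carries the local paths an offline run depends on.
// Field names are assumed for this example.
type Config struct {
	Mode         Mode
	JSRepoPath   string // local copy of the retire.js JavaScript repository (offline only)
	NodeRepoPath string // local copy of the retire.js node repository (offline only)
}

// RetireArgs builds the retire.js command line. Online, retire.js fetches
// its repositories itself; offline, --jsrepo and --noderepo point it at the
// local copies instead, and a missing path is an error rather than a silent
// fallback to the network.
func RetireArgs(cfg Config, projectDir string) ([]string, error) {
	args := []string{"retire", "--path", projectDir}
	if cfg.Mode == Offline {
		if cfg.JSRepoPath == "" || cfg.NodeRepoPath == "" {
			return nil, fmt.Errorf("offline mode requires both JSRepoPath and NodeRepoPath")
		}
		args = append(args, "--jsrepo", cfg.JSRepoPath, "--noderepo", cfg.NodeRepoPath)
	}
	return args, nil
}

// BundlerAuditArgs builds the bundler-audit command line. The gem already
// ships a clone of ruby-advisory-db, so an offline run only has to omit
// --update, which would otherwise try to pull the database from the network.
func BundlerAuditArgs(cfg Config) []string {
	args := []string{"bundle-audit", "check"}
	if cfg.Mode == Online {
		args = append(args, "--update")
	}
	return args
}

func main() {
	// Assumed local paths; in a real air-gapped runner these would be
	// populated from an internal mirror of the repositories.
	offline := Config{
		Mode:         Offline,
		JSRepoPath:   "/opt/retire/jsrepository.json",
		NodeRepoPath: "/opt/retire/npmrepository.json",
	}
	online := Config{Mode: Online}

	for _, cfg := range []Config{online, offline} {
		retire, err := RetireArgs(cfg, "/builds/project")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(strings.Join(retire, " "))
		fmt.Println(strings.Join(BundlerAuditArgs(cfg), " "))
	}
}
```

The point of failing on a missing path rather than falling back is that an air-gapped job should fail visibly instead of hanging on a network call or silently scanning against stale data.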
Intended users
Persona: Software developer
Persona: Development Team Lead