Move Auto-Remediation out of the Dependency Scanning job


Problem to solve

Currently, the Dependency Scanning job that implements Auto-Remediation handles two tasks:

  • scan the project, to report vulnerability findings
  • find remediations for these vulnerability findings, and add the remediations to the report

Because it's running in the Dependency Scanning job, the second task (finding remediations) cannot:

  • have its specific job rules
  • fail explicitly
  • run using a different Docker image
  • have a dedicated timeout

(Specific timeouts could be implemented in the scanner itself, but this would increase the complexity of the code and make it necessary to introduce new variables, simply to reproduce what already exists as a built-in feature of GitLab CI.)

Also, having Auto-Remediation for Dependency Scanning run in a dedicated job would make for a better UX, with separate logs, a separate job definition, and a separate job on the pipeline page.

Intended users

Further details

Currently, Auto-Remediation for Dependency Scanning is implemented in the Gemnasium analyzer and is executed when running the gemnasium-dependency_scanning job.

Proposal

Introduce a new job that performs Auto-Remediation for Dependency Scanning. This job leverages the output of Dependency Scanning.

In a first iteration, the scanning job and the auto-remediation job would both run the gemnasium Docker image.

Implementation plan

  • introduce a new stage, to be agreed on with devopsverify
  • change the Gemnasium CLI so that it can perform auto-remediation for a given Dependency Scanning report
  • add new QA job template, and set up auto-remediation QA in js-yarn
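The job split described above, sketched as an added GitLab CI example (not configuration from the issue or from the Gemnasium project). The stage name `remediate` is a placeholder for the stage still to be agreed on, and the `/analyzer remediate` subcommand is hypothetical: the plan is to add it to the Gemnasium CLI.

```yaml
stages:
  - test
  - remediate          # placeholder: the new stage is still to be agreed on

# Existing scanning job: reports findings only, no remediation.
gemnasium-dependency_scanning:
  stage: test
  image: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
  script:
    - /analyzer run
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    paths:
      - gl-dependency-scanning-report.json   # plain artifact too, so the next job can read it

# Proposed dedicated job: consumes the report and gets its own rules,
# image, timeout and failure mode, all as built-in GitLab CI features.
gemnasium-auto_remediation:
  stage: remediate
  image: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"   # same image in the first iteration
  needs:
    - job: gemnasium-dependency_scanning
      artifacts: true
  rules:
    # job-specific rule: remediate only on merge request pipelines
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
  timeout: 15 minutes          # dedicated timeout, no scanner-side variable needed
  allow_failure: false         # a remediation problem shows up as a failed job
  script:
    - /analyzer remediate gl-dependency-scanning-report.json   # hypothetical subcommand
```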

Proposal Reviewed

Permissions and Security

No change.

Documentation

Availability & Testing

To be tested using separate branches of the test projects. Currently, js-yarn is the only supported test project.

What does success look like, and how can we measure that?

Users have full control over the jobs that run Auto-Remediation for Dependency Scanning. For instance, they can set specific rules for these jobs or set specific timeouts. Users who are already familiar with GitLab CI don't need to read extra documentation to set that up.

What is the type of buyer?

GitLab Ultimate

Links / references

/cc @NicoleSchwartz @gonzoyumo
