Rename gemnasium-db to advisories
Problem to solve
- Naming Confusion: Currently, we are storing all dependency scanning advisories in the gemnasium-db repository. Based on the name, for customers/contributors it may not be obvious that this repository is the official GitLab Advisory Database.
- Naming Inconsistency: We are exposing a web portal that provides a more user-friendly and searchable way of finding advisories through https://advisories.gitlab.com/. The data that is exposed through https://advisories.gitlab.com/ originates from gemnasium-db. Due to the inconsistent names (advisories.gitlab.com vs gemnasium-db) it is not really clear that there is a relation between them.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
Rename the gemnasium-db repository to advisories to be consistent with https://advisories.gitlab.com/ and to make it easier to find the official GitLab Advisory Database repository based on its name.
Update the Gemnasium analyzers (gemnasium, gemnasium-maven, and gemnasium-python), and change the default values for GEMNASIUM_DB_REMOTE_URL and GEMNASIUM_DB_WEB_URL. These variables are used to pull the vulnerability database (before running the scan), and to link to the advisories, respectively. The default values are currently set in the Dockerfile of each analyzer project.
Documentation
We would have to update the GitLab Handbook pages to reflect this change.
Risks
This change impacts group::vulnerability research and group::composition analysis.
The Gemnasium-based analyzers (gemnasium, gemnasium-maven, and gemnasium-python) are affected because they pull data from gemnasium-db and link to it (in the report). However, after the renaming, their requests are going to be redirected to the new repository anyway.