Dependency Scanning Conan support using conan.lock behind feature flag or not announced until vulnerability DB has content
NOTE: if you are a user who would also like to see this feature, please UPVOTE.
Problem to solve
C and C++ are both in the top 10 languages used at GitLab and GitHub, and have been requested by our current and potential users. We need to expand ~"Category:Dependency Scanning" in order to support these languages.
This must also work in offline environments.
Please see: Engineering research - Decide next language to add to Dependency Scanning
Intended users
User experience goal
No change; identical to the other supported package managers.
Proposal
- Add Conan as a supported package manager, and scan `conan.lock`. This file is generated by Conan when running `conan graph lock`.
- Add metrics if needed (if #229617 is finished you may need to; if it is not yet finished, make sure #229617 includes Conan).
- In parallel, request that Conan vulnerabilities be ingested.
- Update user documentation when both the scanner is available and security advisories are ingested.
Further details
Conan lock files (`conan.lock`) can be supported in Gemnasium. These files are generated when running `conan graph lock`.
Conan uses node-semver (a Python package) for its version ranges, so vrange/npm could probably be reused to match a Conan version against the affected range of a Conan-related security advisory, without any modification.
Dependency file support (as opposed to lock file support) could later be implemented by running `conan graph lock` to generate the lock file before parsing it. The lock file parser would then be reused.
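As an added illustration of the two pieces described above (not Gemnasium's code, nor anything from the Conan project), the following script parses a constructed `conan.lock` in the Conan 1.x `graph_lock` layout (an assumption about the file format) and matches each locked package against constructed advisories whose affected ranges use node-semver syntax. The small `satisfies()` matcher stands in for vrange/npm; its strict `MAJOR.MINOR.PATCH` parsing also shows the caveat a practitioner should check before reusing vrange/npm unchanged: Conan permits versions such as `1.1.1g` that are not valid semver, and the scanner reports those separately instead of silently treating them as not vulnerable. All package names, versions, revisions and advisory identifiers below are constructed sample data.

```python
import json
import operator
import re

# Constructed sample conan.lock (not from the page). Assumption: Conan 1.x
# writes a "graph_lock" object whose "nodes" are keyed by id; node "0" is the
# consuming project (it carries a "path", not a "ref"), every other node has a
# "ref" of the form name/version[@user/channel][#revision].
SAMPLE_CONAN_LOCK = """
{
  "graph_lock": {
    "nodes": {
      "0": {"path": "conanfile.txt", "requires": ["1", "2", "3"], "context": "host"},
      "1": {"ref": "zlib/1.2.11#0123456789abcdef", "requires": [], "context": "host"},
      "2": {"ref": "boost/1.73.0@user/stable", "requires": ["1"], "context": "host"},
      "3": {"ref": "openssl/1.1.1g", "requires": ["1"], "context": "host"}
    },
    "revisions_enabled": false
  },
  "version": "0.4"
}
"""

# Constructed advisories with node-semver style affected ranges, standing in
# for entries a Conan-aware vulnerability database would hold.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "zlib", "affected_range": "<1.2.12"},
    {"id": "EXAMPLE-0002", "package": "boost", "affected_range": ">=1.70.0 <1.73.0"},
    {"id": "EXAMPLE-0003", "package": "openssl", "affected_range": "<1.1.2"},
]

REF_RE = re.compile(
    r"^(?P<name>[^/@#]+)/(?P<version>[^/@#]+)"
    r"(?:@(?P<user>[^/#]+)/(?P<channel>[^#]+))?"
    r"(?:#(?P<rrev>[0-9a-f]+))?$"
)


def parse_conan_lock(text):
    """Return the locked dependencies as [{'name': ..., 'version': ...}]."""
    nodes = json.loads(text)["graph_lock"]["nodes"]
    deps = []
    for node_id, node in nodes.items():
        ref = node.get("ref")
        if not ref:
            continue  # consumer/root node: no package reference to report
        m = REF_RE.match(ref)
        if m is None:
            raise ValueError(f"unrecognised Conan reference in node {node_id}: {ref!r}")
        deps.append({"name": m["name"], "version": m["version"]})
    return sorted(deps, key=lambda d: d["name"])


def parse_version(text):
    """Strict MAJOR.MINOR.PATCH only; anything else (e.g. '1.1.1g') is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(part) for part in m.groups())


COMPARATOR_RE = re.compile(r"^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$")
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}


def _holds(v, comparator):
    m = COMPARATOR_RE.match(comparator)
    if m is None:
        raise ValueError(f"unsupported comparator: {comparator!r}")
    return OPS[m.group(1) or "="](v, parse_version(m.group(2)))


def satisfies(version, affected_range):
    """Subset of node-semver range syntax: comparator sets joined by '||'."""
    v = parse_version(version)
    for alternative in affected_range.split("||"):
        comparators = alternative.split()
        if not comparators:
            raise ValueError(f"empty comparator set in {affected_range!r}")
        if all(_holds(v, c) for c in comparators):
            return True
    return False


def scan(lock_text, advisories):
    """Match locked packages against advisories; returns (findings, unparseable)."""
    findings, unparseable = [], []
    for dep in parse_conan_lock(lock_text):
        for adv in advisories:
            if adv["package"] != dep["name"]:
                continue
            try:
                if satisfies(dep["version"], adv["affected_range"]):
                    findings.append((dep["name"], dep["version"], adv["id"]))
            except ValueError:
                # Conan allows non-semver versions; surface them rather than
                # silently reporting "no vulnerabilities" for the package.
                unparseable.append((dep["name"], dep["version"]))
    return findings, unparseable


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_CONAN_LOCK, SAMPLE_ADVISORIES)
    for name, version, adv_id in found:
        print(f"VULNERABLE {name} {version}: {adv_id}")
    for name, version in skipped:
        print(f"UNPARSEABLE VERSION {name} {version} (range matcher needs adjusting)")
```

Run as-is, the script reports `zlib 1.2.11` as affected by `EXAMPLE-0001`, leaves `boost 1.73.0` clean because the range's upper bound is exclusive, and lists `openssl 1.1.1g` as unparseable. That last outcome is the point worth testing against real vrange/npm before declaring it reusable "without modification": a version the matcher cannot parse must never be reported as safe.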
Implementation plan
Add advisories to the vulnerability database:
- provide information about the new package type: gitlab-org/security-products/gemnasium-db#139 (closed)
- start ingesting advisories: #229734 (closed)
Set up a test project:
- create a test project that provides a `conan.lock`: gitlab-org/security-products/tests/c-conan!3 (merged)
Update Gemnasium (gitlab-org/security-products/analyzers/gemnasium!98 (merged)):
- implement a lock file parser in Gemnasium to parse `conan.lock`
- make sure vrange/npm can be used for Conan advisories, and enable it for Conan
- add the test project to QA, in the CI config
Update Dependency Scanning template (!39811 (merged)):
- update the `rules:exists` of the `gemnasium-dependency_scanning` job to match `conan.lock`, in the Dependency Scanning CI template
- update https://gitlab.com/gitlab-org/security-products/tests/c-conan to fetch the CI template from the master branch of gitlab: gitlab-org/security-products/tests/c-conan!6 (merged)
Update Dependency Scanning docs:
- update the list of supported languages and package managers; see documentation !40699 (merged)
Update Rails Frontend:
- format the Conan package manager in the dependency list: !40811 (merged)
Permissions and Security
There should be no changes to ~"Category:Dependency Scanning" permissions.
Documentation
This should work as documented for the other ~"Category:Dependency Scanning" supported languages and frameworks.
Please add this to the supported languages and frameworks table, being explicit about versions and lock files.
Please add any variables, notes, or warnings needed for this to the user documentation: for example, what type of lock files are expected or looked at, and links to the external docs showing how users turn on their lock files.
Please link to the feedback issue: #227875 to allow people to request other versions.
Availability & Testing
You must have a test project, and basic tests, specific to making sure Conan is supported; these will run each release to ensure nothing breaks (for example, if a parameter is changed and is not backwards compatible).
This must be incorporated into both the online and offline test suites. Work with Quality to accomplish this: they will set up what to mimic, and you will implement based on that pattern.
The test project should also be documented in the list of test projects that Quality maintains.
What does success look like, and how can we measure that?
Users with Conan projects get Dependency Scanning reports. They can see the dependencies of their Conan projects in the Dependency List, and are notified about vulnerabilities affecting these dependencies.
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.