Pin gemnasium-db in analyzer test projects
Problem to solve
Expectations of our test projects are painful to update constantly as new vulnerabilities are released for existing packages.
Intended users
group::composition analysis backend team members
Proposal
- To avoid distraction and reduce the pain, we should pin the version of gemnasium-db used in test projects. We can then bump it periodically to pick up newer vulnerabilities while avoiding regressions on them.
- We should leverage the semantic versioning now available on gemnasium-db.
Implementation Plan
- Go through test projects for DS and configure GEMNASIUM_DB_REF_NAME to v1.2.142
  - gemnasium-python
  - gemnasium-maven
    - https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules
    - https://gitlab.com/gitlab-org/security-products/tests/scala-sbt
    - https://gitlab.com/gitlab-org/security-products/tests/java-gradle-multimodules
    - https://gitlab.com/gitlab-org/security-products/tests/java-gradle-kotlin-dsl
    - https://gitlab.com/gitlab-org/security-products/tests/java-maven
      - master
      - no_dind-FREEZE
      - java-8
      - java-11
      - java-13
      - java-14
    - https://gitlab.com/gitlab-org/security-products/tests/java-gradle
      - no_dind-FREEZE
      - java-13
      - java-11
      - java-8
      - java-14
  - gemnasium
    - https://gitlab.com/gitlab-org/security-products/tests/c-conan
    - https://gitlab.com/gitlab-org/security-products/tests/js-yarn
      - no_dind-FREEZE
    - https://gitlab.com/gitlab-org/security-products/tests/js-npm
      - no_dind-FREEZE
    - https://gitlab.com/gitlab-org/security-products/tests/csharp-nuget-dotnetcore
    - https://gitlab.com/gitlab-org/security-products/tests/php-composer
      - no_dind-FREEZE
    - https://gitlab.com/gitlab-org/security-products/tests/go-modules
      - no_dind-FREEZE
    - https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler
      - no_dind-FREEZE
      - no_dind-bundler2-FREEZE
    - https://gitlab.com/gitlab-org/security-products/tests/ruby-bundler-rails
- Update related docs in https://gitlab.com/gitlab-org/security-products/tests/common
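The pin itself is one line in each test project's `.gitlab-ci.yml` (a `GEMNASIUM_DB_REF_NAME` entry under the top-level `variables:` key), but with this many projects and branches the easy mistake is a branch left pointing at a floating ref such as `master`, or a "bump" that accidentally moves a project backwards. The following is an added example, not code from this issue or from the analyzer projects, of a small audit-and-bump helper: it reads a CI config, reports whether `GEMNASIUM_DB_REF_NAME` is pinned to a semver tag, and rewrites it to a newer tag while refusing downgrades. The sample `.gitlab-ci.yml` text is constructed, and the helper assumes the variable is declared under a top-level `variables:` block rather than per job.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a test project's .gitlab-ci.yml (not taken from any real
# project). GitLab CI reads job/environment variables from the `variables:` key;
# the gemnasium analyzers use GEMNASIUM_DB_REF_NAME to choose which gemnasium-db
# git ref to check out. Here it still floats on a branch name.
SAMPLE_CI_YAML = """\
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  GEMNASIUM_DB_REF_NAME: "master"
  SECURE_LOG_LEVEL: "debug"
"""

# A pinned ref is a semantic-version tag such as v1.2.142. A branch name or an
# empty value floats, and floating refs are what make test expectations drift.
SEMVER_TAG = re.compile(r"^v\d+\.\d+\.\d+$")
REF_LINE = re.compile(
    r'^(?P<indent>[ \t]*)GEMNASIUM_DB_REF_NAME:[ \t]*'
    r'(?P<quote>["\']?)(?P<ref>[^"\'\n]*)(?P=quote)[ \t]*$',
    re.MULTILINE,
)
VARIABLES_BLOCK = re.compile(r"^variables:[ \t]*$", re.MULTILINE)


def find_ref_name(ci_yaml: str) -> Optional[str]:
    """Return the configured GEMNASIUM_DB_REF_NAME, or None if the file does not set it."""
    m = REF_LINE.search(ci_yaml)
    return m.group("ref") if m else None


def is_pinned(ref: Optional[str]) -> bool:
    """True only when the ref is an explicit semver tag of gemnasium-db."""
    return bool(ref) and SEMVER_TAG.match(ref) is not None


def parse_tag(tag: str) -> Tuple[int, int, int]:
    """Split 'v1.2.142' into a comparable (1, 2, 142) tuple."""
    major, minor, patch = tag[1:].split(".")
    return int(major), int(minor), int(patch)


def bump_ref_name(ci_yaml: str, new_ref: str) -> str:
    """Rewrite (or add) GEMNASIUM_DB_REF_NAME so it points at new_ref.

    The periodic bump exists to pick up newer advisories, so moving to an older
    tag is treated as a mistake and rejected rather than silently applied.
    """
    if not is_pinned(new_ref):
        raise ValueError(f"refusing to pin to non-semver ref {new_ref!r}")
    current = find_ref_name(ci_yaml)
    if is_pinned(current) and parse_tag(new_ref) < parse_tag(current):
        raise ValueError(f"{new_ref} is older than the current pin {current}")
    if current is None:
        new_line = f'  GEMNASIUM_DB_REF_NAME: "{new_ref}"'
        m = VARIABLES_BLOCK.search(ci_yaml)
        if m:
            # Existing top-level variables block: add the pin as its first entry
            # instead of emitting a second (duplicate) `variables:` key.
            return ci_yaml[: m.end()] + "\n" + new_line + ci_yaml[m.end():]
        return ci_yaml.rstrip("\n") + "\n\nvariables:\n" + new_line + "\n"
    # Already set: replace the value in place, keeping the original indentation.
    return REF_LINE.sub(
        lambda m: f'{m.group("indent")}GEMNASIUM_DB_REF_NAME: "{new_ref}"', ci_yaml
    )


if __name__ == "__main__":
    before = find_ref_name(SAMPLE_CI_YAML)
    print(f"current ref: {before!r}, pinned: {is_pinned(before)}")
    print(bump_ref_name(SAMPLE_CI_YAML, "v1.2.142"))
```

Run over every project and branch in the list above, `find_ref_name` plus `is_pinned` gives a quick audit of which test projects still float, and `bump_ref_name` is the mechanical part of the periodic update; the judgement call (which new tag, and re-baselining expectations afterwards) stays with the person doing the bump.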
Documentation
- The periodic update process must be defined somewhere (handbook?)
What does success look like, and how can we measure that?
Expectations of test projects will need less frequent updates.
Links / references
Edited by Adam Cohen