Report vulnerable dependency paths for Bundler (Ruby)
Problem to solve
Dependency Scanning should report the dependency paths for vulnerable dependencies found in Ruby projects using Bundler, so that these paths can be shown in the UI, including in the dependency list. See #227620 (closed)
Proposal
Update the lock file parser specific to this package manager, and make it able to build the dependency graph.
Implementation plan
This depends on Migrate existing lock file parsers to new Depen... (#474314 - closed)
-
Update the specific lock file parser so that it lists dependency links
- An unfinished example can be found in Extract graph info from Gemfile.lock [gemnasium... (gitlab-org/security-products/analyzers/gemnasium!406 - closed)
- The DEPENDENCIES section contains the project's direct dependencies.
- An entry that starts with 6 spaces indicates that you have reached the child dependency state (dependency of a dependency)
- Add unit test for expected packages and dependencies
- Update Dependency Scanning documentation to show that dependency paths are supported for this particular package manager
Permissions and Security
N/A
Documentation
Dependency Path support for this particular package manager should be documented in Dependency Scanning documentation.
Availability & Testing
To be tested doing automatically when doing QA for the analyzer project and checking the generated report.
What does success look like, and how can we measure that?
The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.
What is the type of buyer?
Links / references
How To extract Dependency tree for Gemfile
Parsing the Gemfile with the following steps:
-
Find the Main Dependencies
We look for theDEPENDENCIESsection. This is the list of libraries your project directly depends on. -
Find Sub-Dependencies
In the
GEMsection, each library and its sub-dependencies are shown with indentation.- 4 spaces indicate the start of a "main dependency".
- 6 spaces indicate a "sub-dependency" of the main dependency.
Example from Gemfile.lock:
GEM rails (7.0.0) actionpack (7.0.0) activerecord (7.0.0) nokogiri (1.13.0) libxml2 (2.9.10) -
Get the "Real"(installed) Version of Sub-Dependencies:
We scan the entire GEM section to find the actual installed version of a sub-dependency.
-
Build the Tree
We connect the relationships, showing which libraries depend on which. We store this data in a list where each "parent" library points to its "child" dependencies.
Designs
Is blocked by
Relates to
- #22981917.75
- #22981717.44
Activity
added to epic &3843 (closed)
removed milestone %13.4
marked this issue as related to #229840 (closed)
changed milestone to %Backlog
added sectionsec label
changed epic to &3858
added AST Leadership label
removed workflowscheduling label
changed epic to &7288 (closed)
added featureaddition label
mentioned in merge request gitlab-org/security-products/analyzers/gemnasium!406 (closed)
@brytannia FYI we now have a Community contribution for this issue. I've checked the implementation plan it looks like it's been refined, so I'm moving it to workflowin dev. (I guess it didn't have the workflowrefinement label b/c it was created before that label was introduced.)
Could you confirm that this stays in the %Backlog since we're not committing to shipping this with a specific version of GitLab?
Also, as a reviewer for the MR, should I assign the issue to myself? I did that in the past, but I'm not totally sure I should do it that way, and I can't find anything about this in https://docs.gitlab.com/ee/development/contributing/.
Thanks for providing guidance!
@fcatteau sorry for a long reply but I think that we have already discussed this topic in person. So I'll recap for visibility.
Let's leave this issue in backlog as it's not our priority and we don't have a timeline that we can commit to it.
Concerning assignee, for general GitLab contribution, author of the solution is assigned to the issue. If the author of MR doesn't want to be assigned to this issue, I'd leave it unassigned.
added workflowin dev label
removed milestone %Backlog
added CA PM Priority label
removed from epic &7288 (closed)
added to epic &7288 (closed)
changed milestone to %Backlog
marked this issue as related to #229819 (closed)
marked this issue as related to #229817 (closed)
changed epic to &14484 (closed)
added workflowrefinement label and removed workflowin dev label
Moving back to workflowrefinement since quite some time has passed since initial refinement.
added workflowready for development label and removed workflowrefinement label
marked this issue as blocked by #474314 (closed)
added workflowblocked label and removed workflowready for development label
changed milestone to %17.4
removed blocked label
added Deliverable workflowready for development labels and removed workflowblocked label
changed milestone to %17.5
The analytics instrumentation label is automatically applied when featureaddition and workflowready for development labels are applied. We encourage teams to plan for instrumentation at the time of feature development for new features. This label helps groupanalytics instrumentation to proactively reach out to teams that require instrumentation support. In case instrumentation does not apply to this feature, please feel free to remove the label.
added analytics instrumentation label
mentioned in issue #451091 (closed)
mentioned in issue gitlab-org/quality/triage-reports#19808 (closed)
assigned to @ifrenkel
mentioned in issue gitlab-org/quality/triage-reports#19918 (closed)
Putting this back into backlog #451091 (comment 2130165969)
changed milestone to %Backlog
unassigned @ifrenkel
removed Deliverable label
assigned to @Joey_Khabie
added workflowin dev label and removed workflowready for development label
added Deliverable label
changed milestone to %17.6
mentioned in issue #482903 (closed)
mentioned in epic gitlab-org#7288 (closed)
mentioned in issue gitlab-org/quality/triage-reports#20331 (closed)
mentioned in issue gitlab-org/quality/triage-reports#20447 (closed)
Update 11-01-2024
I did not work on it in the past week since I was needed in kev exporting to GCP bucket
I will continue working on this issue today .
/cc @tkopel
mentioned in issue gitlab-org/quality/triage-reports#20584 (closed)
-
@hacks4oats , I'm not sure how the output of parsing the dependencies tree in this case should look like , There are 2 differents JSON outputs for Maven and pipenv, so there is no a common structure for dependency tree:
In Maven, 1 dependency object looks like that:
{ "from": { "name": "org.powermock/powermock-api-support", "version": "1.7.3" }, "to": { "name": "org.powermock/powermock-reflect", "version": "1.7.3" }, "range": "1.7.3", "dev": true },In pipenv , 1 dependency object looks like that:
{ "key": "google-auth", "package_name": "google-auth", "installed_version": "2.33.0", "required_version": ">=2.14.1,<3.0.0dev,!=2.25.0,!=2.24.0", "dependencies": [ { "key": "cachetools", "package_name": "cachetools", "installed_version": "5.4.0", "required_version": ">=2.0.0,<6.0", "dependencies": [] }, }Is there a prefered structure to create ?
@Joey_Khabie @hacks4oats is PTO. Are you blocked? @ifrenkel is DRI on the epic while he's away. Anything I can do to help?
I'll take a look and get back to you today (UTC-4) @Joey_Khabie.
@Joey_Khabie your second example is the fixture input file. There is a piplock parser (using PIpfile.lock) and a pipenv graph parser (using pipenv.graph.json). These are both input files into the analyzer and you can find the expected output for these in the
expectdirectory of a parser: dependencies.json.The structure of the output will always be the same once the parser implements the Parse func (example).
PS: I think the fixtures for pipenv graph are confusing because they both have the lock and the json file. These were there to show how the json was generated but probably should be removed.
mentioned in issue gitlab-org/quality/triage-reports#20752 (closed)
mentioned in issue #482904 (closed)
mentioned in merge request gitlab-org/security-products/analyzers/dependency-scanning!81 (merged)
mentioned in merge request gitlab-org/security-products/analyzers/dependency-scanning!82 (merged)
-
changed milestone to %17.7
-
update 11-14-2024
This feature is still under development.
Need to add:
- Unit tests
- Make sure the feature outputs both dep tree file and all packages.
You can take a look at the MR
/cc- @tkopel
Edited by Joey Khabie mentioned in issue gitlab-org/quality/triage-reports#20832 (closed)
removed workflowin dev label
added workflowin review label
mentioned in epic gitlab-org#14484 (closed)
changed milestone to %17.8
added missed:17.7 label
added missed-deliverable label
-
@Joey_Khabie what's the status here? Didn't we finish?
removed workflowin review label
added workflowcomplete label
-
MR was merged .
