Programmatically enforce scanner version in Secure analyzers
Problem to solve
Now that "Security report provide Scanner version, not Analyzer version" has been completed, Secure analyzers will output a scan.scanner.version value which provides the version number of the underlying scanner tool used by the analyzer. We already have a "check analyzer version" job which ensures that the analyzer version matches the most recent version in the CHANGELOG.md file; however, we don't have any way of ensuring that the scanner version included in the scan.scanner.version field of the secure report matches the one in the Dockerfile.
The purpose of this issue is to figure out how to ensure that these two values are the same, to prevent the upstream scanner from being updated without also updating the version in the scan.scanner.version value.
Intended users
User experience goal
The version of the scanner from the Dockerfile must match the version in the scan.scanner.version field of the secure report.
Proposal
Replace the following environment variables with a SCANNER_VERSION environment variable, and reference it using os.Getenv("SCANNER_VERSION") in the ScannerVersion variable of the metadata.go file for each of the following projects:
- SAST
  - security-code-scan: ENV SECURITY_CODE_SCAN_VERSION ${SECURITY_CODE_SCAN_VERSION:-3.5.3}
  - flawfinder: ARG FLAWFINDER_VERSION=2.0.11
  - brakeman: RUN gem install brakeman -v 4.9.1
  - spotbugs: ENV SPOTBUGS_VERSION ${SPOTBUGS_VERSION:-4.1.2}
  - gosec: ARG GOSEC_VERSION=2.4.0
  - bandit: ARG BANDIT_VERSION=1.6.2
  - phpcs-security-audit: RUN composer require --dev pheromone/phpcs-security-audit 2.0.1
  - sobelow: ARG SOBELOW_VERSION=0.10.4
  - pmd-apex: ENV PMD_VERSION ${PMD_VERSION:-6.27.0}
  - secrets: ENV GITLEAKS_VERSION ${GITLEAKS_VERSION:-v6.1.2}
  - eslint: the eslint version is defined in the package.json file ("eslint": "7.9.0"). See the discussion here on how to handle this.
  - kubesec: the kubesec version is defined as a git SHA instead of the tag version, since the kubesec Docker container is tagged with the git SHA (FROM kubesec/kubesec:da10552). See the discussion here on how to handle this.
  - nodejs-scan: the nodejs version is defined as a git SHA (ENV NODEJS_SCAN_VERSION=${NODEJS_SCAN_VERSION:-657c60f6582cc8e489e5ba2a183a00c8c5617317}). This will not be implemented because the nodejs-scan analyzer will be rewritten, as explained here.
- Dependency Scanning
  - bundler-audit: ARG BUNDLER_AUDIT_VERSION="0.7.0.1"
  - retire.js: ENV RETIRE_JS_VERSION ${RETIRE_JS_VERSION:-2.2.1}
  - gemnasium-python: analyzer and scanner version are the same, no change necessary
  - gemnasium-maven: analyzer and scanner version are the same, no change necessary
  - gemnasium: analyzer and scanner version are the same, no change necessary
- Container Scanning
  - klar: ARG CLAIR_REPO_TAG=v2.1.4
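As an added illustration of the proposal (not code from any GitLab analyzer), the Go snippet below reads the default SCANNER_VERSION out of a Dockerfile and compares it with the scan.scanner.version field of a report, the way a CI job could enforce the match. The Dockerfile fragment, the report and the function names are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed samples: a Dockerfile fragment in the proposal's ENV form, plus a minimal secure report.
const SampleDockerfile = "FROM alpine:3.12\nENV SCANNER_VERSION ${SCANNER_VERSION:-2.4.0}\n"
const SampleReport = `{"scan":{"scanner":{"id":"gosec","version":"2.4.0"}}}`

// Accepts ARG SCANNER_VERSION=x and ENV SCANNER_VERSION ${SCANNER_VERSION:-x} once analyzers are renamed.
var versionRE = regexp.MustCompile(
	`^\s*(?:ARG|ENV)\s+SCANNER_VERSION(?:=|\s+)(?:\$\{SCANNER_VERSION:-)?"?([^}\s"]+)"?`)

// DockerfileScannerVersion returns the default SCANNER_VERSION declared in a Dockerfile.
func DockerfileScannerVersion(dockerfile string) (string, error) {
	for _, line := range strings.Split(dockerfile, "\n") {
		if m := versionRE.FindStringSubmatch(line); m != nil {
			return m[1], nil
		}
	}
	return "", fmt.Errorf("no SCANNER_VERSION ARG/ENV in Dockerfile")
}

// ReportScannerVersion reads scan.scanner.version (encoding/json maps the lowercase keys case-insensitively).
func ReportScannerVersion(report []byte) (string, error) {
	var r struct{ Scan struct{ Scanner struct{ Version string } } }
	if err := json.Unmarshal(report, &r); err != nil {
		return "", err
	}
	if r.Scan.Scanner.Version == "" {
		return "", fmt.Errorf("report lacks scan.scanner.version")
	}
	return r.Scan.Scanner.Version, nil
}

// CheckVersionsMatch is the CI gate the issue asks for: it fails when the two versions disagree.
func CheckVersionsMatch(dockerfile string, report []byte) error {
	want, err := DockerfileScannerVersion(dockerfile)
	if err != nil {
		return err
	}
	got, err := ReportScannerVersion(report)
	if err == nil && want != got {
		err = fmt.Errorf("scanner version mismatch: Dockerfile %s, report %s", want, got)
	}
	return err
}
```

Wired into the analyzer's pipeline, a non-nil error from CheckVersionsMatch fails the job, so a scanner bump in the Dockerfile cannot ship with a stale reported version.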
Further details
We need a way to programmatically enforce that the version of the scanner in the Dockerfile is the same one as output by the scan.scanner.version field in the secure report, since adding a rule to the README is not sustainable: eventually someone will forget to update this value. We need this process to be automated to prevent mistakes.
Availability & Testing
Ensure that it's not possible to have a mismatch of versions between the scanner version specified in the Dockerfile and the one reported by scan.scanner.version.
What does success look like, and how can we measure that?
A mismatched version will cause an error, or it simply isn't possible to have mismatched versions
What is the type of buyer?
Enterprise Edition GitLab Ultimate
Is this a cross-stage feature?
Yes, this affects all secure analyzers
Links / references
See this discussion for more details