Host Git-based Dependency Scanning vulnerability databases entirely on GitLab.com
Problem to solve
This issue mostly applies to self-hosted GitLab instances, but it may apply to GitLab.com users too, I suppose.
The Dependency Scanning feature of GitLab pulls Git-based vulnerability databases from multiple locations across various GitHub and GitLab projects, some of which are seemingly not operated by GitLab. For ease-of-adoption, security reasons, and to ensure databases come from a reputable source, we'd like to see all of these vulnerability databases hosted on GitLab.com under an official GitLab group and repo (even if it's just an automatic mirror of the upstream location).
For example, our corporate environment limits access to Git repositories on the open Internet. If all of the repositories come from a similar location, this makes configuration of things like network ACLs easier and less brittle.
It also gives security/accreditation folks a little bit more confidence if the entire product (Dependency Scanning) including its dependencies come from GitLab rather than from various sources.
In our specific case, we intend to just set up an automatic mirror to our self-hosted GitLab so that our dependency scans use local database sources. So this should not appreciably increase the network load to GitLab.com (if that's an issue, but I doubt it is).
Intended users
- Cameron (Compliance Manager)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Priyanka (Platform Engineer)
Proposal
#. GitLab (the company) sets up Git mirrors of any of the Dependency Scanning vulnerability database repos on GitHub or other locations in a well-known location in gitlab-org.
#. Update the Dependency Scanning analyzer binary default vulnerability database locations to these new mirrored locations
#. Update depscan documentation to mention the new defaults (should still have the ability to customize these locations if necessary using env vars)
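For reference, this is what the env-var override from step 3 looks like today when pointing the analyzers at a self-hosted mirror. This is an added illustration, not part of the original proposal or of any GitLab code: the variable names are the ones documented for the gemnasium, retire.js and bundler-audit analyzers, while the host `gitlab.example.internal` and the mirror project paths under `mirrors/` are hypothetical and would be replaced by whatever the local mirror is actually called.

```yaml
# .gitlab-ci.yml (added example; mirror host and project paths are hypothetical)
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # gemnasium analyzers: Git-based DB, cloned at a specific ref
  GEMNASIUM_DB_REMOTE_URL: "https://gitlab.example.internal/mirrors/gemnasium-db.git"
  GEMNASIUM_DB_REF_NAME: "master"

  # retire.js analyzer: two JSON files served over HTTP(S), e.g. via the
  # raw-file endpoint of the mirrored repository
  RETIREJS_JS_ADVISORY_DB: "https://gitlab.example.internal/mirrors/retire.js/-/raw/master/repository/jsrepository.json"
  RETIREJS_NODE_ADVISORY_DB: "https://gitlab.example.internal/mirrors/retire.js/-/raw/master/repository/npmrepository.json"

  # bundler-audit analyzer: Git-based DB, cloned at a specific ref
  BUNDLER_AUDIT_ADVISORY_DB_URL: "https://gitlab.example.internal/mirrors/ruby-advisory-db.git"
  BUNDLER_AUDIT_ADVISORY_DB_REF_NAME: "master"
```

Two things worth noting when reviewing a configuration like this: every analyzer has its own variable (and retire.js fetches plain JSON files rather than a Git repo, so the mirror has to expose them over HTTP as well as Git), and pinning the ref to `master` means the scan silently tracks whatever the mirror last pulled, so the mirror's own update job is what actually determines how fresh the advisories are. Having a single, well-known default location in gitlab-org, as proposed above, would make this block unnecessary for most users and reduce it to one mirror source for those who still need it.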
Documentation
- The Dependency Scanning documentation needs to be updated with the new vulnerability database default locations on gitlab.com