RCA of Dependency Scanning vulnerability database issue
Please note: if the incident relates to sensitive data, or is security related consider labeling this issue with security and mark it confidential.
Dependency Scanning had a bug which caused its internal vulnerability database to lag behind the live vulnerability database gemnasium-db. This resulted in users having dependency scans with outdated results.
- Service(s) affected : Dependency Scanning Category:Dependency Scanning
- Team attribution : Composition Analysis groupcomposition analysis
- Minutes downtime or degradation : This issue has been present in the code since 2020-03-30
Impact & Metrics
|What was the impact||Projects running dependency scans had intermittently outdated data.|
|Who was impacted||Users with projects running Dependency Scanning.|
|How did this impact customers||Customers could have received false negatives.|
The vulnerability database got updated intermittently (rather than on every scan) every time a new version of the
gemnasium analyzer was released.
gemnasium-maven analyzers use
advisory package for updating their vulnerability database and were affected by the bug as well. For a list of affected languages and package managers see the
gemnasium-python entries in the docs.
Detection & Response
Start with the following:
|When was the incident detected?||2020-12-17|
|How was the incident detected?||Vulnerability Research team noticed detection of newly added advisories not working.|
|Did alarming work as expected?||A bug was opened with the groupcomposition analysis team.|
|How long did it take from the start of the incident to its detection?||11 months|
|How long did it take from detection to remediation?||1 release|
|What steps were taken to remediate?||Reproduce issue, fix, issue new releases for affected analyzers.|
gemnasium analyzer affected versions
|Date new version released||gemnasium version||# of days vuln db stale|
gemnasium-python analyzer affected versions
|Date new version released||gemnasium-python version||gemnasium version||# of days vuln db stale|
gemnasium-maven analyzer affected versions
|Date new version released||gemnasium-maven version||gemnasium version||# of days vuln db stale|
Bug fix rollout
A fix for this bug was released in gemnasium v2.28.1 and subsequently in gemnasium-maven v2.20.4 and gemnasium-python v2.17.3. The default Dependency Scanning template always points to the latest major tag of the analyzer (i.e.
gemnasium-python:2). This means that when a new version of the analyzer is released, the major tag is moved to point at that new version. Users that are using
gitlab.com runners, container registry, and original Dependency Scanning template will have the new analyzer version available to them on the very next scan after the bug fix release.
Users in the following categories would need to take a manual action of pulling the relevant analyzer docker version into their container registry:
gitlab.comusers with their own docker runners and a pull-policy other than
- self managed users with gitlab runners using pull-policy with a setting other than
- users with an edited Dependency Scanning template with analyzers pinned to a non-major-only tag (say
gemnasium:2.27.0) pointing to a version between
Note: If a customer is on an affected version but is moving their own
gemnasium-db tags to update the advisory database, then they are unaffected by this bug.
Root Cause Analysis
A bug was introduced in the Dependency Scanning detection analyzer gemnasium. Specifically, the issue was in the advisory package which uses gemnasium-db git repo as the data source and refreshes this data via
git commands. advisory.Update syncs with its advisory db remote at scan-time in order to pull in the freshest version of the database.
The feature delivered with version
v2.8.1 added functionality for using commit refs and tags alongside branches. In this version bug was introduced in the way
git handles updates: if the build-time branch matched the scan-time branch (i.e. the branch was already checked out), no update would be conducted because
git would assume it has the latest copy.
In order to have a full set of advisories and not pull data needlessly on every scan,
gemnasium also builds with its own version of the advisory database. It then also tries to refresh this database at scan-time using the
GEMNASIUM_DB_REF_NAME environment variable - this was the part affected. Thus, the "freshness" of advisories was dictated by the analyzer's last build time (see the timeline section).
What went well
- Good team collaboration to get issue tested and thoroughly reviewed.
- QA test environment caught a possible regression in the release process (i.e. we added tests more some facets of this vuln db update behavior).
What can be improved
- We need to add a class of integration tests for the update logic of the vulnerability database.
- The projects we use for integration tests never change unless we add new scanning capabilities and need the test project to reflect this. This makes simulation of "real" user scenarios more difficult. We should discuss how to add a "realistic" subset to test projects.
- Add a set of test scenarios specifically for the vulnerability database feature (regression test with better coverage was added alongside the fix).