
Warn in logs about Dependency Scanning jobs security risks

Release notes

Problem to solve

As a user with Dependency Scanning jobs running in my project pipeline, I want to be warned when a scanning job uses a vulnerability database that might be outdated. In particular, I want to be warned when:

  • The vulnerability DB being used is not the one maintained by GitLab.
  • The update of the vulnerability DB has been disabled.
  • The scanner has been configured to fetch a particular version/git ref of the vulnerability DB.

I still want to be able to customize Dependency Scanning using supported CI variables.

Further details

Here are the relevant variables:

BUNDLER_AUDIT_UPDATE_DISABLED
BUNDLER_AUDIT_ADVISORY_DB_URL
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME

GEMNASIUM_DB_UPDATE_DISABLED
GEMNASIUM_DB_REMOTE_URL
GEMNASIUM_DB_REF_NAME

RETIREJS_JS_ADVISORY_DB
RETIREJS_NODE_ADVISORY_DB

It might be relevant to warn about RETIREJS_ADVISORY_DB_INSECURE being set, but this is out of scope.

Implementation plan

This issue is limited to adding this warning to the job logs. More is planned in #347546 (closed).

This is similar to #337295 (closed).

Availability & Testing

Integration tests are to be added covering the following scenarios:

  • The vulnerability DB being used is not the one maintained by GitLab.
  • The update of the vulnerability DB has been disabled.
  • The scanner has been configured to fetch a particular version/git ref of the vulnerability DB.
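As an added illustration of the warning described in the implementation plan and of the three test scenarios above (example code, not from the GitLab analyzers themselves), the check below inspects the job's CI variables and returns one warning line per risky setting. The default DB URLs, the truthy-value convention for the `*_DISABLED` variables, and the `dbPolicy` table are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)
// dbPolicy lists, per scanner, the CI variables that change where its vulnerability DB
// comes from. DefaultURL values are ASSUMED placeholders for the GitLab-maintained DBs.
type dbPolicy struct {
	Scanner, URLVar, DefaultURL string
	DisabledVar, RefVar         string // empty when the scanner has no such variable
}
var policies = []dbPolicy{
	{"bundler-audit", "BUNDLER_AUDIT_ADVISORY_DB_URL", "https://example.invalid/gitlab/ruby-advisory-db",
		"BUNDLER_AUDIT_UPDATE_DISABLED", "BUNDLER_AUDIT_ADVISORY_DB_REF_NAME"},
	{"gemnasium", "GEMNASIUM_DB_REMOTE_URL", "https://example.invalid/gitlab/gemnasium-db",
		"GEMNASIUM_DB_UPDATE_DISABLED", "GEMNASIUM_DB_REF_NAME"},
	{"retire.js", "RETIREJS_JS_ADVISORY_DB", "https://example.invalid/gitlab/jsrepository.json", "", ""},
	{"retire.js", "RETIREJS_NODE_ADVISORY_DB", "https://example.invalid/gitlab/npmrepository.json", "", ""},
}
// isTruthy follows the usual CI convention that "true"/"1"/"yes" enable a flag (assumed).
func isTruthy(v string) bool {
	v = strings.ToLower(strings.TrimSpace(v))
	return v == "true" || v == "1" || v == "yes"
}
// DBWarnings returns one log line per CI setting that can leave the scan on an outdated DB.
func DBWarnings(env map[string]string) []string {
	var out []string
	for _, p := range policies {
		if v := env[p.URLVar]; v != "" && v != p.DefaultURL {
			out = append(out, fmt.Sprintf("WARNING [%s]: %s=%q is not the GitLab-maintained vulnerability DB", p.Scanner, p.URLVar, v))
		}
		if p.DisabledVar != "" && isTruthy(env[p.DisabledVar]) {
			out = append(out, fmt.Sprintf("WARNING [%s]: %s is set, the vulnerability DB will not be updated", p.Scanner, p.DisabledVar))
		}
		if p.RefVar != "" && env[p.RefVar] != "" {
			out = append(out, fmt.Sprintf("WARNING [%s]: %s=%q pins the vulnerability DB to a fixed ref", p.Scanner, p.RefVar, env[p.RefVar]))
		}
	}
	return out
}

func main() { // stand-alone: inspect the real job environment and print the warnings
	env := map[string]string{}
	for _, kv := range os.Environ() {
		k, v, _ := strings.Cut(kv, "=") // strings.Cut needs Go 1.18+
		env[k] = v
	}
	fmt.Println(strings.Join(DBWarnings(env), "\n"))
}
```

Setting a URL variable to its default produces no warning, so supported customisation that keeps the GitLab-maintained DB stays silent; the three scenarios each map to exactly one warning line.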

Is this a cross-stage feature?

To be checked. It might apply to other security scanning jobs that are highly customizable, and that expose CI variables one could use to exclude vulnerabilities/rules.

Edited by Will Meek