Link vulnerability reported by the Gemnasium analyzer to the corresponding advisory in the gemnasium-db repository
Summary
Vulnerabilities reported by the Gemnasium analyzer carry a URL for the primary identifier that sometimes points to a 404, since we no longer push advisories to https://deps.sec.gitlab.com/.
Also, the information found on https://deps.sec.gitlab.com/ might be out of sync with https://gitlab.com/gitlab-org/security-products/gemnasium-db, causing confusion.
Steps to reproduce
- Find a vulnerability reported by Gemnasium analyzer (Dependency Scanning)
- Open the modal
- Click on the first identifier which points to a 404 on https://deps.sec.gitlab.com/
Example Project
The bug is visible on the js-npm security dashboard: clicking the highlighted issue and then the gemnasium identifier (see below) takes one to an empty page on deps.sec.gitlab.com, when one should instead be redirected to the gemnasium-db repo.
What is the current bug behavior?
The links point to a 404 on https://deps.sec.gitlab.com/
What is the expected correct behavior?
The links point to the corresponding YAML file in the gemnasium-db repository.
Users can check the YAML file and contribute updates.
Possible fixes
Update the URL value of the gemnasium identifier to point to the corresponding file in the gemnasium-db repository. We need to consider a possible local repository, so we can't just hardcode a link to the https://gitlab.com/gitlab-org/security-products/gemnasium-db project.
Implementation Plan
- update gemnasium; see gitlab-org/security-products/analyzers/gemnasium!80 (merged)
  - introduce a new variable named GEMNASIUM_DB_WEB_URL, which defaults to the web URL of the gemnasium-db project; it's exposed as a CLI env var, and forced in the Dockerfile, just like GEMNASIUM_DB_REMOTE_URL
  - change the functions of the scanner package so that they propagate the relative path of the YAML advisories in the scanner.File structs they return
  - update the VulnerabilityConverter.primaryIdentifier method of the convert package, and forge the URL using GEMNASIUM_DB_WEB_URL, GEMNASIUM_DB_REF_NAME, and the relative path of the YAML advisory
  - release new version
- introduce a new variable named
- upgrade the gemnasium dependency
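As an added illustration of the URL-forging step in the plan above (example code, not the gemnasium analyzer's own implementation): a small Go program that resolves GEMNASIUM_DB_WEB_URL and GEMNASIUM_DB_REF_NAME from the environment, falls back to assumed defaults, and joins them with an advisory's repository-relative path. The default values, the /-/blob/<ref>/<path> GitLab layout, the function names and the advisory file path are all assumptions made for this example; the advisory path also comes from the scanner, so the code refuses paths that would escape the repository root rather than quietly building a misleading link.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path"
	"strings"
)

// Defaults assumed for this example; the analyzer's actual defaults are not
// stated on the page.
const (
	DefaultDBWebURL  = "https://gitlab.com/gitlab-org/security-products/gemnasium-db"
	DefaultDBRefName = "master"
)

// envOrDefault reads an environment variable, falling back to def when it is
// unset or empty.
func envOrDefault(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}

// AdvisoryURL forges the web URL of one advisory YAML file from the web URL of
// a gemnasium-db project (gitlab.com or a self-hosted instance), the git ref it
// was cloned at, and the advisory path relative to the repository root.
// It assumes GitLab's /-/blob/<ref>/<path> layout.
func AdvisoryURL(webURL, refName, relPath string) (string, error) {
	base, err := url.Parse(strings.TrimRight(webURL, "/"))
	if err != nil {
		return "", err
	}
	if base.Scheme == "" || base.Host == "" {
		return "", fmt.Errorf("GEMNASIUM_DB_WEB_URL %q is not an absolute URL", webURL)
	}
	if refName == "" || strings.Contains(refName, "..") {
		return "", errors.New("invalid ref name")
	}
	// The relative path is produced by the scanner package; reject an empty
	// path or one that would point outside the repository.
	rel := path.Clean(strings.TrimLeft(relPath, "/"))
	if rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("invalid advisory path %q", relPath)
	}
	// path.Join keeps a self-hosted instance's path prefix intact;
	// url.URL.String percent-encodes what the path needs.
	base.Path = path.Join(base.Path, "-", "blob", refName, rel)
	return base.String(), nil
}

// AdvisoryURLFromEnv resolves the two variables named in the implementation
// plan and forges the URL for relPath.
func AdvisoryURLFromEnv(relPath string) (string, error) {
	return AdvisoryURL(
		envOrDefault("GEMNASIUM_DB_WEB_URL", DefaultDBWebURL),
		envOrDefault("GEMNASIUM_DB_REF_NAME", DefaultDBRefName),
		relPath,
	)
}

func main() {
	// Constructed advisory path for demonstration; not a real gemnasium-db file.
	u, err := AdvisoryURLFromEnv("npm/example-package/EXAMPLE-0001.yml")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(u)
}
```

Running it with GEMNASIUM_DB_WEB_URL pointed at a self-hosted mirror (for example one cloned via GEMNASIUM_DB_REMOTE_URL) yields a link into that instance rather than gitlab.com, which is the "possible local repository" case the fix has to cover.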