enable users to augment the advisory-DB privately
Note to wider-community, sales, support and customer success
As always we welcome contributions, so feel free to ask questions of the PM of Composition Analysis if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE if you are a user who also would like to see this feature, please UPVOTE
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.
Release notes
Problem to solve
It has been mentioned once that a user wished to augment (add to) our advisory DB, which is used when scanning dependencies, but not publicly (through our public process), as they did not want other users to see the vulnerabilities.
This could be the case for private internal repos, for example.
If this issue gets upvotes or comments, the objective would be to consider a mechanism for users to keep their local advisory-db (they would have to maintain a local copy and change their configuration as per our offline documentation to use it), have a way to inject and keep their own private advisories in it, and perhaps be able to back it up.
We would need to design the synchronization method, document the injection method (perhaps even streamline it), and reference / point to how to back it up.
Potentially this could be broken into multiple issues under an epic.
Intended users
Metrics
User experience goal
Proposal
Further details
Permissions and Security
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
SEO
inject into vulnerability database, add into vulnerability database, custom vuln-db