Warn about Dependency Scanning jobs using a vulnerability DB that might be outdated
Release notes
Problem to solve
As a user with Dependency Scanning jobs running in my project pipeline, I want to be warned when a scanning job uses a vulnerability database that might be outdated. In particular, I want to be warned when:
- The vulnerability DB being used is not the one maintained by GitLab.
- The update of the vulnerability DB has been disabled.
- The scanner has been configured to fetch a particular version/git ref of the vulnerability DB.
I still want to be able to customize Dependency Scanning using supported CI variables.
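The three conditions above can be checked mechanically from the CI variables a Dependency Scanning job ends up with. The following is an added example, not GitLab's own code: it merges global and job-level variables from a (constructed) pipeline config, emits a warning for each condition, and drops warnings the user has acknowledged. The variable names GEMNASIUM_DB_REMOTE_URL, GEMNASIUM_DB_UPDATE_DISABLED and GEMNASIUM_DB_REF_NAME, the GitLab-maintained DB URL and the default ref are assumptions taken from the gemnasium analyzers' documentation rather than from this issue.

```python
# Added example (not GitLab's code): warn when a Dependency Scanning job is
# configured so that its vulnerability DB may be outdated.

# Assumed variable names and defaults (from gemnasium analyzer docs; treat as assumptions).
DB_REMOTE_URL_VAR = "GEMNASIUM_DB_REMOTE_URL"
DB_UPDATE_DISABLED_VAR = "GEMNASIUM_DB_UPDATE_DISABLED"
DB_REF_NAME_VAR = "GEMNASIUM_DB_REF_NAME"
GITLAB_DB_URL = "https://gitlab.com/gitlab-org/security-products/gemnasium-db.git"
DEFAULT_DB_REF = "master"

TRUTHY = {"true", "1", "yes"}


def effective_variables(pipeline_config, job_name):
    """Return the variables a job sees: global `variables` overridden by the job's own."""
    merged = dict(pipeline_config.get("variables", {}))
    merged.update(pipeline_config.get(job_name, {}).get("variables", {}))
    # CI variables are strings at runtime; normalise YAML booleans/ints the same way.
    return {k: str(v) for k, v in merged.items()}


def check_vuln_db_config(variables, acknowledged=frozenset()):
    """Return (code, message) warnings for the three outdated-DB conditions.

    `acknowledged` is a set of warning codes the user has accepted; those are
    suppressed so the warning does not keep reappearing (persisted preference).
    """
    warnings = []

    url = variables.get(DB_REMOTE_URL_VAR, "").strip()
    if url and url.rstrip("/") != GITLAB_DB_URL:
        warnings.append(("custom_db",
                         f"{DB_REMOTE_URL_VAR} points at a DB not maintained by GitLab: {url}"))

    if variables.get(DB_UPDATE_DISABLED_VAR, "").strip().lower() in TRUTHY:
        warnings.append(("update_disabled",
                         f"{DB_UPDATE_DISABLED_VAR} is set; the DB will not be refreshed"))

    ref = variables.get(DB_REF_NAME_VAR, "").strip()
    if ref and ref != DEFAULT_DB_REF:
        warnings.append(("pinned_ref",
                         f"{DB_REF_NAME_VAR} pins the DB to '{ref}' instead of '{DEFAULT_DB_REF}'"))

    return [w for w in warnings if w[0] not in acknowledged]


# Constructed pipeline config (a .gitlab-ci.yml already parsed into a dict).
SAMPLE_CONFIG = {
    "variables": {DB_REF_NAME_VAR: DEFAULT_DB_REF},
    "gemnasium-dependency_scanning": {
        "variables": {
            DB_REMOTE_URL_VAR: "https://mirror.example.internal/gemnasium-db.git",  # constructed
            DB_UPDATE_DISABLED_VAR: True,       # YAML boolean, normalised to "True"
            DB_REF_NAME_VAR: "v2.1.0",          # constructed pinned tag
        }
    },
    "gemnasium-maven-dependency_scanning": {"variables": {}},
}


def warning_codes(pipeline_config, job_name, acknowledged=frozenset()):
    """Convenience wrapper: just the warning codes for one job."""
    variables = effective_variables(pipeline_config, job_name)
    return [code for code, _ in check_vuln_db_config(variables, acknowledged)]


if __name__ == "__main__":
    for job in ("gemnasium-dependency_scanning", "gemnasium-maven-dependency_scanning"):
        variables = effective_variables(SAMPLE_CONFIG, job)
        for code, message in check_vuln_db_config(variables):
            print(f"[{job}] {code}: {message}")
```

The `acknowledged` set is the hook for the "acknowledge and persist" part of the proposal: a UI would store the codes the user accepted per project and pass them in, so only new or changed conditions surface again.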
Further details
The warning could be shown on the Configuration page, in the Merge Request widget, in the Pipeline Security tab, or in other places. This is still under discussion.
We also might want to expand this issue to provide a more universal solution compatible with other types of Security scanning features.
Proposal
- Expand solution implemented in #337296 (comment 758002838)
- Add warnings in UX.
- Provide a way to acknowledge the warning, and persist user preferences
This is similar to #337295 (closed).
Is this a cross-stage feature?
To be checked. It might apply to other security scanning jobs that are highly customizable, and that expose CI variables one could use to exclude vulnerabilities/rules.