SBOM + cryptographic audit of gemnasium-maven
Problem to solve
All cryptographic modules used must be documented, including the version, the location(s) where each is used, and what it is used to accomplish.
- This information will be required when going through the audit, so it is best to document it up front.
- Non-FIPS-compliant cryptographic modules do not have to be removed from the containers.
- Non-FIPS-compliant cryptographic modules can be used in the platform so long as they are not used for security functions. Any such use must be thoroughly documented.
NIST keeps a validation database of approved/certified FIPS modules. This should be used as the primary resource for deciding what we can and cannot use.
Implementation Plan
- Create or update a high-level flow diagram (i.e. we get CI variables from the pipeline, run a build, gather the SBOM, use the DB inside the container to check the SBOM for vulnerabilities, then export a report).
- Point out the places where encryption is used and which modules are used there.
- Check whether those modules are NIST approved.
- Export the SBOM.
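As an added illustration of the documentation rows the audit asks for (module, version, location, purpose, validation status) pulled out of an exported SBOM, here is a small script that is not part of the project. The SBOM excerpt, the purpose index and the validated-module set are all constructed stand-ins; a real run would use the CycloneDX file the pipeline exports and the NIST CMVP database.

```python
import json

# Constructed CycloneDX-style SBOM excerpt standing in for a gemnasium-maven export.
# Component names, versions and purls are illustrative, not taken from the project.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.8",
     "purl": "pkg:deb/debian/openssl@3.0.8"},
    {"type": "library", "name": "bcprov-jdk15on", "version": "1.70",
     "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.70"},
    {"type": "library", "name": "commons-codec", "version": "1.15",
     "purl": "pkg:maven/commons-codec/commons-codec@1.15"}
  ]}"""

# Assumed index of cryptographic modules and what the pipeline uses them for.
# security_use is True when the module protects something (TLS, signatures) and
# False when it only does non-security work such as checksums for cache keys.
CRYPTO_INDEX = {
    "openssl": ("TLS when downloading dependencies and the advisory DB", True),
    "bcprov-jdk15on": ("signature verification of Maven artifacts", True),
    "commons-codec": ("hex/base64 encoding and cache-key hashing only", False),
}

# Assumed stand-in for the NIST CMVP validated-module list; a real audit must
# look each (module, version) pair up in the CMVP database itself.
CMVP_VALIDATED = {("openssl", "3.0.8")}


def audit_sbom(sbom_json, crypto_index=CRYPTO_INDEX, validated=CMVP_VALIDATED):
    """Return one documentation row per cryptographic component in the SBOM."""
    rows = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name", ""), comp.get("version", "")
        if name not in crypto_index:
            continue  # not a cryptographic module: nothing to document
        purpose, security_use = crypto_index[name]
        rows.append({
            "module": name, "version": version,
            "location": comp.get("purl", "unknown"),  # where it ships in the image
            "purpose": purpose, "security_use": security_use,
            "fips_validated": (name, version) in validated,
        })
    return rows


def audit_blockers(rows):
    """Security-use modules that are not validated block the audit; the rest only need documenting."""
    return [r["module"] for r in rows if r["security_use"] and not r["fips_validated"]]
```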