Increase discoverability of the GitLab Advisory database, allow customer to self-serve and check CVE presence
Problem to solve
We've received support requests for help with issues related to explaining why certain packages have their licenses listed as unknown. Example.
The goal is to reduce the number of customer support issues and the number of support requests for help that fit the scenario above.
Proposal
Increase the discoverability of the GitLab Advisory Database so that customers can self-serve and check CVE presence on their own rather than going through support.
With the new architecture developed for Continuous Vulnerability Scans we have a few possible approaches:
- Extend and advertise the existing https://advisories.gitlab.com/ website that is based on the GitLab Advisory Database git repository
  - boring solution, quick iteration
  - only available for Dependency Scanning CVEs (not for Operating System packages)
- Build this on top of the Package Metadata DB
  - can be used to display OS package advisories too, as it is a shared platform for Dependency Scanning and Container Scanning
- Build this as a feature within the GitLab Rails application
  - can be based on the data specifically available to this instance (maps to what the scanners in this instance can detect)
  - can be used to display OS package advisories too, as it is a shared platform for Dependency Scanning and Container Scanning
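Whichever of the approaches above is chosen, the self-serve question a customer wants answered is the same: "is package X at version Y covered by any advisory, and what fixed it?" The script below is an added illustration of that lookup and is not GitLab code; the advisory records, the `EXAMPLE-NNNN` identifiers, the `package_slug` / `affected_range` / `fixed_versions` field names and the range syntax (`,` for AND, `||` for OR) are all constructed for this example and are a simplified stand-in for whatever schema the real Advisory Database, Package Metadata DB or Rails feature would expose.

```python
"""Self-serve advisory lookup over a small, constructed advisory table.

Added example, not GitLab's code. The schema and the range syntax below are
assumptions made for illustration and are not the GitLab Advisory Database's
own file format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Advisory:
    identifier: str             # placeholder ids, constructed for this example
    package_slug: str           # "<ecosystem>/<package name>"
    affected_range: str         # "," joins AND-ed constraints, "||" joins alternatives
    fixed_versions: Tuple[str, ...]

# Accepts "1.2.3", "v1.2", "2"; anything after the third component is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_CONSTRAINT_RE = re.compile(r"^(>=|<=|==|>|<|=)\s*(\S+)$")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise a version string to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(part or 0) for part in m.groups())
    return (major, minor, patch)

def satisfies(version: str, constraint: str) -> bool:
    """True if `version` meets a single constraint such as '<1.2.3'."""
    m = _CONSTRAINT_RE.match(constraint.strip())
    if not m:
        raise ValueError(f"unparseable constraint: {constraint!r}")
    op, bound = m.group(1), parse_version(m.group(2))
    v = parse_version(version)
    return {
        ">=": v >= bound, "<=": v <= bound, ">": v > bound,
        "<": v < bound, "==": v == bound, "=": v == bound,
    }[op]

def in_range(version: str, range_expr: str) -> bool:
    """Evaluate the constructed range syntax: OR over '||' groups, AND within each."""
    return any(
        all(satisfies(version, c) for c in group.split(","))
        for group in range_expr.split("||")
    )

def find_advisories(db: Iterable[Advisory], package_slug: str, version: str) -> List[str]:
    """Return the sorted identifiers of advisories whose range covers this version.

    An empty list means "no matching advisory in this table", which is not the
    same as "the package is safe": the package may simply be absent from the data.
    """
    return sorted(
        a.identifier for a in db
        if a.package_slug == package_slug and in_range(version, a.affected_range)
    )

# Constructed sample data; package names and identifiers are invented.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "pypi/example-lib", ">=1.0.0,<1.2.3", ("1.2.3",)),
    Advisory("EXAMPLE-0002", "pypi/example-lib", "<0.9.5||>=2.0.0,<2.0.2", ("0.9.5", "2.0.2")),
    Advisory("EXAMPLE-0003", "npm/example-pkg", "<4.17.21", ("4.17.21",)),
]

if __name__ == "__main__":
    for slug, ver in [("pypi/example-lib", "1.1.0"), ("pypi/example-lib", "1.2.3"),
                      ("npm/example-pkg", "4.17.20"), ("pypi/not-in-db", "1.0.0")]:
        hits = find_advisories(ADVISORIES, slug, ver)
        print(f"{slug}@{ver}: {hits or 'no matching advisory in this table'}")
```

The distinction drawn in `find_advisories` is the one a self-serve page should make visible: "no advisory found" only means something if the customer can also see that the package is actually covered by the data set, which is where the per-instance data of the Rails approach (or the shared Package Metadata DB) would have an advantage over a static site.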
Edited by Thiago Figueiró