Include all Dependency Scanning tools into Gemnasium
Problem to solve
We currently have Gemnasium to provide Dependency Scanning features, but we are also using a couple of other tools (Retire.js and bundler-audit). Since it could be easier to maintain a single application, we can consider including everything in Gemnasium.
Benefits:
- only one project to maintain
- auto-remediation available for all detected advisories (if the package manager is supported); right now auto-remediation is only available in Gemnasium, and porting it to Retire.js doesn't seem realistic, not to mention the extra maintenance cost
- no orchestrator, no need for Docker-in-Docker; not needed anymore, see #12487 (closed); also we may have to keep multiple CI jobs, with different base images corresponding to various environments, like Python and Java Maven
Challenges and possible limitations:
- right now Gemnasium only detects affected libraries, not affected interpreters
- the Gemnasium DB may not feature all the advisories bundler-audit and retire.js know about
- retire.js detects affected minified libraries based on their filenames (mostly) and fingerprints (rarely); there's no such thing in Gemnasium
- even if we're able to merge gemnasium-maven and gemnasium-python into the main gemnasium project, we may still have to generate 2 specific Docker images, because the base images are different; they target Java Maven and Python, respectively
Proposal
Leverage the new Gemnasium architecture and add an abstraction to leverage three filesystem-based advisory databases:
Alternatively, make sure gemnasium-db contains all the advisories ruby-advisory-db and retire.js have, and that its schema is a superset of retire.js' and ruby-advisory-db's.
Dependencies
Features to be implemented in Gemnasium before it can replace bundler-audit and retire.js:
- add severity to the Security reports; see #8213 (closed)
- report JavaScript vulnerabilities based on filenames and fingerprints, respectively named extractors and hashes in Retire.js
- report vulnerabilities for the Ruby interpreter and its Rubygem library, like in rubysec/ruby-advisory-db; see #10588 (closed)
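To make the filename/fingerprint requirement concrete, here is an added example, not code from this issue, Gemnasium or Retire.js, of what a Retire.js-style matcher looks like: a filename regex ("extractor") recovers a version from the path, a SHA-1 table ("hashes") recognises a known build whose name carries no version, and the result is checked against a fixed-version bound. The jquery pattern, the hashed content and the "2.0.0" bound are all constructed for illustration.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Entry models the two Retire.js mechanisms the issue names: a filename pattern
// ("extractor") and content hashes ("hashes"). Every value below is constructed.
type Entry struct {
	Extractor  *regexp.Regexp             // filename regex; group 1 is the version
	Hashes     map[[sha1.Size]byte]string // SHA-1 of a known release -> its version
	BelowFixed string                     // versions strictly below this are affected
}

func atoi(s string) int { n, _ := strconv.Atoi(s); return n }

// versionLess reports whether a < b, comparing dotted numeric components.
func versionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if x, y := atoi(pa[i]), atoi(pb[i]); x != y {
			return x < y
		}
	}
	return len(pa) < len(pb)
}

// Affected returns the detected version ("" if unrecognised) and whether it is below the fix.
func (e Entry) Affected(filename string, content []byte) (string, bool) {
	v, ok := e.Hashes[sha1.Sum(content)]
	if m := e.Extractor.FindStringSubmatch(filename); m != nil {
		v, ok = m[1], true // a version in the filename takes precedence here
	}
	return v, ok && versionLess(v, e.BelowFixed)
}

// SampleContent stands in for a minified build whose filename carries no version;
// SampleEntry hashes it the way a database would hash a known release.
const SampleContent = "/* constructed stand-in for a vendored jquery 1.8.3 build */"

func SampleEntry() Entry {
	return Entry{BelowFixed: "2.0.0",
		Extractor: regexp.MustCompile(`jquery-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js$`),
		Hashes:    map[[sha1.Size]byte]string{sha1.Sum([]byte(SampleContent)): "1.8.3"}}
}

func main() { fmt.Println(SampleEntry().Affected("vendor/app.js", []byte(SampleContent))) } // 1.8.3 true
```

A real database would carry many entries, each with several extractors and a hash per published build, which is the data Gemnasium would need to absorb from Retire.js.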