Engineering discovery for auto remediate MVC
The goal of this issue is to have specs defined and the implementation details that will allow us to implement https://gitlab.com/gitlab-org/gitlab-ee/issues/5656.
Nothing will be shipped as part of the product when this issue is closed.
Goal
When dependency scanning finds a vulnerable dependency, it may also report a solution, for example bumping the dependency to a newer version. We already have this information available, but we are still not able to leverage it in an automated way.
We will start by focusing on a specific package manager, but we should try to find a generic approach that can be extended to other package managers as well.
Once we can access this information automatically, we should create a new branch and commit the needed changes (for example, a modified Gemfile.lock with the updated version information).
A merge request is then required to merge the automatically created branch into the original branch, since we don't want to alter the original branch directly.
The technical steps are:
- fetch the suggested solution from the vulnerability information
- parse the solution to extract the action to take (e.g., update to version N)
- map the solution to a sequence of changes that are able to fix the problem (e.g., search & replace in a file)
- create a new branch in the repository
- commit the new version of the version file (e.g., Gemfile.lock) to the new branch
- create a merge request to merge the modified version into the original branch
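As an added illustration of the "parse the solution" and "map it to a search & replace" steps above (example code, not GitLab's own, and only for Gemfile.lock): the shape of the solution string, the regex and the sample lockfile are all constructed assumptions for this sketch.

```ruby
# Added example, not GitLab's own code: steps 2 and 3 of the procedure
# (parse the solution, map it to a search & replace in Gemfile.lock).

# Assumed (constructed) shape of a solution string,
# e.g. "Upgrade rack to version 1.6.11".
SOLUTION_RE = /\A(?:upgrade|update)\s+(?<gem>[\w.-]+)\s+to\s+(?:version\s+)?(?<version>\d+(?:\.\d+)+)\z/i

# Constructed sample lockfile; rack-test and the nested "rack (>= 1.0)"
# constraint are there to show what must NOT be rewritten.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.4)
      rack-test (0.6.3)
        rack (>= 1.0)
  PLATFORMS
    ruby
  DEPENDENCIES
    rack
    rack-test
LOCK

# Step 2: extract the action. Returns nil when the text does not match,
# which is one way to treat the vulnerability as not eligible for remediation.
def parse_solution(text)
  m = SOLUTION_RE.match(text.strip)
  m && { gem: m[:gem], version: m[:version] }
end

# Step 3: rewrite the "name (version)" spec line under GEM/specs. The anchor is
# the exact name at 4-space indentation, so a gem whose name is a prefix of
# another (rack vs rack-test) and the 6-space dependency constraints are
# left untouched. Returns nil when the gem is not in the lockfile.
def remediate_lockfile(lockfile, action)
  pattern = /^(    #{Regexp.escape(action[:gem])}) \(([^)]+)\)$/
  return nil unless lockfile.match?(pattern)
  lockfile.sub(pattern, "\\1 (#{action[:version]})")
end

# Steps 2 + 3 together: the file content to commit on the new branch, or nil
# when the solution is unparseable or does not apply to this lockfile.
def remediated_content(solution, lockfile)
  action = parse_solution(solution)
  action && remediate_lockfile(lockfile, action)
end

puts remediated_content("Upgrade rack to version 1.6.11", SAMPLE_LOCKFILE) if __FILE__ == $PROGRAM_NAME
```

The branch, commit and merge request steps are deliberately left out; they depend on the repository API chosen in the open questions below.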
What we need to figure out:
- Which package manager we want to address first
- How to understand if a vulnerability is eligible for remediation (metadata?)
- How to parse the solution to extract the actions (regex? tokens?)
- How to create the modified files (running a tool requires a runtime environment, but could be more maintainable)
- How to interact with the repository (create branch, commit new code, create a MR)