Air-gapped (offline) support for bundler-audit analyzer (Dependency Scanning)
Problem to solve
Our bundler-audit analyzer currently requires internet connectivity in its default configuration, because it refreshes the advisory database from the network on every run. We should support offline execution and provide clear documentation on how to configure the analyzer for air-gapped installations.
Intended users
Further details
Proposal
The bundler-audit gem already ships with a vendored clone of rubysec/ruby-advisory-db (see bundler-audit.gemspec). The network access comes from the --update option, which makes bundler-audit clone or pull ruby-advisory-db from GitHub before checking (see the README and the update! function). We have to change analyze.go so that the --update option can be omitted, in which case bundler-audit falls back to the database bundled with the gem. Caveat: that vendored copy is only as fresh as the gem release, so offline installations only receive new advisories when the analyzer image itself is updated.
Implementation plan
Backend
- Update the bundler-audit analyzer to read a BUNDLER_AUDIT_NO_UPDATE environment variable (name to be defined; a CLI flag would also work) and, when it is set, omit the --update flag from the bundler-audit command line so the vendored advisory database is used without a network fetch.
- Update the vendored template Dependency-Scanning.gitlab-ci.yml to pass this variable down from the job to the analyzer.
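The following is example code added here to illustrate the Backend step; it is not the analyzer's analyze.go. It assumes the variable is named BUNDLER_AUDIT_NO_UPDATE (still to be defined), that it takes a boolean value as accepted by strconv.ParseBool, and that the analyzer invokes the CLI as `bundle-audit check --update`; all three are assumptions. The point it shows is that an unparsable value should fail the job rather than silently fall back to the network-fetching default, which would otherwise hang or error later in an air-gapped job.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strconv"
)

// envNoUpdate is the variable proposed in this issue. The name is an
// assumption: it has not been defined in the analyzer yet.
const envNoUpdate = "BUNDLER_AUDIT_NO_UPDATE"

// parseNoUpdate interprets the variable's value. Unset or empty keeps
// today's behaviour (refresh ruby-advisory-db over the network). A value
// strconv.ParseBool rejects is an error, so a typo such as "ture" is
// reported instead of quietly re-enabling the network fetch.
func parseNoUpdate(value string) (bool, error) {
	if value == "" {
		return false, nil
	}
	return strconv.ParseBool(value)
}

// bundlerAuditArgs builds the argument list for the bundler-audit CLI.
// With noUpdate false, "--update" is appended so bundler-audit clones or
// pulls ruby-advisory-db from GitHub before checking. With noUpdate true
// the flag is omitted and bundler-audit uses the advisory database
// vendored inside the gem, which is what an air-gapped job needs.
// The exact invocation ("check" plus "--update") is an assumption.
func bundlerAuditArgs(noUpdate bool) []string {
	args := []string{"check"}
	if !noUpdate {
		args = append(args, "--update")
	}
	return args
}

func main() {
	noUpdate, err := parseNoUpdate(os.Getenv(envNoUpdate))
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", envNoUpdate, err)
		os.Exit(1)
	}
	args := bundlerAuditArgs(noUpdate)
	if noUpdate {
		fmt.Println("offline mode: using the advisory database vendored with the gem")
	}
	cmd := exec.Command("bundle-audit", args...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		fmt.Fprintf(os.Stderr, "bundle-audit %v failed: %v\n", args, err)
		os.Exit(1)
	}
}
```

Run it with `BUNDLER_AUDIT_NO_UPDATE=true` in a container that has no network route to confirm the CLI no longer attempts to reach GitHub; with the variable unset it behaves exactly as the analyzer does today.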
Product Management
- @NicoleSchwartz
- No release post: the epic must first be complete.
Permissions and Security
Documentation
- Add this new option to https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables. It might be worth splitting out analyzer-specific variables as we have done for SAST: https://docs.gitlab.com/ee/user/application_security/sast/index.html#analyzer-settings
- Make air-gapped support, and how to set it up, explicit in the Dependency Scanning documentation: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html
Testing
TODO: if not already done, define a proper way to test the air-gapped environment (for example, running the analyzer job in a container with networking disabled and asserting that the scan completes without attempting to reach GitHub), share it in the parent epic &1359 (closed), and reuse it across all similar issues as much as possible.
What does success look like, and how can we measure that?
The bundler-audit analyzer is able to scan a project in an air-gapped environment, with no network access, using the advisory database vendored with the gem.
What is the type of buyer?
Links / references
Edited by Igor Frenkel