
Air-gapped (offline) support for bundler-audit analyzer (Dependency Scanning)

Problem to solve

Our bundler-audit analyzer currently requires internet connectivity when run with its default configuration, because it refreshes the advisory database before scanning. We should support offline execution and provide clear documentation on how to configure the analyzer for air-gapped installations.

Intended users

Further details

Proposal

The gem already vendors a clone of rubysec/ruby-advisory-db (see bundler-audit.gemspec), so an offline scan only needs to skip the database update step. We have to change analyze.go so that it can drop the --update option; see the README and the update! function in the CLI. Caveat: the vendored copy is only as current as the installed gem release, so an offline scan will miss advisories published after that release, and the documentation should say so.

Implementation plan

Backend

  1. Update the bundler-audit analyzer so that a BUNDLER_AUDIT_NO_UPDATE environment variable (name to be defined; a CLI flag is an alternative) toggles whether the --update flag is passed to the bundler-audit CLI.
  2. Update the vendored Dependency-Scanning.gitlab-ci.yml template so the job passes this variable down to the analyzer.
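
An added example, not the analyzer's own code, of how analyze.go could build the CLI invocation from the toggle. The environment variable name BUNDLER_AUDIT_NO_UPDATE is taken from the proposal above and is still an assumption, and the truthy-value parsing is a choice made here, not something the analyzer specifies:

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// noUpdateEnv is the variable name proposed in the issue; the final name
// was still "to be defined" when this example was written (assumption).
const noUpdateEnv = "BUNDLER_AUDIT_NO_UPDATE"

// truthy reports whether an environment value should be treated as enabled.
// Accepts the usual CI conventions (1/true/yes/on, case-insensitive) plus
// anything strconv.ParseBool understands. Empty or unset means disabled.
func truthy(v string) bool {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "1", "true", "yes", "on":
		return true
	}
	if b, err := strconv.ParseBool(strings.TrimSpace(v)); err == nil {
		return b
	}
	return false
}

// bundlerAuditArgs builds the argument list for `bundle-audit check`.
// When noUpdate is true the --update flag is omitted, so the CLI scans
// against the advisory database already present locally (the copy vendored
// in the gem) instead of fetching rubysec/ruby-advisory-db over the network.
func bundlerAuditArgs(noUpdate bool) []string {
	args := []string{"check"}
	if !noUpdate {
		args = append(args, "--update")
	}
	return args
}

// argsFromEnv reads the toggle through a getenv function so the lookup can
// be exercised without touching the real process environment.
func argsFromEnv(getenv func(string) string) []string {
	return bundlerAuditArgs(truthy(getenv(noUpdateEnv)))
}

func main() {
	cmd := append([]string{"bundle-audit"}, argsFromEnv(os.Getenv)...)
	fmt.Println(strings.Join(cmd, " "))
}
```

Running the program with BUNDLER_AUDIT_NO_UPDATE=true prints `bundle-audit check`, while an unset or false value prints `bundle-audit check --update`, which is the existing online behaviour.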

Product Management - @NicoleSchwartz

  • NO Release Post - epic must first be complete

Permissions and Security

Documentation

Testing

TODO: if not already done, define a proper way to test the air-gapped environment, share it in the parent epic &1359 (closed) and try to reuse it across all similar issues as much as possible.

What does success look like, and how can we measure that?

Bundler-Audit analyzer is able to scan a project in an air-gapped environment.

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Igor Frenkel