Support air-gapped (offline) Dependency Scanning for JavaScript (npm, yarn) through retire.js analyzer
Problem to solve
Some users need to run our security scans in limited connectivity environments. Currently our retire.js analyzer requires internet connectivity to run using standard configuration. We should aim to support offline execution and provide clear documentation on how to configure it for such installations.
Intended users
Further details
Proposal
We have to change analyze.go and set --js-advisory-db and --node-advisory-db to the local paths of the "repositories". See option definition and repository loading.
Implementation Plan
Backend
- add analyzer variables RETIREJS_NODE_ADVISORY_DB and RETIREJS_JS_ADVISORY_DB to the dependency scanning template
- update analyzer to pass these vars to retirejs if present at runtime
- document these variables and how to use them (note both vars are necessary to ensure retirejs doesn't make remote calls)
- add test to js-yarn project to demonstrate usage of the new RETIREJS_NODE_ADVISORY_DB and RETIREJS_JS_ADVISORY_DB variables
Permissions and Security
Documentation
- Make it explicit in the dependency scanning documentation https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html about air-gapped support and how to set it up. Outside of the scope of this issue: documentation to be handled in a separate issue, "Document air-gapped (offline) Dependency Scanning for on-prem instances".
Testing
TODO: if not already done, define a proper way to test the air-gapped environment, share it in the parent epic &1359 (closed) and try to reuse it across all similar issues as much as possible. Outside of the scope of this issue: air-gap testing for dependency scanning will be described as part of "Document air-gapped (offline) Dependency Scanning for on-prem instances".
In order to test only the retire.js scanner in an air-gapped environment, follow these steps:
- Pull the latest version of the GitLab retire.js analyzer:
  docker pull registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
- Change to the directory of the js project you want to scan
- Download the following Retire.js vulnerability data files to the root of your js project (the run command below references them as jsrepository.json and npmrepository.json):
- Run yarn or npm i on your project to populate the node_modules directory in your js project
- Unplug your internet connection
- Run the analyzer and reference the above files:
  docker run \
    -e RETIREJS_JS_ADVISORY_DB="jsrepository.json" \
    -e RETIREJS_NODE_ADVISORY_DB="npmrepository.json" \
    -e CI_PROJECT_DIR="/code" \
    --volume "$PWD:/code" \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
- A gl-dependency-scanning-report.json file should be produced
What does success look like, and how can we measure that?
The Retire.js analyzer is able to scan a project in an air-gapped environment.
What is the type of buyer?
Links / references
Action Items
Product
- We will not include a release post until the Epic is complete.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.