Support air-gapped (offline) Dependency Scanning for JavaScript (npm, yarn) through retire.js analyzer

Problem to solve

Some users need to run our security scans in limited-connectivity environments. With its standard configuration, our retire.js analyzer currently requires internet connectivity to run. We should aim to support offline execution and provide clear documentation on how to configure it for such installations.

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Devon (DevOps Engineer)

Further details

Proposal

We have to change analyze.go so that it sets --js-advisory-db and --node-advisory-db to the local paths of the "repositories" (the Retire.js advisory data files). See the option definition and repository loading in retire.js.

Implementation Plan

Backend

  • add analyzer variables RETIREJS_NODE_ADVISORY_DB and RETIREJS_JS_ADVISORY_DB to dependency scanning template
    • !26463 (merged)
  • update analyzer to pass these vars to retirejs if present at runtime
    • gitlab-org/security-products/analyzers/retire.js!28 (merged)
  • document these variables and how to use them (note both vars are necessary to ensure retirejs doesn't make remote calls)
    • !25883 (merged)
  • add test to js-yarn project to demonstrate usage of new RETIREJS_NODE_ADVISORY_DB and RETIREJS_JS_ADVISORY_DB variables
    • gitlab-org/security-products/tests/js-yarn!34 (merged)

Permissions and Security

Documentation

  • Make it explicit in the dependency scanning documentation https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html that air-gapped scanning is supported and how to set it up. This is outside the scope of this issue: documentation will be handled in the separate issue "Document air-gapped (offline) Dependency Scanning for on-prem instances".

Testing

TODO: if not already done, define a proper way to test the air-gapped environment, share it in the parent epic &1359 (closed) and reuse it across all similar issues as much as possible. This is outside the scope of this issue: air-gap testing for dependency scanning will be described as part of "Document air-gapped (offline) Dependency Scanning for on-prem instances".

In order to test only the retire.js scanner in an air-gapped environment, follow these steps:

  1. Pull the latest version of the GitLab retire.js analyzer
    docker pull registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
  2. Change to the directory of the js project you want to scan
  3. Download the following Retire.js vulnerability data files to the root of your js project:
    • jsrepository.json
    • npmrepository.json
  4. Run yarn or npm i on your project to populate the node_modules directory in your js project
  5. Unplug your internet connection
  6. Run the analyzer and reference the above files:
    docker run \
      -e RETIREJS_JS_ADVISORY_DB="jsrepository.json" \
      -e RETIREJS_NODE_ADVISORY_DB="npmrepository.json" \
      -e CI_PROJECT_DIR="/code" \
      --volume "$PWD:/code" \
      --volume /var/run/docker.sock:/var/run/docker.sock \
      registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
  7. A gl-dependency-scanning-report.json file should be produced in the project directory
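As an added pre-flight check for the steps above (example code, not part of this issue or of the analyzer), the following script verifies that both advisory files are present and well-formed in the project root before the connection is cut, because the analyzer only stays offline when both variables point at usable files. It assumes the repository files are JSON objects keyed by library name, each carrying a "vulnerabilities" list; the sample content is constructed.

```python
import json
from pathlib import Path

# The analyzer reads these two variables; retire.js needs BOTH to avoid fetching
# the advisory data from the network (see the implementation plan above).
ADVISORY_DBS = {
    "RETIREJS_JS_ADVISORY_DB": "jsrepository.json",
    "RETIREJS_NODE_ADVISORY_DB": "npmrepository.json",
}

# Constructed sample in the shape of a retire.js repository file (assumed format:
# an object keyed by library name, each with a "vulnerabilities" list).
SAMPLE_DB_TEXT = json.dumps({
    "example-lib": {
        "vulnerabilities": [
            {"below": "1.2.3", "severity": "high", "identifiers": {"summary": "constructed"}},
            {"atOrAbove": "2.0.0", "below": "2.0.5", "severity": "low",
             "identifiers": {"summary": "constructed"}},
        ]
    }
})


def inspect_db(text):
    """Parse one advisory file; return {"libraries": n, "advisories": m} or an error string."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return f"not valid JSON ({exc.msg})"
    if not isinstance(data, dict) or not data:
        return "expected a non-empty object keyed by library name"
    advisories = sum(len(v.get("vulnerabilities", []))
                     for v in data.values() if isinstance(v, dict))
    if advisories == 0:
        return "contains no advisories; an offline scan would report nothing"
    return {"libraries": len(data), "advisories": advisories}


def preflight(project_dir):
    """Check both files in the project root (the directory mounted as CI_PROJECT_DIR).
    Returns (ok, env, problems); env holds the -e values to pass to docker run."""
    env, problems = {}, []
    for var, name in ADVISORY_DBS.items():
        path = Path(project_dir) / name
        if not path.is_file():
            problems.append(f"{name} missing: retire.js would try to download it ({var} unset)")
            continue
        result = inspect_db(path.read_text(encoding="utf-8"))
        if isinstance(result, str):
            problems.append(f"{name}: {result}")
            continue
        env[var] = name  # relative path, resolved against CI_PROJECT_DIR=/code in the container
    return (not problems, env, problems)
```

Run preflight(".") from the project root after step 4; only proceed to steps 5 and 6 when it reports ok with no problems.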

What does success look like, and how can we measure that?

Retire.js analyzer is able to scan a project in an air-gapped environment.

What is the type of buyer?

GitLab Ultimate

Links / references

Action Items

Product

  • We will not include a release post until the Epic is complete.

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited Apr 21, 2023 by 🤖 GitLab Bot 🤖