Back-port Gemnasium 2.x to GitLab 11.6
Summary
In the context of #14630 (closed), it's necessary to back-port Gemnasium 2.x to GitLab 11.6.
See #33321 (closed) for back-porting Gemnasium 2 to older version of Dependency Scanning, from 10.7 up to 11.5.
Further details
Dependency Scanning (DS) 11.6 is a Go project that generates a v1 report, which is a list of vulnerabilities (JSON array). It uses v1 Docker images, like gemnasium:1 or bundler-audit:1. The easiest way to back-port is to make DS 11.6 use version 2 of the common library, and convert the generated reports to the v1 format.
The job definition is similar to the one used in GitLab 11.5, except for the introduction of artifact reports. See the GitLab 11.6 documentation.
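The conversion step described above, as an added example written in Python for this page (not the Go project's own code): a v2 report object is flattened into the bare JSON array that the v1 consumer expects, and a shape check confirms the result is an array before it is handed to the widget. The v2 field names and the v1 field mapping are assumptions of this example, and the sample report is constructed.

```python
import json

# Constructed sample of a v2 report (field names inside a finding are assumed
# for this example; the identifier is a placeholder, not a real CVE).
V2_REPORT = """{
  "version": "2.0",
  "vulnerabilities": [{
    "message": "Prototype pollution in example-pkg",
    "cve": "example-pkg:1.0.0:CVE-PLACEHOLDER",
    "severity": "High",
    "solution": "Upgrade example-pkg to 1.0.1",
    "scanner": {"id": "gemnasium"},
    "location": {"file": "package-lock.json"},
    "links": [{"url": "https://advisories.example.invalid/PLACEHOLDER"}]
  }]
}"""


def v2_to_v1(v2_json: str) -> list:
    """Convert a v2 report object into the v1 shape: a bare list of findings."""
    report = json.loads(v2_json)
    if not isinstance(report, dict) or "vulnerabilities" not in report:
        raise ValueError("not a v2 report: expected an object with 'vulnerabilities'")
    findings = []
    for v in report["vulnerabilities"]:
        links = v.get("links") or []
        findings.append({
            "tool": v.get("scanner", {}).get("id", ""),
            "message": v["message"],
            "cve": v["cve"],
            "priority": v.get("severity", "Unknown"),
            "file": v.get("location", {}).get("file", ""),
            "url": links[0].get("url", "") if links else "",
            "solution": v.get("solution", ""),
        })
    return findings


def v2_to_v1_text(v2_json: str) -> str:
    """Serialise the converted findings as the v1 consumer reads them."""
    return json.dumps(v2_to_v1(v2_json), indent=2)


def is_v1_report(text: str) -> bool:
    """Shape check for the 11.6 consumer: the top-level JSON value must be an array."""
    try:
        return isinstance(json.loads(text), list)
    except ValueError:
        return False
```

Running is_v1_report over the converted text is the cheap guard against the "broken Security widgets" risk listed below: a v2 object passed through unchanged fails the check, the converted array passes.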
Implementation plan
- create QA branches dep-scan-11-6-stable in all supported test projects
- make v2 of common/orchestrator capable of generating a v1 report, release new v2 version
- make dependency-scanning use common/v2 (and thus v2 Docker images) to generate v1 report
- update the CI config
- make it build, test, and tag the image
- trigger the pipeline of the test projects, using the dep-scan-11-6-stable branches
- generate dependency-scanning:11-6-stable
Improvements
- Users benefit from the latest vulnerabilities published on gemnasium-db.
- The Gemnasium Server can be shut off.
- There's a single source of truth: gemnasium-db.
Testing
To run QA for Dependency Scanning (DS) 11.6, simply trigger a pipeline for the dep-scan-11-6-stable branch. To run non-regression tests, run the same pipeline and set DS_VERSION to the tag of the dependency-scanning Docker image to be tested.
Risks
- Broken CI dependency_scanning jobs on all versions of GitLab.
- Broken Security widgets because the output format has changed.
Involved components
https://gitlab.com/gitlab-org/security-products/dependency-scanning/
Optional: Intended side effects
- GitLab 11.6 supports projects not previously supported, resulting in a behavior change.
- v1 Docker images like gemnasium:1 can be dropped.
Optional: Missing test coverage
Ideally this should be tested with GitLab 11.6 (full E2E integration tests) but the plan is to only check the generated reports.