Make test projects more deterministic by pinning the gemnasium-db vulnerability database
Problem to solve
The QA pipelines of some of our test projects often fail because the vulnerability database has been updated and now reports new vulnerabilities for those projects.
Intended users
devopssecure team members
Further details
Proposal
For analysis types that rely on an external database (meaning: one maintained independently from the tool itself), we should find a way to pin this database to a given version, so that the regular addition of new vulnerabilities no longer breaks the test expectations.
This also means we need to introduce an update process to periodically bump that DB to a more recent version (monthly, bi-monthly, quarterly?).
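One way the pin could look in a test project's CI configuration, as an added example that is not part of this issue: it assumes the gemnasium analyzer honours the GEMNASIUM_DB_REMOTE_URL and GEMNASIUM_DB_REF_NAME variables documented for later analyzer versions, and the ref name is a placeholder for whatever pin the team agrees on.

```yaml
# .gitlab-ci.yml of a test project (added example, not from this issue).
# Assumption: the analyzer honours GEMNASIUM_DB_REMOTE_URL / GEMNASIUM_DB_REF_NAME.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # Without a ref the analyzer follows the tip of gemnasium-db, so an advisory
  # published between two runs silently changes the expected report.
  # Pinning a ref makes every run resolve the same database state; bumping the
  # DB becomes an explicit change to this one line, reviewed together with the
  # updated expectation files on the agreed cadence (monthly, quarterly, ...).
  GEMNASIUM_DB_REMOTE_URL: "https://gitlab.com/gitlab-org/security-products/gemnasium-db.git"
  GEMNASIUM_DB_REF_NAME: "pinned-2019-10"   # placeholder ref name, not a real pin
```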
Permissions and Security
Documentation
- Document the pinning and update process in the test/common guidelines: https://gitlab.com/gitlab-org/security-products/tests/common
Testing
What does success look like, and how can we measure that?
Testing should be more stable, with a less frequent need to update product or analyzer expectations.
Links / references
Edited by Can Eldem