Automatic reporting of security vulnerabilities
References: gitlab-org/distribution/team-tasks#1 (closed)
Initially the job is allowed to fail; 27 vulnerabilities are currently found.
A sample run: https://gitlab.com/gitlab-org/omnibus-gitlab/-/jobs/58958502
How this works:
- A script is added that reads the `version-manifest.json` file in the `scan-dependencies` stage
- The script iterates over all dependencies and makes an API call to the CIRCL cve-search API
- Responses are parsed and formatted using `jq`
- All vulnerabilities that are found are printed to stdout
- `vulnerabilities_count > 0 ? exit 1 : exit 0`
Limitations: some dependencies are pulled via a git commit hash rather than a semver release. These cannot be checked by this method, so the script reports them as safe, which is not necessarily true. They are:
- package-scripts
- config_guess
- rb-readline
- omnibus-ctl
- registry
- logrotate
- consul
- node-exporter
- redis-exporter
- postgres-exporter
- anything that is named `gitlab-*`
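The following is an added example of the check described under "How this works" and "Limitations"; it is not the omnibus-gitlab script from this MR. It assumes the omnibus `version-manifest.json` layout (`"software"` -> name -> `locked_version` / `source_type`), that the CIRCL cve-search API is reachable at `https://cve.circl.lu/api/search/<vendor>/<product>`, and, as a simplification, that vendor equals product for the lookup and that a CVE applies when a `vulnerable_configuration` CPE names the locked version exactly (real CPE matching also uses version ranges). Unlike the behaviour noted in the limitations, dependencies pinned to a git commit hash or named `gitlab-*` are reported as unchecked instead of being silently treated as safe, and the `min_cvss` and `ignore` parameters sketch the CVSS threshold and CVE ignore list from the next steps. The manifest, API responses and CVE ids below are constructed placeholders.

```python
"""Dependency CVE check against a cve-search style API (added example, not the
omnibus-gitlab script). Assumes the omnibus version-manifest.json layout and the
CIRCL cve-search /api/search/<vendor>/<product> endpoint."""
import json
import re
import sys
import urllib.request
from typing import Callable, Dict, List

CVE_SEARCH = "https://cve.circl.lu/api/search"  # assumption: cve-search base URL
GIT_SHA = re.compile(r"^[0-9a-f]{7,40}$")        # locked_version that is a commit hash

# Constructed manifest (not a real build) in the omnibus version-manifest.json shape.
SAMPLE_MANIFEST = json.dumps({
    "manifest_format": 1,
    "software": {
        "openssl": {"locked_version": "1.0.2n", "source_type": "url"},
        "zlib":    {"locked_version": "1.2.11", "source_type": "url"},
        "consul":  {"locked_version": "0123456789abcdef0123456789abcdef01234567",
                    "source_type": "git"},
    },
})

# Constructed cve-search style responses keyed by "vendor/product"; the CVE ids
# are placeholders, not real advisories.
SAMPLE_API: Dict[str, List[dict]] = {
    "openssl/openssl": [
        {"id": "CVE-0000-0001", "cvss": 7.5, "summary": "constructed entry",
         "vulnerable_configuration": ["cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*"]},
        {"id": "CVE-0000-0002", "cvss": 5.0, "summary": "constructed, other version",
         "vulnerable_configuration": ["cpe:/a:openssl:openssl:1.1.0"]},
    ],
    "zlib/zlib": [],
}


def cpe_version(cpe: str) -> str:
    """Return the version field of a CPE 2.3 ("cpe:2.3:a:v:p:ver:...") or
    CPE 2.2 ("cpe:/a:v:p:ver") string, or "" if it cannot be parsed."""
    parts = cpe.split(":")
    if cpe.startswith("cpe:2.3:") and len(parts) > 5:
        return parts[5]
    if cpe.startswith("cpe:/") and len(parts) > 4:
        return parts[4]
    return ""


def live_fetch(path: str) -> List[dict]:
    """Query the cve-search API for 'vendor/product' and return its JSON list."""
    with urllib.request.urlopen(f"{CVE_SEARCH}/{path}", timeout=30) as resp:
        return json.load(resp)


def matching_cves(version: str, entries: List[dict], min_cvss: float, ignore) -> List[dict]:
    """Keep entries whose vulnerable_configuration names exactly this version,
    dropping ignored ids and anything below the CVSS threshold."""
    hits = []
    for e in entries:
        if e.get("id") in ignore or float(e.get("cvss") or 0) < min_cvss:
            continue
        if version in {cpe_version(c) for c in e.get("vulnerable_configuration", [])}:
            hits.append(e)
    return hits


def scan(manifest_text: str, fetch: Callable[[str], List[dict]] = live_fetch,
         min_cvss: float = 0.0, ignore=frozenset()) -> dict:
    """Scan every dependency in the manifest; return found CVEs and unchecked deps."""
    software = json.loads(manifest_text)["software"]
    vulns, unchecked = [], []
    for name, info in sorted(software.items()):
        version = str(info.get("locked_version", ""))
        # Git-pinned and gitlab-* components have no release version to match a CPE against,
        # so they are reported as unchecked rather than assumed safe.
        if info.get("source_type") == "git" or GIT_SHA.match(version) or name.startswith("gitlab-"):
            unchecked.append(name)
            continue
        for cve in matching_cves(version, fetch(f"{name}/{name}"), min_cvss, ignore):
            vulns.append({"dependency": name, "version": version, "id": cve["id"],
                          "cvss": cve.get("cvss"), "summary": cve.get("summary")})
    return {"vulnerabilities": vulns, "unchecked": unchecked}


def exit_code(result: dict) -> int:
    """vulnerabilities_count > 0 ? 1 : 0, as in the job described above."""
    return 1 if result["vulnerabilities"] else 0


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "version-manifest.json"
    with open(path) as fh:
        report = scan(fh.read())
    for v in report["vulnerabilities"]:
        print(f"{v['dependency']} {v['version']}: {v['id']} (CVSS {v['cvss']}) {v['summary']}")
    print("unchecked (git-pinned or gitlab-*): " + ", ".join(report["unchecked"]))
    sys.exit(exit_code(report))
```

Run it as `python scan.py version-manifest.json` from a checkout; in CI the non-zero exit is what fails the job, and the "unchecked" line makes the git-pinned gap visible in the job log instead of hiding it. Passing a `fetch` callable keeps the API call out of unit tests and lets the scan run offline against recorded responses.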
Next steps:
- Fail the pipeline when any vulnerability is found (once the count is down to 0), or threshold on the CVSS score
- Allow specific CVEs to be ignored
- Send notifications to Slack
- Whitelist a vulnerability via a Slack bot