
Automatic reporting of security vulnerabilities

Ahmad Hassan requested to merge automated-security-reporting into master

References: gitlab-org/distribution/team-tasks#1 (closed)

Initially this is allowed to fail; 27 vulnerabilities are currently found.

A sample run: https://gitlab.com/gitlab-org/omnibus-gitlab/-/jobs/58958502

How this works:

  1. A script is added that reads the version-manifest.json file in the scan-dependencies stage
  2. The script iterates over all dependencies and makes an API call to the CIRCL cve-search API
  3. Parses and formats responses using jq
  4. Prints to stdout all vulnerabilities that are found
  5. vulnerabilities_count > 0 ? exit 1 : exit 0

Limitations: Some of the dependencies are pulled via a git commit hash (not semver). These are uncheckable via this method, so this method will report these dependencies as safe, which isn't necessarily true. These are:

  • package-scripts
  • config_guess
  • rb-readline
  • omnibus-ctl
  • registry
  • logrotate
  • consul
  • node-exporter
  • redis-exporter
  • postgres-exporter
  • anything that is named gitlab-*

Next steps:

  1. The pipeline should fail in case of any vulnerability found (after getting them to 0) or probably threshold the CVSS
  2. Ignore some CVEs
  3. Send notifications to Slack
  4. Whitelist a vulnerability via a Slack bot

cc: @gitlab-org/distribution

Edited by 🤖 GitLab Bot 🤖
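The flow described under "How this works", as an added example in Python rather than the MR's jq-based script (this is not the project's code): read the manifest, query cve-search once per dependency, print findings and return the exit code, with an optional CVSS threshold from the "next steps" list and git-hash-pinned dependencies reported as skipped instead of silently treated as safe. The manifest shape (`software` / `locked_version`), the cve-search `/api/cvefor/<cpe>` response shape and the vendor==product CPE construction are assumptions; the fetcher is replaced by constructed offline data.

```python
"""Dependency CVE check modelled on the MR's scan-dependencies step (added example)."""
import json
import re

# Constructed sample in the assumed shape of omnibus' version-manifest.json.
SAMPLE_MANIFEST = json.dumps({
    "software": {
        "openssl": {"locked_version": "1.0.1f"},
        "zlib": {"locked_version": "1.2.11"},
        # Pinned to a git commit hash: not checkable, so it must be reported as skipped.
        "omnibus-ctl": {"locked_version": "3ffdb1f2a2c3f4e5d6a7b8c9d0e1f2a3b4c5d6e7"},
    }
})

# Constructed stand-in for CIRCL cve-search /api/cvefor/<cpe> responses (assumed shape).
SAMPLE_RESPONSES = {
    "cpe:2.3:a:openssl:openssl:1.0.1f": [
        {"id": "CVE-EXAMPLE-0001", "cvss": 7.5, "summary": "constructed placeholder"},
        {"id": "CVE-EXAMPLE-0002", "cvss": 4.3, "summary": "constructed placeholder"},
    ],
    "cpe:2.3:a:zlib:zlib:1.2.11": [],
}

GIT_SHA = re.compile(r"^[0-9a-f]{40}$")

def is_semver_like(version):
    """Dotted numeric versions are checkable; a 40-hex git commit hash is not."""
    return not GIT_SHA.match(version) and re.match(r"^\d+(\.\d+)*", version) is not None

def scan_manifest(manifest_text, fetch_cves, min_cvss=0.0):
    """Return (findings, skipped); findings are (name, version, cve_id, cvss) tuples."""
    software = json.loads(manifest_text)["software"]
    findings, skipped = [], []
    for name, meta in software.items():
        version = meta.get("locked_version", "")
        if not is_semver_like(version):
            skipped.append(name)  # never report a git-hash pin as "safe"
            continue
        cpe = f"cpe:2.3:a:{name}:{name}:{version}"  # vendor==product is a simplification
        for cve in fetch_cves(cpe):
            cvss = float(cve.get("cvss") or 0)
            if cvss >= min_cvss:
                findings.append((name, version, cve["id"], cvss))
    return findings, skipped

def exit_code(findings):
    """vulnerabilities_count > 0 ? exit 1 : exit 0, as in the MR."""
    return 1 if findings else 0

def offline_fetch(cpe):
    return SAMPLE_RESPONSES.get(cpe, [])

if __name__ == "__main__":
    found, skipped = scan_manifest(SAMPLE_MANIFEST, offline_fetch)
    for name, version, cve_id, cvss in found:
        print(f"{name} {version}: {cve_id} (CVSS {cvss})")
    print("skipped (git-hash pinned):", ", ".join(skipped))
    raise SystemExit(exit_code(found))
```

Swapping `offline_fetch` for a function that GETs `https://cve.circl.lu/api/cvefor/<cpe>` gives the live check; the skipped list is what the MR's limitations section calls out.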
