Commit f85a6fa4 authored by Fabien Catteau's avatar Fabien Catteau

Add DS_EXCLUDED_PATHS option

parent 12d976b4
......@@ -15,7 +15,7 @@ stages:
- deploy
.go:
image: golang:1.11.3
image: golang:1.11.5
stage: go
variables:
GO111MODULE: "on"
......
# GitLab Dependency Scanning changelog
## v2.2.0
- Add `DS_EXCLUDED_PATHS` option to exclude paths from report.
## v2.1.3
- Fix unstable vulnerabilities ordering
......
......@@ -52,6 +52,15 @@ Read more about [customizing analyzers](./docs/analyzers.md#custom-analyzers).
| DS_DISABLE_REMOTE_CHECKS | Do not send any data to GitLab (Used in the dependency version checker, see below) |
| DEP_SCAN_DISABLE_REMOTE_CHECKS | Deprecated. Renamed to `DS_DISABLE_REMOTE_CHECKS ` |
### Vulnerability filters
| Environment variable | Default | Function |
|-----------------------|-----------|----------|
| DS_EXCLUDED_PATHS | | Exclude vulnerabilities from output based on the paths. |
`DS_EXCLUDED_PATHS` is a comma-separated list of patterns.
Patterns can be globs, file or folder paths. Parent directories will also match patterns.
### Timeouts
| Environment variable | Function |
......
......@@ -4,8 +4,9 @@ github.com/bbrks/wrap v2.3.0+incompatible h1:9ebLuiUC/fBSu6OeOdD6XG8WRjf3G+wSJO1
github.com/bbrks/wrap v2.3.0+incompatible/go.mod h1:rc//8Fguf02+4sm0fBMyG1TrAaEhe6VTYM35MY10oO4=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/docker/distribution v2.7.0-rc.0.0.20181002220433-1cb4180b1a5b+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/distribution v2.7.0+incompatible h1:neUDAlf3wX6Ml4HdqTrbcOHXtfRN0TFIwt6YFL7N9RU=
github.com/docker/distribution v2.7.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v0.7.3-0.20181024032540-785fe99bdb7c h1:/FCO5gfXuQbf+e8uHolv1vEFYSe0KcKPqLuOxhP32gY=
github.com/docker/docker v0.7.3-0.20181024032540-785fe99bdb7c h1:dUYleQVLN8tIu4DaDT22I4F38Dti/bmEtY6ceXaVcQ0=
github.com/docker/docker v0.7.3-0.20181024032540-785fe99bdb7c/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
......@@ -25,18 +26,20 @@ github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
gitlab.com/gitlab-org/security-products/analyzers/bundler-audit/v2 v2.0.0 h1:e67JlaTbZIRFtOgKCKv7xzmX29zSWukszDfOVL1r798=
gitlab.com/gitlab-org/security-products/analyzers/bundler-audit/v2 v2.0.0/go.mod h1:riRNj89SvGh+yRwJRF6X5RN0MEugFWxGSCYnYVDO1X0=
gitlab.com/gitlab-org/security-products/analyzers/common/orchestrator/v2 v2.0.0-20190130152733-9f0ad391d73c h1:1A+6eeFHoeD6r6mSuseGkGmmqgwDDIj6hRVSPDXxmdM=
gitlab.com/gitlab-org/security-products/analyzers/common/orchestrator/v2 v2.0.0-20190130152733-9f0ad391d73c/go.mod h1:bZOYlVG19cY5bARMOQXo9Vz3Yb6Amv2J1IqxH0+8CiU=
gitlab.com/gitlab-org/security-products/analyzers/common/table/v2 v2.0.0-20190130152733-9f0ad391d73c h1:5SXA//6Q0DZbAE8AvVegJVYGLBMiYaXM9FechB1pfMk=
gitlab.com/gitlab-org/security-products/analyzers/common/table/v2 v2.0.0-20190130152733-9f0ad391d73c/go.mod h1:GLZoQECSPhmrplEqt6QsNBD0xZSORk6ifKOAFT6AHXs=
gitlab.com/gitlab-org/security-products/analyzers/common/orchestrator/v2 v2.3.0-0.20190503000000-a0bcd4b7c5b9c53fac77dd5a49cd2f9b15a7670d h1:4A8uhCMNR7vuGP9Y8jjzzABmILqFhfuuJDfb1+T7+Uo=
gitlab.com/gitlab-org/security-products/analyzers/common/orchestrator/v2 v2.3.0-0.20190503000000-a0bcd4b7c5b9c53fac77dd5a49cd2f9b15a7670d/go.mod h1:bZOYlVG19cY5bARMOQXo9Vz3Yb6Amv2J1IqxH0+8CiU=
gitlab.com/gitlab-org/security-products/analyzers/common/table/v2 v2.3.0-0.20190503000000-a0bcd4b7c5b9c53fac77dd5a49cd2f9b15a7670d h1:PLXE66VMoWZ9dLZDbxbRURNPWEigOQ7Rt0HZtkWXbkg=
gitlab.com/gitlab-org/security-products/analyzers/common/table/v2 v2.3.0-0.20190503000000-a0bcd4b7c5b9c53fac77dd5a49cd2f9b15a7670d/go.mod h1:GLZoQECSPhmrplEqt6QsNBD0xZSORk6ifKOAFT6AHXs=
gitlab.com/gitlab-org/security-products/analyzers/common/v2 v2.0.0/go.mod h1:k+W8TS8696BIs1hhnVGbJbAaAXjvUkVAixhxUOV+KVs=
gitlab.com/gitlab-org/security-products/analyzers/common/v2 v2.1.3 h1:OkoYaTkZj0ag1P8HsYHB1cHUBzo+FBHFmt/Lz6aNry8=
gitlab.com/gitlab-org/security-products/analyzers/common/v2 v2.1.3/go.mod h1:k+W8TS8696BIs1hhnVGbJbAaAXjvUkVAixhxUOV+KVs=
gitlab.com/gitlab-org/security-products/analyzers/common/v2 v2.3.0 h1:wf7T6DghGX2eSaPazCfuTzVFCULpp6D4Bc5vcu9AHxA=
gitlab.com/gitlab-org/security-products/analyzers/common/v2 v2.3.0/go.mod h1:k+W8TS8696BIs1hhnVGbJbAaAXjvUkVAixhxUOV+KVs=
gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/v2 v2.0.0 h1:IT9LvtaDv4+LHaA4NP0CCpSjKpqy2G8hplheK0153Mc=
gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/v2 v2.0.0/go.mod h1:uW/Z7McxFVRnbnRq8Qt44Nt9hGqIWWQqHGoZq8+W1JU=
gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/v2 v2.0.0 h1:d4QYwrljfeHd4zQxzzGzxtMLiqtHoNwEhw+rvDFB8To=
gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/v2 v2.0.0/go.mod h1:TK9G8k07bOlILoxER9EWsyJGjK2YVhBJ6rI+qx+1kgc=
gitlab.com/gitlab-org/security-products/analyzers/gemnasium/v2 v2.0.0 h1:zk4h/HFAD+Dwr4/xlLWtZQzktDxu8ewtvruUSc3d5Vg=
gitlab.com/gitlab-org/security-products/analyzers/gemnasium/v2 v2.0.0/go.mod h1:DsM5PH5y44QGDuYcZ7/ULClTOi0olf7+jip1yoKY84k=
gitlab.com/gitlab-org/security-products/analyzers/retire.js/v2 v2.0.0 h1:s5ZPnThgEa0QRvjD8bMSEVWloJh66+d9QggvLtaIzc8=
gitlab.com/gitlab-org/security-products/analyzers/retire.js/v2 v2.0.0/go.mod h1:jPSCkuOEDdgv1F4VtmiRbMQBxavDFQ/D9xQM9wjTi6c=
golang.org/x/net v0.0.0-20181207154023-610586996380 h1:zPQexyRtNYBc7bcHmehl1dH6TB3qn8zytv8cBGLDNY0=
golang.org/x/net v0.0.0-20181207154023-610586996380/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
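Review bot: The `github.com/docker/docker v0.7.3-0.20181024032540-785fe99bdb7c` module keeps the same version but its `h1:` checksum changes (the two docker/docker h1 lines), and neither the commit message nor the changelog says why. A checksum change for an unchanged module version is exactly what a go.sum diff exists to catch, so the new hash should be confirmed against an independent source (a clean `go mod download` on another machine or the module proxy) and the reason recorded in the commit message before this is merged. Separately, the new orchestrator and table requirements use the pseudo-version `v2.3.0-0.20190503000000-a0bcd4b7c5b9c53fac77dd5a49cd2f9b15a7670d`, whose all-zero time-of-day and 40-character revision look hand-written rather than generated by the go tool; newer Go toolchains validate pseudo-versions against the real commit (12-character revision, actual commit timestamp), so re-resolving the dependency with `go get` so that go.mod and go.sum carry the canonical form avoids a later build breakage.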
......
......@@ -11,6 +11,7 @@ expect="test/expect/gl-dependency-scanning-report.json"
export DS_DEFAULT_ANALYZERS=${DS_DEFAULT_ANALYZERS:-"bundler-audit,retire.js,gemnasium"}
export DS_ANALYZER_IMAGE_TAG=${DS_ANALYZER_IMAGE_TAG:-"2"}
export DS_EXCLUDED_PATHS="ignored,*-excluded"
# Project found, artifact generated (bind mount)
desc="Generate expected artifact (bind mount, pull images)"
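Review bot: `export DS_EXCLUDED_PATHS="ignored,*-excluded"` is the only unconditional export in this block; the two lines above it honour a caller-supplied value through `${VAR:-default}`. If the expected artifact depends on exactly these two patterns that is a sound reason to pin the value, but it deserves a comment, e.g. `# Pinned on purpose: test/expect/*.json assumes findings under ignored/ and *-excluded/ are dropped` (adjust to the real fixture layout); otherwise `export DS_EXCLUDED_PATHS=${DS_EXCLUDED_PATHS:-"ignored,*-excluded"}` keeps the block consistent. Because the exclusion silently drops findings, the comparison against the expected report is the only check that the patterns do not over-match, so pinning is the safer choice here. The double quotes keep the shell from expanding `*-excluded` against the working directory, which is correct.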
......
......@@ -330,6 +330,39 @@
}
]
},
{
"category": "dependency_scanning",
"message": "Nokogiri gem, via libxslt, is affected by improper access control vulnerability",
"cve": "sast-sample-rails/Gemfile.lock:nokogiri:cve:CVE-2019-11068",
"severity": "Unknown",
"solution": "upgrade to \u003e= 1.10.3",
"scanner": {
"id": "bundler_audit",
"name": "bundler-audit"
},
"location": {
"file": "sast-sample-rails/Gemfile.lock",
"dependency": {
"package": {
"name": "nokogiri"
},
"version": "1.8.1"
}
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-11068",
"value": "CVE-2019-11068",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068"
}
],
"links": [
{
"url": "https://github.com/sparklemotion/nokogiri/issues/1892"
}
]
},
{
"category": "dependency_scanning",
"message": "Possible XSS vulnerability in Rack",
......
......@@ -330,6 +330,39 @@
}
]
},
{
"category": "dependency_scanning",
"message": "Nokogiri gem, via libxslt, is affected by improper access control vulnerability",
"cve": "sast-sample-rails/Gemfile.lock:nokogiri:cve:CVE-2019-11068",
"severity": "Unknown",
"solution": "upgrade to \u003e= 1.10.3",
"scanner": {
"id": "bundler_audit",
"name": "bundler-audit"
},
"location": {
"file": "sast-sample-rails/Gemfile.lock",
"dependency": {
"package": {
"name": "nokogiri"
},
"version": "1.8.1"
}
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2019-11068",
"value": "CVE-2019-11068",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068"
}
],
"links": [
{
"url": "https://github.com/sparklemotion/nokogiri/issues/1892"
}
]
},
{
"category": "dependency_scanning",
"message": "Possible XSS vulnerability in Rack",
......
source 'https://rubygems.org'
git_source(:github) do |repo_name|
repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
"https://github.com/#{repo_name}.git"
end
# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
gem 'rails', '~> 5.0.5'
# Use sqlite3 as the database for Active Record
gem 'sqlite3'
# Use Puma as the app server
gem 'puma', '~> 3.0'
# Use SCSS for stylesheets
gem 'sass-rails', '~> 5.0'
# Use Uglifier as compressor for JavaScript assets
gem 'uglifier', '2.3.2'
# Use CoffeeScript for .coffee assets and views
gem 'coffee-rails', '~> 4.2'
# See https://github.com/rails/execjs#readme for more supported runtimes
# gem 'therubyracer', platforms: :ruby
# Use jquery as the JavaScript library
gem 'jquery-rails'
# Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
gem 'turbolinks', '~> 5'
# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
gem 'jbuilder', '~> 2.5'
# Use Redis adapter to run Action Cable in production
# gem 'redis', '~> 3.0'
# Use ActiveModel has_secure_password
# gem 'bcrypt', '~> 3.1.7'
# Use Capistrano for deployment
# gem 'capistrano-rails', group: :development
group :development, :test do
# Call 'byebug' anywhere in the code to stop execution and get a debugger console
gem 'byebug', platform: :mri
end
group :development do
# Access an IRB console on exception pages or by using <%= console %> anywhere in the code.
gem 'web-console', '>= 3.3.0'
gem 'listen', '~> 3.0.5'
# Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
gem 'spring'
gem 'spring-watcher-listen', '~> 2.0.0'
end
# Windows does not include zoneinfo files, so bundle the tzinfo-data gem
gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
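Review bot: The new Gemfile carries no indication of why it exists, and the page does not show its path. Given the commit's purpose, and that its lockfile pins the same nokogiri 1.8.1 the expected report lists for `sast-sample-rails/Gemfile.lock`, it appears to be a copy of the sample Rails project placed under a path matched by `DS_EXCLUDED_PATHS` so the test can verify that its findings are dropped; a header comment such as `# Copy of the sample Rails project, kept in a path excluded via DS_EXCLUDED_PATHS; its findings must not appear in test/expect/*.json` would protect it from an eventual fixture cleanup. If that is not the intent, the comment should state what the project is for instead. The Gemfile.lock that follows in this commit belongs with this file.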
GEM
remote: https://rubygems.org/
specs:
actioncable (5.0.6)
actionpack (= 5.0.6)
nio4r (>= 1.2, < 3.0)
websocket-driver (~> 0.6.1)
actionmailer (5.0.6)
actionpack (= 5.0.6)
actionview (= 5.0.6)
activejob (= 5.0.6)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
actionpack (5.0.6)
actionview (= 5.0.6)
activesupport (= 5.0.6)
rack (~> 2.0)
rack-test (~> 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
actionview (5.0.6)
activesupport (= 5.0.6)
builder (~> 3.1)
erubis (~> 2.7.0)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
activejob (5.0.6)
activesupport (= 5.0.6)
globalid (>= 0.3.6)
activemodel (5.0.6)
activesupport (= 5.0.6)
activerecord (5.0.6)
activemodel (= 5.0.6)
activesupport (= 5.0.6)
arel (~> 7.0)
activesupport (5.0.6)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (~> 0.7)
minitest (~> 5.1)
tzinfo (~> 1.1)
arel (7.1.4)
bindex (0.5.0)
builder (3.2.3)
byebug (9.1.0)
coffee-rails (4.2.2)
coffee-script (>= 2.2.0)
railties (>= 4.0.0)
coffee-script (2.4.1)
coffee-script-source
execjs
coffee-script-source (1.12.2)
concurrent-ruby (1.0.5)
crass (1.0.2)
erubis (2.7.0)
execjs (2.7.0)
ffi (1.9.18)
globalid (0.4.0)
activesupport (>= 4.2.0)
i18n (0.8.6)
jbuilder (2.7.0)
activesupport (>= 4.2.0)
multi_json (>= 1.2)
jquery-rails (4.3.1)
rails-dom-testing (>= 1, < 3)
railties (>= 4.2.0)
thor (>= 0.14, < 2.0)
json (2.1.0)
listen (3.0.8)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
loofah (2.1.1)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
mail (2.6.6)
mime-types (>= 1.16, < 4)
method_source (0.9.0)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_portile2 (2.3.0)
minitest (5.10.3)
multi_json (1.12.2)
nio4r (2.1.0)
nokogiri (1.8.1)
mini_portile2 (~> 2.3.0)
puma (3.10.0)
rack (2.0.3)
rack-test (0.6.3)
rack (>= 1.0)
rails (5.0.6)
actioncable (= 5.0.6)
actionmailer (= 5.0.6)
actionpack (= 5.0.6)
actionview (= 5.0.6)
activejob (= 5.0.6)
activemodel (= 5.0.6)
activerecord (= 5.0.6)
activesupport (= 5.0.6)
bundler (>= 1.3.0)
railties (= 5.0.6)
sprockets-rails (>= 2.0.0)
rails-dom-testing (2.0.3)
activesupport (>= 4.2.0)
nokogiri (>= 1.6)
rails-html-sanitizer (1.0.3)
loofah (~> 2.0)
railties (5.0.6)
actionpack (= 5.0.6)
activesupport (= 5.0.6)
method_source
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.1.0)
rb-fsevent (0.10.2)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
sass (3.5.2)
sass-listen (~> 4.0.0)
sass-listen (4.0.0)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
sass-rails (5.0.6)
railties (>= 4.0.0, < 6)
sass (~> 3.1)
sprockets (>= 2.8, < 4.0)
sprockets-rails (>= 2.0, < 4.0)
tilt (>= 1.1, < 3)
spring (2.0.2)
activesupport (>= 4.2)
spring-watcher-listen (2.0.1)
listen (>= 2.7, < 4.0)
spring (>= 1.2, < 3.0)
sprockets (3.7.1)
concurrent-ruby (~> 1.0)
rack (> 1, < 3)
sprockets-rails (3.2.1)
actionpack (>= 4.0)
activesupport (>= 4.0)
sprockets (>= 3.0.0)
sqlite3 (1.3.13)
thor (0.20.0)
thread_safe (0.3.6)
tilt (2.0.8)
turbolinks (5.0.1)
turbolinks-source (~> 5)
turbolinks-source (5.0.3)
tzinfo (1.2.3)
thread_safe (~> 0.1)
uglifier (2.3.2)
execjs (>= 0.3.0)
json (>= 1.8.0)
web-console (3.5.1)
actionview (>= 5.0)
activemodel (>= 5.0)
bindex (>= 0.4.0)
railties (>= 5.0)
websocket-driver (0.6.5)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.2)
PLATFORMS
ruby
DEPENDENCIES
byebug
coffee-rails (~> 4.2)
jbuilder (~> 2.5)
jquery-rails
listen (~> 3.0.5)
puma (~> 3.0)
rails (~> 5.0.5)
sass-rails (~> 5.0)
spring
spring-watcher-listen (~> 2.0.0)
sqlite3
turbolinks (~> 5)
tzinfo-data
uglifier (= 2.3.2)
web-console (>= 3.3.0)
BUNDLED WITH
1.15.3