Implement Static Reachability for Java and Python projects [MVC]
## DRI
@Joey_Khabie
## Summary
With the acquisition of Oxeye we have identified that their Static Reachability (Smart SCA) feature is a prime candidate for integration into the ~"group::composition analysis" Dependency Scanning tool.
This epic is focused on implementing the existing Oxeye Static Reachability functionality for Java and Python as part of Dependency Scanning. Follow-on work in a separate epic will expand Static Reachability to other languages.
### Problem to solve
Users of any SCA tool are often plagued by alert fatigue. Scanners return a great deal of information on dependencies, licenses, and vulnerabilities, and for vulnerabilities in particular there is a constant influx of newly identified CVEs. This causes pain for our users because they lack an effective way to determine which vulnerability is the most important to remediate in the short term to keep their software safe.
### Definition of done
* Users are able to run a Dependency Scan and receive enriched data with Static Reachability information
* In this MVC Epic we will only expose the data via the API (in a new field). In a follow-on epic, when this becomes GA, we will expose a reachability indicator in the GitLab UI
* Users should be able to see a Reachability Indicator in the GraphQL API
* Users should not need to be a SAST user in order to use Static Reachability
* I know that the Oxeye `Adv SAST` outputs SCA results by default. We do not want this workflow; SCA and SAST should be decoupled.
### Why Static Reachability?
The data generated by Static Reachability provides deeper insight into which packages a project actually uses, and matches those packages to known vulnerabilities. This allows our users to better understand the risk profile of their projects and make more informed remediation decisions.
See [documentation](https://gitlab.com/gitlab-org/security-products/docs/-/tree/main/smart-sca?ref_type=heads) for technical insight.
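To make the idea concrete, here is a small added example of the kind of pass Static Reachability performs for Python: collect the top-level modules a project imports, correlate them with the installed distributions that provide them, and use the result to rank vulnerability alerts. This is illustrative code written for this page, not Oxeye's or GitLab's implementation; the source files, the import-to-distribution map, the SBOM component list, the vulnerability records and the `in_use` / `not_found` labels are all constructed here.

```python
"""Toy static-reachability pass for a Python project (constructed example).

Not GitLab's or Oxeye's code. It answers one question a Dependency Scanning
user cares about: which SBOM components does this code base actually import?
"""
import ast
from typing import Dict, List, Set, Tuple

# Constructed sample source files, as a scanner would read them from the repo.
SAMPLE_SOURCES: Dict[str, str] = {
    "app/main.py": "import requests\nfrom flask import Flask\nimport os\n",
    "app/util.py": "from urllib3.util import Retry\nimport json\n",
}

# Constructed map: top-level import name -> installed distribution name.
# A real tool derives this from installed package metadata (e.g. top_level.txt).
IMPORT_TO_DIST: Dict[str, str] = {
    "requests": "requests",
    "flask": "Flask",
    "urllib3": "urllib3",
    "yaml": "PyYAML",
}

# Constructed SBOM component names and vulnerability records (placeholder ids).
SBOM_COMPONENTS: List[str] = ["requests", "Flask", "urllib3", "PyYAML", "certifi"]
VULNS: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "package": "urllib3"},
    {"id": "EXAMPLE-0002", "package": "PyYAML"},
    {"id": "EXAMPLE-0003", "package": "certifi"},
]


def imported_top_level_modules(source: str) -> Set[str]:
    """Return the top-level module names a Python source file imports.

    Relative imports (``from . import x``) refer to the project itself and
    are skipped; dotted names are reduced to their first component.
    """
    names: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.level == 0:
                names.add(node.module.split(".")[0])
    return names


def reachable_components(sources: Dict[str, str],
                         import_to_dist: Dict[str, str],
                         components: List[str]) -> Dict[str, str]:
    """Label each SBOM component 'in_use' if any file imports a module it
    provides, otherwise 'not_found' (assumed labels, constructed here)."""
    imported: Set[str] = set()
    for src in sources.values():
        imported |= imported_top_level_modules(src)
    used_dists = {import_to_dist[m] for m in imported if m in import_to_dist}
    return {c: ("in_use" if c in used_dists else "not_found") for c in components}


def prioritise(vulns: List[Dict[str, str]],
               reachability: Dict[str, str]) -> Tuple[List[Dict[str, str]],
                                                      List[Dict[str, str]]]:
    """Split vulnerabilities into those in directly imported packages (triage
    first) and the remainder, preserving input order within each group."""
    direct = [v for v in vulns if reachability.get(v["package"]) == "in_use"]
    rest = [v for v in vulns if reachability.get(v["package"]) != "in_use"]
    return direct, rest


if __name__ == "__main__":
    result = reachable_components(SAMPLE_SOURCES, IMPORT_TO_DIST, SBOM_COMPONENTS)
    first, later = prioritise(VULNS, result)
    for name, label in result.items():
        print(f"{name:10s} {label}")
    print("triage first:", [v["id"] for v in first])
    print("then:", [v["id"] for v in later])
```

Note the caveat the example surfaces: `certifi` is labelled `not_found` even though `requests` pulls it in transitively, because nothing in the project imports it directly. A `not_found` result therefore means "no direct import was seen", not "unreachable"; it is a prioritisation signal, not a reason to dismiss the alert.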
### Intended users
Personas are described at https://about.gitlab.com/handbook/product/personas/
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/product/personas/#delaney-development-team-lead)
* [Amy (Application Security Engineer)](https://about.gitlab.com/handbook/product/personas/#amy-application-security-engineer)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/product/personas/#alex-security-operations-engineer)
# Status
| Task | Assignee | Status |
|------|----------|--------|
| [Make sure we are not losing data using GLAS](https://gitlab.com/gitlab-org/gitlab/-/work_items/469652 "validate Adv-SAST's SCA results to be subset of Gemnasium results") | @Joey_Khabie | Done |
| [Add Static reachability to Gemnasium CycloneDX result](https://gitlab.com/gitlab-org/gitlab/-/issues/473784 "Modifications to Sbom reports - with Static reachability data") | @Joey_Khabie | Done |
| [Add GLAS to Gemnasium CI as a step](https://gitlab.com/gitlab-org/gitlab/-/issues/475017 "Add Advanced SAST with SCA enabled to Gemnasium CI") | @nsokolik | Done |
| [Remove SCA code from Lightz-aio](https://gitlab.com/gitlab-org/gitlab/-/issues/479788 "Change the sca flag of lightz-aio not to run SCA finders and output a sarif") | @nsokolik | Done |
| [Build tool to correlate the imported dependencies with the installed module](https://gitlab.com/gitlab-org/gitlab/-/issues/479791 "Build tool for correlate the imported dependencies with the installed module") | @Joey_Khabie | Done |
| [Post-analyzing script for correlation between GLAS results and Gemnasium results](https://gitlab.com/gitlab-org/gitlab/-/issues/477150 "Correlation Script between GLAS sca results and Gemnasium cyclondeDX results") | @Joey_Khabie + @nsokolik | Done |
| [DB Modification - Digest static reachability data](https://gitlab.com/gitlab-org/gitlab/-/issues/473792 "Discussion: DB Modifications - Where to save static reachability data.") | @Joey_Khabie | Done |
| [Monolith - Digest & Save reachability data for each package - by customer project](https://gitlab.com/gitlab-org/gitlab/-/issues/480627 "Digest & Save reachability data for each package - by customer project") | @ysiev | Done |
| [Add Documentation for Static Reachability feature](https://gitlab.com/gitlab-org/gitlab/-/issues/480628 "Add Documentation for Static Reachability Feature") | @Joey_Khabie + @nsokolik | Done |
| [Fetch reachability data via GraphQL API](https://gitlab.com/gitlab-org/gitlab/-/issues/482626 "Fetch Reachability data via GraphQL API") | @Joey_Khabie | Done |
* This table will be kept up to date as the work progresses.