Dependency Scanning - Viable to Complete
## Dependency Scanning
Please see our [Direction Page](https://about.gitlab.com/direction/secure/composition-analysis/dependency-scanning/)
[Video](https://www.youtube.com/watch?v=CDQXZi2PfSE)
#### Target Audience
[User](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#user-personas) - Primary - Sasha (Software Developer) and Secondary - Sam (Security Analyst)
[Buyer](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/buyer-persona/) - CISO
### April 2022 thoughts
Because the group has been only slowly working this epic, and a large amount of time has passed, competitors and the market have continued to add new features, and we have also learned more about customer use cases. As such, I believe the original objectives below are outdated.
The current [definition of mature](https://about.gitlab.com/direction/maturity/) is "GitLab the company dogfoods it exclusively. At least 100 customers use it. CM Scorecard score at least 3.63 for the identified JTBDs when tested with external users. Suitable to migrate from existing tools."
As such, my revised thoughts on what we need in order to minimally meet internal needs, as well as be a choice users want to migrate to, are the following:
- [dependency paths mvc](https://gitlab.com/groups/gitlab-org/-/epics/3843)
- [dependency paths post-mvc](https://gitlab.com/groups/gitlab-org/-/epics/3858)
- [linking container scanning and dependency scanning results](https://gitlab.com/gitlab-org/gitlab/-/issues/348655) (reduce noise)
- search/filter dependency list (hopefully [Matt Wilson does the spike first](https://gitlab.com/gitlab-org/gitlab/-/issues/352665) and [Becka finishes the design](https://gitlab.com/gitlab-org/gitlab/-/issues/342079) so we can leverage that, or possibly help get there and then leverage it; we may need to move to storing things in the database, and since mine never got approved, leverage [sam's vulns in database](https://gitlab.com/groups/gitlab-org/-/epics/2340) / [issue 2](https://gitlab.com/gitlab-org/gitlab/-/issues/357699) and build on that)
- allow [pre-filtering](https://gitlab.com/gitlab-org/gitlab/-/issues/351730) (allow users to skip scanning specified directories: actually not scan them, not just omit them from the report, although the latter can be the MVC if needed)
- allow [post-filtering](https://gitlab.com/gitlab-org/gitlab/-/issues/339686) (can we augment Sam White's [Security results policies](https://docs.gitlab.com/ee/user/application_security/policies/scan-result-policies.html) or [Matt's ignore plans](https://gitlab.com/gitlab-org/gitlab/-/issues/239033) to assist here for the MVC?)
- allow setting which [pipeline reports are picked for large customers](https://gitlab.com/gitlab-org/gitlab/-/issues/346843)
- minor UX changes to dependency list as a result of [UX research](https://gitlab.com/gitlab-org/ux-research/-/issues/299)
  - assuming search/filter above is done
  - sub-heading of "software bill of materials (sbom)"
  - [more clear display of what pipeline](https://gitlab.com/gitlab-org/gitlab/-/issues/351793)
### OLD / Details
<details><summary>click here to expand</summary>
#### Challenges to address - In order
| Status | Goal | Epic(s)/Issue(s) | Risk | Estimate | Notes | JTBD |
| --- | ------ |---------| ------ | --------- | ------ | --------- |
| ✅ | Maintain tight integration into SDLC | - | - | - | This is a very important value for our users. This is complete but we want to maintain it. When we propose new features be sure to consider if we have added it for them *within their relevant workflow* | N/A - baseline that we are one DevSecOps tool |
| ✅ | Maintain offline scanning | [Offline environment](https://docs.gitlab.com/ee/user/application_security/offline_deployments/) | - | - | Maintain Dependency Scanning offline for our self-hosted users when their instance is air-gapped, offline or has limited connectivity. This just means have tests, address bugs with new features and regressions. Complete but maintain with each new feature and changes to features and keep in mind when designing. | N/A - baseline that we [mostly] work offline |
| ✅ | Cover most popular languages | [Expand Language coverage](https://gitlab.com/groups/gitlab-org/-/epics/2625) | - | - | These languages as determined by our own GitLab languages, user data, top GitHub languages, and top internet languages. | N/A - cost of doing business stay current |
| ✅ Complete | Passing CMS score | [CMS Recommendations](https://gitlab.com/gitlab-org/gitlab-design/-/issues/1460#recommendations) & [UX improvements and research](https://gitlab.com/groups/gitlab-org/-/epics/2628) | ⬆️ UX research not complete; unknown how many things need to be fixed | %13.11 | We should have a [passing UX scorecard](https://about.gitlab.com/handbook/engineering/ux/category-maturity-scorecards/) for our primary persona's primary [Job(s) to Be Done](https://about.gitlab.com/handbook/engineering/ux/stage-group-ux-strategy/secure/#primary-jobs-to-be-done-jtbd) | One item of concern found - not being able to track where a dependency came from - will retest after [Show paths to dependencies MVC](https://gitlab.com/groups/gitlab-org/-/epics/3843) |
| ✅ Complete | Easy to Enable/Disable/Configure in UI | [SCA should be easy to enable, configure and customize for projects in UI](https://gitlab.com/groups/gitlab-org/-/epics/4908) | ⬇️SAST did it so it shouldn't have too many unknowns | | - | [JTBD](https://gitlab.com/gitlab-org/gitlab/-/issues/34369) |
| ✅ Complete | Perform a GAP analysis of tests | [GAP](https://gitlab.com/groups/gitlab-org/-/epics/4890) | One ~Quality item open but GAP is complete | | <ul><li>Sufficient Test (Project, Unit, E2E, Regression) Coverage</li></ul> | N/A - baseline |
| In Progress | Show paths to dependencies MVC | [Show paths to dependencies MVC](https://gitlab.com/groups/gitlab-org/-/epics/3843) | ⬇️ | ⏳ 11/16 | - | - |
| 🛑 Blocked | Auto-Remediation: auto-create merge request | [Auto-Remediation: auto-create merge request](https://gitlab.com/groups/gitlab-org/-/epics/3188) | ⬇️ Well defined | ⏳ %"13.9" | Making the bot. | N/A - feature parity with competition (dependabot, renovatebot) |
| 🛑 Blocked | Auto-Remediation - Show available solutions in Project Security Dashboard | [Auto-Remediation - Show available solutions in Project Security Dashboard](https://gitlab.com/groups/gitlab-org/-/epics/4562) | ⬇️ Well defined | ⏳ %"13.9" | Showing in dashboard | N/A - feature parity with competition (dependabot, renovatebot) |
| ⚠️Not Started | Show paths to dependencies - POST MVC| [Show paths to dependencies - POST MVC](https://gitlab.com/groups/gitlab-org/-/epics/3858) | ⬇️⬆️ | ⏳ 3 releases | - | - |
| ⚠️Not Started | Improve stability and reliability | [Stability, Availability, Reliability, Performance](https://gitlab.com/groups/gitlab-org/-/epics/3233) | ⬆️not started, novel | ⏳ 6 releases | <ul><li>No one wants to use a buggy product. This is in relation to uptime, size and speed, sufficient testing, and reduction of technical debt. This is not related to the findings (i.e. this is not related to decreasing the rate of false positives).</li><li>Put in place sufficient performance monitoring to detect and possibly prevent bugs/performance issues. For example: scan run time, container size, artifact size.</li><li>Dogfood</li></ul> | N/A - baseline |
| ✅⚠️🛑 | Goal | []() | Note | ⬇️⬆️ | ⏳ | - | - |
#### What is Not Planned Right Now
- SCA / SBoM
- Mobile
- Scanning interpreters and system libraries (versions of Java, Ruby)
- Ways to reduce noise (by mitigation of improbable items, reduced false positives, custom rules)
- Try to overlap sast/DS/DAST (use of function/method)
- Education
- Industry standard mappings (MITRE, etc.)
- Dependency trust and risk scores
- Malware?
- Source / reuse identification (copied from internet, sast though?)
- Notifications / rescans
### Competitive Landscape
- Checkmarx https://www.checkmarx.com/products/software-composition-analysis
Related Epics:
- [Include all Dependency Scanning tools into Gemnasium](https://gitlab.com/groups/gitlab-org/-/epics/2476)
- [Bring Dependency Scanners to Core](https://gitlab.com/groups/gitlab-org/-/epics/2218)
- [Bootstrap other teams' knowledge of Secure features](https://gitlab.com/groups/gitlab-org/-/epics/2066)
- [Drop Gemnasium server side architecture](https://gitlab.com/groups/gitlab-org/-/epics/1914)
- [Expose CVSS Details in Secure scanners](https://gitlab.com/groups/gitlab-org/-/epics/1861)
- [Remove the Docker-in-Docker requirement for secure categories and features](https://gitlab.com/groups/gitlab-org/-/epics/2263)
[SCA Priorities 2020](https://gitlab.com/gitlab-org/secure/general/-/issues/65)
[Dependency Scanning - Complete to Loveable](https://gitlab.com/groups/gitlab-org/-/epics/2725)
</details>