MR Approval Malware Policy
# Summary
In https://gitlab.com/groups/gitlab-org/-/epics/17976, vulnerabilities will be created when malicious packages are identified during a Dependency Scanning scan. These vulnerabilities will be displayed to users on the Vulnerability report.
Taking this functionality a step further, users will want to create policies around these malicious packages, either to block their usage outright or to apply a rule set that defines how they may be used within projects.
# Problem Statement
In the initial beta release we will allow users to define a policy based on Severity (defaulting to Critical when a vulnerability is created).
Within the scope of this issue, we will provide the additional capability to define or tune a policy that blocks specifically on the presence of a malicious package in scan results. This goes beyond blocking only because a malicious package finding is classed as "Critical": malicious packages can be treated with higher severity or more nuanced criticality, ensuring action is taken immediately.
This matters when triaging and actioning vulnerabilities because malicious packages, by their nature, carry malicious intent. Another vulnerability classed as "Critical" represents an exploitable weakness that _may_ or may not actually be exploited; a malicious package should be assumed to already be executing attacker intent, so it requires immediate action.
## :briefcase: Business Justification
See [details](https://gitlab.com/groups/gitlab-org/-/epics/19465#note_2963683659).
# :chart_with_upwards_trend: Target Metrics
1. Increased adoption of MR approval policies.
2. [Prospective] Increase in adoption of the SSCS add-on.
# MVC Proposal
1. Include a new `Malware rule` in the MR approval policy that filters on whether a finding `Is Malicious`, available for the relevant scan types (Dependency Scanning and Container Scanning).
   1. When `Is Malicious = True`, meaning malware is detected, it is considered a violation every time.
   2. This is treated as an `OR` condition relative to the other rules. Any time malware is detected, it is critical and a violation.
   3. Example: users may choose to Block if `Is Malicious = True` OR if `Severity = Critical` for Dependency Scanning or Container Scanning.
2. Update the workflow so that the `Malware rule` options are recommended by default.
3. Make it clear to new and existing users that the new `Malware rule` is now available.
4. Make it clear that the `Malware rule` applies only to Dependency Scanning and Container Scanning findings.
5. Account for workflows related to enabling the Dependency Firewall. The `Malware rule` would be available to Ultimate users who also have the Dependency Firewall activated.
6. Once enabled, malicious packages identified by a `MAL-` prefixed identifier (as opposed to the CVE identifiers used for vulnerabilities) will be detected by the MR approval policy (alongside the other scan finding rules for CVE and CWE) and displayed in the bot comments on the MR as violations.
   * Container Scanning can detect malicious packages OR malicious container images.
   * Both scenarios are covered by a simple "is malicious" boolean check.
7. Users may choose the Warn or Block (Require approvers) action to use with the `Malware rule`.
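The rule semantics proposed above, as an added example written for this issue rather than GitLab's own policy engine: the `Malware rule` is `OR`ed with the severity rule, it fires on `MAL-` identifiers regardless of severity, it is scoped to Dependency Scanning and Container Scanning findings, and the policy action is Warn or Block. The `Finding`/`Policy` structures, scanner names and the `MAL-EXAMPLE-*`/`CVE-EXAMPLE-*` identifiers are constructed for illustration and are not GitLab's schema or real advisories.

```python
"""Added example, not GitLab code: how a proposed "Malware rule" would be
evaluated alongside an existing severity rule in an MR approval policy.

The Finding/Policy shapes below are hypothetical; they are not GitLab's
approval_policy YAML or its internal finding model.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Only these scanners can produce malicious-package / malicious-image findings.
MALWARE_SCANNERS = {"dependency_scanning", "container_scanning"}


def is_malicious_identifier(identifier: str) -> bool:
    """Malicious packages carry a MAL- prefix, vulnerabilities carry CVE-."""
    return identifier.upper().startswith("MAL-")


@dataclass
class Finding:
    scanner: str        # e.g. "dependency_scanning" (assumed naming)
    identifier: str     # "MAL-..." or "CVE-..." (constructed values below)
    severity: str       # "critical", "high", "medium", ...
    is_malicious: bool = False

    def __post_init__(self) -> None:
        # A MAL- identifier always marks the finding as malicious; the flag
        # also lets Container Scanning mark a malicious *image* without a package id.
        if is_malicious_identifier(self.identifier):
            self.is_malicious = True


@dataclass
class Policy:
    scanners: set[str]                       # scan types selected in the policy
    malware_rule: bool = True                # the proposed "Is Malicious" rule
    severity_levels: set[str] = field(default_factory=lambda: {"critical"})
    action: str = "block"                    # "block" (require approvers) or "warn"


def malware_rule_matches(policy: Policy, f: Finding) -> bool:
    """Violation whenever a DS/CS finding in scope is malicious, at any severity."""
    return (policy.malware_rule
            and f.scanner in policy.scanners
            and f.scanner in MALWARE_SCANNERS
            and f.is_malicious)


def severity_rule_matches(policy: Policy, f: Finding) -> bool:
    return f.scanner in policy.scanners and f.severity in policy.severity_levels


def evaluate(policy: Policy, findings: list[Finding]) -> tuple[str, list[tuple[str, list[str]]]]:
    """Return (action, violations). Rules are OR'ed: any matching rule is a violation."""
    violations = []
    for f in findings:
        reasons = []
        if malware_rule_matches(policy, f):
            reasons.append("malware")
        if severity_rule_matches(policy, f):
            reasons.append("severity")
        if reasons:
            violations.append((f.identifier, reasons))
    return (policy.action if violations else "pass"), violations


# Constructed sample findings (not real advisories).
SAMPLE_FINDINGS = [
    Finding("dependency_scanning", "MAL-EXAMPLE-1", "high"),                 # malicious, not critical
    Finding("dependency_scanning", "CVE-EXAMPLE-1", "critical"),             # ordinary critical CVE
    Finding("dependency_scanning", "CVE-EXAMPLE-2", "medium"),               # no rule matches
    Finding("container_scanning", "IMAGE-EXAMPLE-1", "critical", is_malicious=True),  # malicious image
    Finding("sast", "CVE-EXAMPLE-3", "critical"),                            # scanner not in policy
]

BLOCK_POLICY = Policy(scanners={"dependency_scanning", "container_scanning"}, action="block")
WARN_MALWARE_ONLY = Policy(scanners={"dependency_scanning", "container_scanning"},
                           severity_levels=set(), action="warn")


def run_example() -> dict[str, tuple[str, list[tuple[str, list[str]]]]]:
    return {
        "block_policy": evaluate(BLOCK_POLICY, SAMPLE_FINDINGS),
        "warn_malware_only": evaluate(WARN_MALWARE_ONLY, SAMPLE_FINDINGS),
    }


if __name__ == "__main__":
    for name, (action, violations) in run_example().items():
        print(f"{name}: action={action}")
        for identifier, reasons in violations:
            print(f"  {identifier}: {', '.join(reasons)}")
```

Note the two cases the proposal calls out: `MAL-EXAMPLE-1` is only "high" yet still violates via the malware rule, and the critical SAST finding is ignored because the policy (and the rule) only covers Dependency Scanning and Container Scanning.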
## Design Concept
| New Malware Rule Per Relevant Scanner | Irrelevant Scans selected |
|---------------------------------------|---------------------------|
| (mockup image not included) | (mockup image not included) |

| Existing Policy/Rules when Dependency Firewall is Activated | Dependency Firewall Deactivated |
|-------------------------------------------------------------|---------------------------------|
| (mockup image not included) | (mockup image not included) |