Bug found and resolved in Dependency Scanning

Nicole Schwartz ·
Feb 19, 2021 · 2 min read

Dependency Scanning relies on the GitLab Vulnerability Database (called gemnasium-db) to provide it with the latest advisory data (i.e. CVEs). Dependency Scanning docker images are built and released with the latest version of the database and in addition, the analyzers update this database to the latest version at the time of a scan.

However, starting with version 2.8.1 of the Dependency Scanning analyzer called gemnasium, the vulnerability database was not updating itself at scan time. Versions between v2.8.1 (released 2020-03-30) and v2.28.0 (released 2021-02-03) are affected by this bug. As a result, since the introduction of the bug, scan results would only be able to identify advisories published on or before the analyzer image release date. In some cases this meant that the advisories' Dependency Scanning analyzers were outdated by several weeks (relying only on the database checked out at image build time).

We are concerned that this bug made it out to customers and are performing a root cause analysis.

Most customers will receive the bug fix automatically and will have the latest advisory database the next time their Dependency Scanning jobs run. But customers with their own copy of the GitLab container registry or dedicated runners with a docker pull-policy other than always, must take the manual action to pull or update your pin to the latest image (or at least one that is not impacted by this bug). Users that must take this manual action are:

The three analyzer types that are affected are the gemnasium analyzer, the gemnasium-python and gemnasium-maven analyzer. The affected versions of each are:

TL;DR - If you are using Dependency Scanning analyzers and are not always pulling their docker images from GitLab's docker container registry, please update your analyzers' docker images promptly in order to sync the analyzers with the latest available advisories.

“” – Nicole Schwartz

Click to tweet

Edit this page View source