GitLab provides a Dependency Scanning feature that can automatically detect vulnerabilities in your software dependencies. Dependency Scanning covers various programming languages and relies on the GitLab Advisory Database, that is updated on a periodic basis by the Vulnerability Research team at GitLab. The GitLab Advisory Database covers security advisories in software packages that have a CVE identifier, as well as malicious packages marked as such by their ecosystem (example). The database is an essential part of the Dependency Scanning feature, which is available in GitLab Ultimate self-managed and GitLab Ultimate SaaS.
As of recently, GitLab also provides a free and open-source version of the database, the GitLab Advisory Database (Open Source Edition), a time-delayed (+30 days) clone of the GitLab Advisory Database.
In the spirit of
Transparency, two of
the GitLab core values, we share
the database with the open-source community in a format that is
and can be easily parsed. The advisory data can be readily adopted, adapted, and
exchanged. For example, links to proof of concepts or write-ups, or any other
directly related information that will benefit the community, can be added to
urls: - "https://hackerone.com/reports/1104077" - "https://nvd.nist.gov/vuln/detail/CVE-2021-28965" - "https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/"
Additionally, in our advisories we use Common Weakness Enumeration in conjunction with Common Vulnerability Scoring System as a standard means of communicating vulnerabilities, as well as their impact/severity, internally and externally.
The GitLab Advisory Database is integrated into GitLab Dependency Scanning. Once an existing advisory is modified or a new advisory is created, the information included in the advisory will appear in the Vulnerability Pages where findings/vulnerabilities originating from all security scanners, including Dependency Scanning, can be managed at a central place.
The open-source database has recently been integrated into Trivy, a free and open-source solution for container scanning. We are very grateful for community contributions to the GitLab Advisory Database. Our community has aided us by suggesting improvements to our data or by creating entirely new advisories, allowing everyone to benefit from their contributions.
At GitLab, everyone can contribute. The Vulnerability Research team at GitLab has made it easy to contribute to both databases.
Community contributions can be made available in
instantaneously by means of the
which has been introduced recently. Using this synchronization, you can make
the same contribution appear in both databases at the time of a Merge Request
(within one hour after the merge).
We have also used this flag to make the advisories concerning the recent log4Shell vulnerabilities available to the community immediately after these were made public. Even though the open-source version of the database is time-delayed, particular vulnerabilities that have the potential to become widespread and cause disruptions to the entire Internet, are pushed into the open-source version of the GitLab security advisory database.
Cover image by Charles Deluvio on Unsplash
“Introducing a community-driven advisory database for third-party dependencies.” – Julian Thome, Isaac Dawson, Dinesh Bolkensteyn, and Mark Art
Click to tweet