The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| |
---|---|
Stage | Govern |
Maturity | Viable |
Features & Demos | Our YouTube playlist |
Content Last Reviewed | 2023-06-28 |
Content Last Updated | 2023-06-28 |
Thanks for visiting this category strategy page on Vulnerability Management in GitLab. This category belongs to the Threat Insights group of the Govern stage and is maintained by Alana Bellucci ([email protected]).
This direction page is a work in progress, and everyone can contribute:
Dependency Management aims to help developers and security professionals understand exactly what third-party software their organizations are using to build their own applications. In our research, we found that the key capabilities of a dependency management tool include:
Capability | Description |
---|---|
Insights | Visibility into dependencies, versioned components, vulnerability state, and adherence to compliance. The value of insights is the ability to prioritize and triage dependencies at the project and organizational level, which allows organizations to assess risk and meet internal and external compliance requirements. |
Remediation | A combination of manual and automated methods can be used to update and resolve dependencies. Manual methods inform the user of a dependency's version, vulnerable state, and upgradability. Automated methods open an MR that updates the package file with the new version and a description of the changes, such as the changelog, CVE, and merge confidence. |
Policies | A policy can include remediation rules, authorized dependencies, CVE validation, vulnerability tolerance, compliance, and more. Policy violations can then be flagged at the MR, continuously, or on demand. |
Alerting | A combination of notifications to chat platforms (Slack, Teams, etc.) or email alerts. Notifications include a report of a new vulnerable dependency or a weekly report of dependency insights. These can be scheduled or policy-driven. |
We are starting with the existing Dependency List and the portion of the License Compliance page where you can view the dependency in which a given license was found.
The vision is to create complete, near-real-time, organization-wide visibility into all third-party dependencies, and any risks present. We will leverage existing features of the GitLab platform to accelerate feature development. We will also bring consistency across security capabilities as we look to mirror functionality in our sibling category of Vulnerability Management.
Over the next year (major milestones 16.0-16.11), we aim to give leadership visibility into dependencies at the project, sub-group, group, or instance level. We also want to make sure teams can quickly triage their dependencies with filtering, searching, and grouping within the Dependency List.
We are working on multiple iterations of the Group/Sub-Group Level Dependency List. Once the Group/Sub-Group Level Dependency List MVC (minimum viable change) is released we will work on iterations 1 - 3.
We are currently working on the MVC for the Group/Sub-Group Level Dependency List. With this change, you can see all dependencies within all projects and sub-groups.
Our current priority is to continue working with our Composition Analysis team on building Continuous Vulnerability Scanning. This will lay the groundwork for "scanless" dependency updates and vulnerability identification. The new database-backed models for dependencies and vulnerability advisory data are key enablers of planned Dependency Management features. One of the first such features is a Dependency List at the Group level, which will create broad, instance-wide views of all dependencies in your organization. We will also be able to build out features borrowed from Vulnerability Management, such as filtering, searching, and grouping. Eventually, we will remove the License Compliance page, as it presents very similar information in a different form. This will create a single source of truth for both dependency and license information.
Feature | GitLab | Black Duck | Sonatype | Snyk | GitHub | Mend |
---|---|---|---|---|---|---|
Insights | 🟨 | 🟩 | 🟩 | 🟩 | 🟩 | 🟩 |
Remediation | 🟨 | 🟩 | 🟩 | 🟩 | 🟩 | 🟩 |
Policies | 🟨 | 🟩 | 🟩 | ⬜️ | 🟨 | 🟩 |
Alerting | ⬜️ | 🟩 | ⬜️ | 🟩 | 🟩 | 🟩 |