|Content Last Reviewed||
|Content Last Updated||
We welcome feedback, bug reports, feature requests, and community contributions.
Not sure how to get started?
/label ~"devops::secure" ~"Category:Dependency Scanning" ~"group::composition analysis".
Sharing your feedback directly on GitLab.com is the best way to contribute to our direction.
Dependency Scanning is a technique that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities in those components that may affect the main application.
Applications define which package they require, and the version that is used. Dependency Scanning leverages our Vulnerability Database to check if any of these dependencies have known vulnerabilities, and it indicates if a package upgrade is needed.
Dependency Scanning is very dependent not only on the programming languages, but also on the package manager. Different package managers have different repositories and ways to keep track of versions.
Our goal is to provide Dependency Scanning as part of the standard development process so that we are proactively identifying potential vulnerabilities and weaknesses as they are introduced, to the person who introduced them. Dependency Scanning results can be consumed in the merge request, where only new vulnerabilities, introduced by the new code, are shown. This means that Dependency Scanning is executed every time a new commit is pushed to a branch. This should allow for findings to be reviewed and resolved before having the opportunity to make it into production. For those who wish to require additional review when critical or high vulnerabilities are found, you can enable Merge Request Approvals. We include Dependency Scanning as part of Auto DevOps.
Primary: Sasha (Software Developer) wants to know when adding a depedency if it has known vulnerabilities so alternate versions or dependencies can be considered.
Secondary: Sam (Security Analyst) wants to know what dependencies have known vulnerabilities (to reduce the OWASP A9 risk - Using Components with Known Vulnerabilities), to be alerted if a new vulnerability is published for an existing component, and how behind current version the components are.
Other: Cameron (Compliance Manager), Delaney (Development Team Lead), Devon (DevOps Engineer), Sidney (Systems Administrator)
We will be researching current user challenges in this issue. Please feel free to comment!
Currently we notify developers when they add dependencies in these supported languages with known vulnerabilities in our vulnerability database, if security approvals are configured, we will require an approval for critical, high or unknown findings. A summary of all findings for a project can be found in the Security Dashboard where Security Teams can quickly check the security status of projects, and the Dependency List. For limited package managers, we are able to offer auto-remediation recommendations for the findings.
We know that we need to keep iterating and improving on our workflow. We plan to make our setup simpler, improve usability when viewing and interacting with findings, allow customization of the approval (severity level) thresholds, and expand the languages and package managers supported for dependency discovery. Part of the language expansion will include increasing the supported package managers for auto-remediation.
Following these iterations, we need to help you assess the risk you face from a finding, GitLab should be able to indicate, where applicable, if you are using the impacted function, that has the risk. We plan to introduce tooling to help you prioritize the findings.
Dependency Scanning information can also help you create a software bill of materials (SBoM or BOM), where all the components are listed with their versions. We hope to collect feedback and improve on enabling users to leverage our Dependency List for building their SBoM.
We also understand Security is about more than just reacting to findings, where possible we would like to warn you as components you leverage become out of date, or near end of life, to help you practively plan.
In order to focus on what's next, the following items are not on the immidiate horizon:
We would love your comments on any of those epics to help us prioritize the above epics as we complete the items in "What's Next & Why".
This category is currently at the Viable maturity level, and our next maturity target is 2021-07-22 (see our definitions of maturity levels
Currently we have very limited product analytics data, as a result we will be tracking number of times that our scans run.
In the future we hope that users will allow us to enhance our product analytics to be able to record information such as the number of findings that are dismissed vs. accepted. See our current metrics here, and other items being discussed in this issue.
In addition to being A9 Using Components with Known Vulnerabilities in the OWASP top 10, keeping dependencies up to date is code quality issue, and finally as the need for software bill of materials (SBoM) grows being able to list your dependencies will become a needed feature for all application developers.
The Dependency Scanning topic is often coupled with License Compliance in Software Composition Analysis (SCA) or considered as part of an Application Security Testing (AST) package. This is what analysts evaluate, and how it is bundled in other products. As defined in our Solutions, GitLab includes Container Scanning as part of Software Composition Analysis.
Analysts are showing interest for auto-remediation as the key feature to make dependency scanning really actionable for users. We can invest to increase our coverage.
I base this on
popularity, so please remember to comment AND upvote issues you would like to see.
If you don't see the
customer success label on an issue yet, and you are a customer success team-member, feel free to add it!
If you don't see the
customer label on an issue yet, feel free to add it if you are the first customer!
If you don't see the
internal customer label on an issue yet, and you are a team-member, feel free to add it!