Category Direction - Dependency Scanning

1. You are here:
2. Category Direction - Dependency Scanning

• Sec Section
  • Introduction and how you can help
    • Send Us Feedback
  • Overview
    • Target Audience
    • Challenges to address
  • Key features
  • Strategy
  • Where we are Headed
    • Roadmap
    • What's Next & Why
    • What is Not Planned Right Now
    • Maturity Plan
  • User success metrics
  • Why is this important?
  • Competitive Landscape
  • Analyst Landscape
  • Top Issue(s)
    • Customer Success/Sales
    • Top user issue(s)
    • Top internal customer issue(s)
    • Top Strategy Item(s)

Sec Section

Introduction and how you can help

Thanks for visiting this category direction page on Dependency Scanning at GitLab. This page belongs to the Composition Analysis group of the Secure stage and is maintained by Nicole Schwartz.

Send Us Feedback

We welcome feedback, bug reports, feature requests, and community contributions.

Not sure how to get started?

• Upvote or comment on proposed Category:Dependency Scanning issues - when you find one similar to what you want, please leave a comment AND upvote it! This helps it to be prioritized, backlog items with few unique individuals commenting are unlikely to get reviewed and prioritized.
• Can't find an issue? Make a feature proposal or a bug report. Please add the appropriate labels by adding this line to the bottom of your new issue /label ~"devops::secure" ~"Category:Dependency Scanning" ~"group::composition analysis" ~feature.
• Consider signing up for First Look.

Sharing your feedback directly on GitLab.com is the best way to contribute to our direction.

We believe everyone can contribute and so if you wish to contribute here is how to get started.

Overview

Dependency Scanning is a technique that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities in those components that may affect the main application.

Applications define which package they require, and the version that is used. Dependency Scanning leverages our Vulnerability Database to check if any of these dependencies have known vulnerabilities, and it indicates if a package upgrade is needed.

Dependency Scanning is very dependent not only on the programming languages, but also on the package manager. You can read our user documentation to see what languages and package managers are currently supported. Different package managers have different repositories and ways to keep track of versions.

Our goal is to provide Dependency Scanning as part of the standard development process so that we are proactively identifying potential vulnerabilities and weaknesses as they are introduced, to the person who introduced them. Dependency Scanning results can be consumed in the merge request, where only new vulnerabilities, introduced by the new code, are shown. This means that Dependency Scanning is executed every time a new commit is pushed to a branch. This should allow for findings to be reviewed and resolved before having the opportunity to make it into production. Where possible we provide Automatic Remediation for a found vulnerability. For those who wish to require additional review when critical or high vulnerabilities are found, you can enable Security Approvals in Merge Requests. We include Dependency Scanning as part of Auto DevOps.

Target Audience

Primary: Sasha (Software Developer) wants to know when adding a dependency if it has known vulnerabilities so alternate versions or dependencies can be considered.

Secondary: Sam (Security Analyst) wants to know what dependencies have known vulnerabilities (to reduce the OWASP A9 risk - Using Components with Known Vulnerabilities), to be alerted if a new vulnerability is published for an existing component, and how behind current version the components are.

Other: Cameron (Compliance Manager), Delaney (Development Team Lead), Devon (DevOps Engineer), Sidney (Systems Administrator)

Challenges to address

We will be researching current user challenges in this issue and using them to validate or update our job(s) to be done as a part of completing our category maturity scorecard. Please feel free to comment!

Key features

Currently we notify developers when they add dependencies in these supported languages with known vulnerabilities in our vulnerability database, if security approvals are configured, we will require an approval for critical, high or unknown findings. A summary of all findings for a project can be found in the Security Dashboard where Security Teams can quickly check the security status of projects, and the Dependency List. For limited package managers, we are able to offer auto-remediation recommendations for the findings.

• 13 Supported Package Managers (11 languages)
• Shows finding information in the merge request
• Merge Request Approvals
• Dependency List
• Security Dashboard available at the Project, Group, and Instance levels
• Auto-remediation leverages Dependency Scanning to provide a solution for vulnerabilities that can be applied to fix the codebase.

Strategy

See Secure 3 Year Strategy

Where we are Headed

We know that we need to keep iterating and improving on our workflow. We plan to make our setup simpler and improve usability when viewing and interacting with findings. We also will increasing the supported package managers for auto-remediation.

Roadmap

-Dependency Scanning Epic Roadmap

What's Next & Why

• Move Dependency Scanning's maturity from Viable to Complete This involves many elements which are called out below
  • Dependency Scanning should be easy to enable Users with access to the Security Configuration page who do not yet have Dependency Scanning enabled can now enable it by clicking "Enable via MR". This will create and/or update your pipeline yml file to add the default Dependency Scanning template. This will make it easier for you to quickly add Dependency Scanning into your project adding an additional layer of security to your standard development workflow.
  • Automatic Remediation creates a Merge Request Automatic Remediation will automatically create a merge request when a suggested solution is found during a Dependency Scan or Container Scan. This makes it even easier for you to shift security left. When you enable the feature from the Security Configuration page, GitLab Security Bot will have an access to your project to create auto-fix Merge Requests.
  • Auto-Remediation - Show available solutions in Project Security Dashboard We will make some usability improvements to the Project Security Dashboard for Automatic Remediation users. The activity column will have a lightbulb icon to allow users to quickly see which findings have available solutions. When the Automatic Remediation bot was able to create a merge request there will be an MR icon next to vulnerabilities. Hovering the MR icon will open a popover containing links to the MRs, and you will be able to tell which were opened by users and which were opened by the security bot. Finally, there will be a new filter to allow you to quickly find all vulnerabilities with MRs or solutions.
  • Auto Remediation - Dependency Scanning - add additional package manager support for PHP and npm Users who utilize Dependency Scanning for PHP composer and npm projects will be able to take advantage of our Automatic Remediations, this offers one-click Merge Requests created as solutions to select findings. By making solutions easy to apply we hope to enable you to not only choose safer Dependencies for your projects but speed up your work.
  • Show paths to dependencies - MVC You will be able to see the dependency paths of the dependencies identified in your project on the Dependency List and in the security widget of your merge request. This will help you see vulnerable dependencies are part of your project (which dependency you added that it was a dependency of) and it will help you triage the finding and decide if there is a threat.
    • Show paths to dependencies - POST MVC will iterate and improve on the above MVC
  • Improve Security Merge Request Approvals We want to make Security based Merge Request approvals easier to enable, as well as easier to discover. Security approvals in merge requests was introduced in GitLab Ultimate 12.2 but after speaking with users we discovered that users found the setup and process to force critical and high findings to be approved before going to production has been difficult to find and configure. As this is a critical workflow for security conscious users we have worked to reduce that friction.

What is Not Planned Right Now

In order to focus on what's next, the following items are not on the immediate horizon:

• Configuration and Management at a group and instance level Although this is a top customer ask across secure there have been a number of blockers and intricacies we have been unable to work around. Please visit the epic to follow the progress as multiple groups are working hard to make this possible.
• Customize Merge Request Security Approval threshold for Dependency Scanning
• Help prioritize findings - Dependency Scanner
• Proactive warnings about out of date and end of life (EOL) versions- dependency scanning
• Notifications of prior committed dependency state (risk) change - dependency scanning
• Dependencies approval list (allow list, deny list)
• Rules to automatically dismiss findings

We would love your comments on any of those epics to help us prioritize the above epics as we complete the items in "What's Next & Why".

Maturity Plan

This category is currently at the Viable maturity level, and our next maturity target is 2021-07-22 (see our definitions of maturity levels

• Dependency Scanning - Viable to Complete

User success metrics

Currently we have limited product analytics data, as a result we will be tracking number of times that our scans run.

In the future we hope that users will allow us to enhance our product analytics to be able to record information such as the number of findings that are dismissed vs. accepted. See our current metrics here, and other items being discussed in this issue.

Why is this important?

In addition to being A9 Using Components with Known Vulnerabilities in the OWASP top 10, keeping dependencies up to date is code quality issue, and finally as the need for software bill of materials (SBoM) grows being able to list your dependencies will become a needed feature for all application developers.

Competitive Landscape

• Black Duck by Synopsys
• CA Veracode
• Contrast
• Datadog
• GitHub
• greenkeeper
• HCL AppScan
• JFrog Xray
• Micro Focus Fortify
• Snyk
• Sonatype Nexus
• Whitesource

Analyst Landscape

GitLab was named a Niche Player in the 2020 Gartner Magic Quadrant for AST.

The Dependency Scanning topic is often coupled with License Compliance in Software Composition Analysis (SCA) or considered as part of an Application Security Testing (AST) package. This is what analysts evaluate, and how it is bundled in other products. As defined in our Solutions, GitLab includes Container Scanning as part of Software Composition Analysis.

• Forrester

Analysts are showing interest in our automatic remediation as the key feature to make dependency scanning really actionable for users. We can invest to increase our coverage.

Top Issue(s)

I base this on popularity, so please remember to comment AND upvote issues you would like to see.

Customer Success/Sales

Issue Search customer success issues

If you don't see the customer success label on an issue yet, and you are a customer success team-member, feel free to add it!

Top user issue(s)

Issue Search customer issues

If you don't see the customer label on an issue yet, feel free to add it if you are the first customer!

Top internal customer issue(s)

Issue Search internal customer issues

If you don't see the internal customer label on an issue yet, and you are a team-member, feel free to add it!

Top Strategy Item(s)

Issue Search AST Leadership issues