Category Direction - Software Composition Analysis

1. You are here:
2. GitLab Direction
3. Product Stage Direction - Secure
4. Group Direction - Composition Analysis
5. Category Direction - Software Composition Analysis

• Software Composition Analysis
  • Introduction and how you can help
  • Overview
  • Strategy and Themes
  • 1 year plan
    • What we recently completed
    • What we are currently working on
    • What is next for us
    • What is Not Planned Right Now
  • Best in Class Landscape
    • Key Capabilities
    • Roadmap
    • Top Competitive Solutions
  • Target Audience
  • Pricing and Packaging
  • Analyst Landscape

Software Composition Analysis

Stage	Secure
Maturity	Viable
Content Last Reviewed	2023-09-18
Content Last Updated	2023-09-18

Introduction and how you can help

Thanks for visiting this category direction page on Software Composition Analysis (Dependency Scanning and License Compliance) in GitLab. This page belongs to the Composition Analysis group of the Secure stage. The Product Manager is Sara Meadzinger.

This direction page is a work in progress, and everyone can contribute:

• Please comment and contribute in the linked issues or epics on this page. Sharing your feedback directly on GitLab.com is the best way to contribute to our strategy and vision.
• Please share feedback directly via email or on a video call. If you're a GitLab user and have direct knowledge of your need for dependency scanning, we'd especially love to hear from you.

Overview

Dependency scanning analyzes the dependencies used in a project. It identifies dependencies that have been directly included and it also analyzes those dependencies to get a list of their dependencies (also known as indirect or transitive dependencies). Once a full listing of all direct and transitive dependencies has been obtained, dependency scanning solutions analyze those dependencies to identify known vulnerabilities in those dependencies.

Dependency Scanning leverages the GitLab Advisory Database to check if any of these dependencies have known vulnerabilities, and it indicates if a package upgrade is needed.

Dependency Scanning and License Compliance are often considered two elements of Software Composition Analysis and Application Security Testing.

License compliance analyzes the dependencies used in a project. It identifies dependencies that have been directly included and it also analyzes those dependencies to get a list of their dependencies (also known as indirect or transitive dependencies). Once a full listing of all direct and transitive dependencies has been obtained, license compliance solutions analyze those dependencies to identify how those dependencies are licensed. Typically this information is stored in the metadata for the package; however, it may also be present in a file in the dependency's code repository. This type of analysis allows users to get a full list of all the licenses they are using in the project so they can ensure they are willing to adhere to the associated terms and conditions.

GitLab was named as a Challenger in the 2022 Magic Quadrant for Application Security Testing.

Additional details about our current features and capabilities can be viewed in our documentation.

• License scanning
• License approval policies
• License list

Strategy and Themes

We have five main themes in our software composition analysis strategy:

1. Shifting dependency scanning and license compliance left - Our goal is to provide Dependency Scanning and License Compliance as part of the standard development process. This means that Dependency Scanning and License Compliance are executed every time a new commit is pushed to a branch, identifying newly introduced vulnerabilities in the merge request. We also include Dependency Scanning and License Compliance as part of Auto DevOps.
2. Accurate component detection - Our goal is to be able to identify the correct dependencies and versions accurately for the languages that we support. For this reason, we attempt to build Java and Python projects before identifying dependencies so that we are not forced to guess which version in a version range is actually used in the final application.
3. Accurate license detection - Our goal is to support multiple license detection methods and to allow those methods to work together to identify licenses accurately. Eventually we would like to add support for full SPDX expressions so we can accurately handle packages with complex license scenarios.
4. Continuous scanning - Scanning for known vulnerabilities needs to be a continuous effort because the list of known vulnerabilities is constantly growing. To stay secure, users need a solution that will be updated constantly with the latest threat data.
5. Comprehensive license detection - Our goal is to continue to add data to our license database so we can cover both a high percentage of the total open source packages available for the languages that we support. Ideally we will achieve full coverage for the most popular packages for each language that we support.

1 year plan

What we recently completed

In GitLab 16.2 we added Dependency and License scanning support for NuGet v2.

What we are currently working on

During 16.4 we are working to address a number of high value improvements, most of which are focused on making our Operational Container Scanning solution more up-to-date and functional to meet the needs of our users.

Also, during 16.4 we are working toward introducing continuous vulnerability scans. This new method of scanning will have significantly better performance and will allow users to have their vulnerability results updated continuously as new advisories are added to our advisory database. This work is a prerequisite for a large number of other features on our roadmap. Once this work is completed, users will no longer need to run regular scheduled scans to have their vulnerability results updated for container images that have been scanned as part of the CI pipeline for their default branch.

What is next for us

Over the next few months, we plan on finishing the work for continuous vulnerability scans so we can release the feature to users.

Over the next few months, we plan to continue to improve and mature our new method of license scanning to make it a more reliable source of license information.

What is Not Planned Right Now

We currently do not have plans to add the following functionality during the next 12 months:

1. Support for runtime analysis of code execution to help filter out vulnerabilities that exist in code that is never executed. As a workaround, users can explore our partnership with Rezilion which allows for this type of analysis to be performed and the results sent into GitLab.
2. Expanded language support for the functionality that currently exists to automatically generate merge requests to update dependencies. As a workaround, users can use the open source Renovate project, which has an integration with GitLab.
3. Full support for advanced SPDX expressions
4. Automatic categorization of licenses by type

Best in Class Landscape

BIC (Best In Class) is an indicator of forecasted near-term market performance based on a combination of factors, including analyst views, market news, and feedback from the sales and product teams. It is critical that we understand where GitLab appears in the BIC landscape.

Key Capabilities

For this product area, these are the capabilities a best-in-class solution should provide:

1. The ability to accurately and comprehensively detect known vulnerabilities for both direct and transitive dependencies in a project.
2. Support for detecting vulnerabilities across a wide variety of programming languages.
3. A robust advisory database that is curated to reduce false positives and contains data from a variety of sources.
4. Support for shifting vulnerability results left into the IDE.
5. Support for identifying fix versions when available.
6. Support for viewing the hierarchical chain of dependencies (typically in a dependency graph or dependency tree) to allow developers to see which upstream dependency will needs to be updated to fix a downstream vulnerability.
7. Support for automation to help keep dependencies up-to-date.
8. Support for runtime analysis of code execution to help filter out vulnerabilities that exist in code that is never executed.
9. Extensive analysis of other risk factors (quality, supply chain security, maintenance, etc) beyond just security vulnerabilities.
10. The ability to accurately and comprehensively detect licenses for both direct and transitive dependencies in a project.
11. Support for detecting licenses across a wide variety of programming languages.
12. Support for multiple methods of detecting licenses (metadata, files, embedded licenses).
13. The ability to detect licenses for closed-source dependencies.
14. The ability to support both basic and complex SPDX expressions.
15. The ability to easily show legal and compliance teams the terms and conditions of licenses that are being included.
16. The ability to enforce policies prohibiting specific licenses from being used in an organization.
17. Reporting and filtering to allow users to easily see which licenses are already in use.
18. Automatic license classification to organize licenses into categories based on their terms and conditions.

This list represents some key capabilities of a comprehensive software composition analysis solution. Not all of these capabilities are currently supported by GitLab today.

Roadmap

Our prioritized roadmap can be viewed on our group direction page. Plans to move the category from Viable to Complete are tracked in GitLab.

Top Competitive Solutions

• Black Duck by Synopsys
• CA Veracode
• Contrast
• Datadog
• GitHub
• greenkeeper
• HCL AppScan
• JFrog Xray
• Micro Focus Fortify
• Snyk
• Sonatype Nexus
• Whitesource

Target Audience

Primary: Sasha (Software Developer) wants to know when adding a dependency if it has known vulnerabilities so alternate versions or dependencies can be considered.

Secondary: Amy (Application Security Engineer) and Isaac (Infrastructure Security Engineer) want to know what dependencies have known vulnerabilities, to be alerted if a new vulnerability is published for an existing component, and to know how behind current version the components are.

Other:

1. Cameron (Compliance Manager)
2. Devon (DevOps Engineer)
3. Sidney (Systems Administrator)
4. Delaney (Development Team Lead)

Pricing and Packaging

The GitLab Dependency Scanning features are all packaged as part of the GitLab Ultimate tier. This aligns with our pricing strategy as these features are relevant for executives who are concerned about keeping their organization secured from known vulnerabilities.

Analyst Landscape

Dependency Scanning and License Compliance are frequently bundled together with Container Scanning to provide an overall Software Composition Analysis (SCA) solution within the Application Security Testing (AST) market. GitLab was recently named as a Challenger in the 2022 Magic Quadrant for Application Security Testing.