Dependency Scanning is a technique that identifies project dependencies and checks them against known, publicly disclosed vulnerabilities that may affect the main application.
Applications declare which packages they require and which versions are used. Dependency Scanning leverages a database of known vulnerabilities to check whether any of these dependencies are insecure, and notifies that a package upgrade is needed.
Dependency Scanning depends heavily not only on the programming language but also on the package manager. Different package managers have different repositories and different ways of tracking versions.
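The mechanics described above, as an added illustration rather than GitLab's analyzer code: pick a parser from the manifest filename (the package manager detection), resolve each dependency to a pinned version, and compare that version against an advisory database of affected version ranges, reporting the first fixed version as the upgrade target. The advisory database, advisory identifiers and manifest contents below are all constructed for the example; the version ranges follow the common `[introduced, fixed)` convention, and unpinned requirements are reported separately because they cannot be resolved without querying the package index.

```python
"""Minimal dependency scanner: parse manifests, match against an advisory DB."""
import json
import re

# Constructed advisory database (the identifiers are NOT real CVEs).
# Each advisory covers versions in [introduced, fixed); "fixed" is the
# first safe version, so it doubles as the recommended upgrade target.
ADVISORIES = {
    "pypi": {
        "examplelib": [
            {"id": "EXAMPLE-2019-0001", "introduced": "1.0.0", "fixed": "1.4.2"},
        ],
    },
    "npm": {
        "sample-parser": [
            {"id": "EXAMPLE-2018-0007", "introduced": "0.0.0", "fixed": "2.3.0"},
            {"id": "EXAMPLE-2019-0012", "introduced": "3.0.0", "fixed": "3.1.1"},
        ],
    },
}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically.

    Versions are padded to three components so '1.4' equals '1.4.0'.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def parse_requirements(text):
    """requirements.txt: only exactly pinned lines (name==x.y.z) are resolvable."""
    deps, unresolved = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][\w.]*)$", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
        else:
            unresolved.append(line)  # a range such as 'pkg>=1.0' needs the index
    return deps, unresolved


def parse_package_lock(text):
    """package-lock.json (lockfileVersion 1): the top-level "dependencies" map."""
    data = json.loads(text)
    deps = {name: info["version"] for name, info in data.get("dependencies", {}).items()}
    return deps, []  # a lockfile pins every version, nothing is left unresolved


# Package manager detection: the manifest filename selects ecosystem and parser.
PARSERS = {
    "requirements.txt": ("pypi", parse_requirements),
    "package-lock.json": ("npm", parse_package_lock),
}


def scan(filename, text):
    """Return (findings, unresolved) for one manifest file."""
    if filename not in PARSERS:
        raise ValueError(f"unsupported package manager manifest: {filename}")
    ecosystem, parser = PARSERS[filename]
    deps, unresolved = parser(text)
    findings = []
    for name, version in deps.items():
        v = parse_version(version)
        for adv in ADVISORIES[ecosystem].get(name, []):
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({
                    "package": name,
                    "version": version,
                    "advisory": adv["id"],
                    "upgrade_to": adv["fixed"],
                })
    return findings, unresolved


# Constructed sample manifests.
REQUIREMENTS_TXT = """# constructed sample requirements file
examplelib==1.3.0
otherlib==2.0.0   # not in the advisory database
unpinned>=1.0     # a range, not a pinned version: cannot be resolved offline
"""

PACKAGE_LOCK_JSON = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "sample-parser": {"version": "2.1.0"},
        "unaffected-pkg": {"version": "1.0.0"},
    },
})

if __name__ == "__main__":
    for fname, content in [("requirements.txt", REQUIREMENTS_TXT),
                           ("package-lock.json", PACKAGE_LOCK_JSON)]:
        findings, unresolved = scan(fname, content)
        print(fname, findings, "unresolved:", unresolved)
```

A real analyzer does the same matching but against a maintained advisory feed and with the package manager's own version semantics (pre-release tags, epochs, PEP 440 normalisation), which is exactly where the per-language and per-package-manager effort described above goes.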
Our goal is to provide Dependency Scanning as part of the standard development process. This means that Dependency Scanning is executed every time a new commit is pushed to a branch. We also include Dependency Scanning as part of Auto DevOps.
We also want to make the complexity of Dependency Scanning completely transparent to users. GitLab is able to automatically detect the package manager and to extract the information. We want to increase language coverage by including support for the most common languages.
GitLab should also be able to check whether a vulnerable function is really used by the application, and provide that information so vulnerabilities can be prioritized better.
Dependency Scanning results can be consumed in the merge request, where only new vulnerabilities, introduced by the new code, are shown. A full report is available in the pipeline details page.
Dependency Scanning results are also part of the Security Dashboard, where Security Teams can check the security status.
Auto Remediate leverages Dependency Scanning to provide a solution for vulnerabilities that can be applied to fix the codebase. In the future, GitLab will apply it automatically.
Dependency Scanning can also be included in a bill of materials (BOM), where all the components are listed with their security status. See https://gitlab.com/gitlab-org/gitlab-ee/issues/7476 for additional details.
We want people to always have the most recent job definition for Dependency Scanning. This is very important in order to benefit from all the new updates we are shipping. Auto DevOps is one solution, but users may need explicit jobs for their projects. That is why it is important to provide a simple way to keep job definitions up to date.
The next MVC is to support multi-module Maven projects out of the box.
The Dependency Scanning topic is often coupled with License Management, and the combination is named Software Composition Analysis (SCA). This is what analysts evaluate, and how it is bundled in other products.
We should make sure that we can address the entire category even though we consider these two features independent, and leverage the single-application nature of GitLab to provide a consistent experience across both of them.
Analysts are showing interest in Auto Remediation as the key feature that makes Dependency Scanning really actionable for users. We can invest to increase our coverage.