February 16, 2022
3 min read

Introducing a community-driven advisory database for third-party software dependencies

The advisory data can be readily adopted, adapted, and exchanged. Learn more here.


GitLab provides a Dependency Scanning feature that automatically detects vulnerabilities in your software dependencies. Dependency Scanning covers various programming languages and relies on the GitLab Advisory Database, which is updated periodically by the Vulnerability Research team at GitLab. The GitLab Advisory Database covers security advisories in software packages that have a CVE identifier, as well as malicious packages marked as such by their ecosystem (example). The database is an essential part of the Dependency Scanning feature, which is available in GitLab Ultimate self-managed and GitLab Ultimate SaaS.

GitLab recently also started providing a free and open-source version of the database, the GitLab Advisory Database (Open Source Edition), a time-delayed (+30 days) clone of the GitLab Advisory Database.

In the spirit of Collaboration and Transparency, two of the GitLab core values, we share the database with the open-source community in a format that is well-documented and can be easily parsed. The advisory data can be readily adopted, adapted, and exchanged. For example, links to proofs of concept or write-ups, or any other directly related information that will benefit the community, can be added to the urls array:

urls:
  - "https://hackerone.com/reports/1104077"
  - "https://nvd.nist.gov/vuln/detail/CVE-2021-28965"
  - "https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/"

Additionally, in our advisories we use the Common Weakness Enumeration (CWE) in conjunction with the Common Vulnerability Scoring System (CVSS) as a standard means of communicating vulnerabilities, as well as their impact/severity, internally and externally.

The GitLab Advisory Database is integrated into GitLab Dependency Scanning. Once an existing advisory is modified or a new advisory is created, the information included in the advisory appears in the Vulnerability Pages, where findings/vulnerabilities originating from all security scanners, including Dependency Scanning, can be managed in a central place.

The open-source database has recently been integrated into Trivy, a free and open-source solution for container scanning. We are very grateful for community contributions to the GitLab Advisory Database. Our community has aided us by suggesting improvements to our data or by creating entirely new advisories, allowing everyone to benefit from their contributions.

At GitLab, everyone can contribute. The Vulnerability Research team at GitLab has made it easy to contribute to both databases.

Community contributions can be made available in advisories-community instantaneously by means of the recently introduced community-sync flag. Using this synchronization, you can make the same contribution appear in both databases at the time of a Merge Request (within one hour after the merge).

We have also used this flag to make the advisories concerning the recent Log4Shell vulnerabilities available to the community immediately after these were made public. Even though the open-source version of the database is time-delayed, particular vulnerabilities that have the potential to become widespread and cause disruptions to the entire Internet are pushed into the open-source version of the GitLab security advisory database without delay.

Cover image by Charles Deluvio on Unsplash
