From YouTube: Continuous Vulnerability Scanning | Scanning a project's dependencies on advisory changes
Description
In this video, Oscar Tovar, Senior Backend Engineer on the Composition Analysis team, demos an upcoming feature: Continuous Vulnerability Scanning. With Continuous Vulnerability Scanning, detecting new vulnerabilities in existing components will no longer require re-running a dependency scanning job. Instead, existing software components will automatically be analyzed to see if they are affected by a new advisory.
----
Epic: https://gitlab.com/groups/gitlab-org/-/epics/10025
Hello everyone, my name is Oscar Tovar and I'm a back-end engineer on the Composition Analysis team here at GitLab. Today I'm going to be demonstrating some work that we've been doing on Continuous Vulnerability Scanning. For some context, Continuous Vulnerability Scanning is the feature that we're working on where, upon ingesting a new advisory, or for example when an advisory is released for a CVE... I will be linking the Epic that covers this in the description, but for now I will go ahead and cover the demonstration.

So the way this will work is, I want to demonstrate this by showing that we have a project here that is an Express web app, and this particular Express web app uses a vulnerable version of Express. If you can see here on the right-hand side of my terminal, any version of Express before 4.17.3 is vulnerable to the CVE.

And we can verify that it's indeed using version 4.17.2, so this particular project does have a vulnerable component that we have registered and are internally tracking. So as soon as I execute this, it should pick up the advisory and create a vulnerability for it. So I'll go ahead and do that, and sure enough, I went ahead and did that and it created a new advisory. So let's go ahead and check the advisories for it.

And we can see here that it has the same description from before, and we can see exactly which project it was found in and the tool that it was found by. In this case it was Dependency Scanning, because it's a vulnerable dependency of the project, and the scanner used, which in this case is the GitLab SBOM vulnerability scanner, which correlates the SBOM components with known vulnerable SBOM components that are sourced from advisories.

This still has the same features, such as the links to the CVE itself. So if you want to go ahead and take a look at that, we can also go ahead and look at it here and get more in-depth detail from various sources such as NVD, and we can also see specifically which vulnerable package was used, such as, in this case, Express 4.17.2. And yeah, so this has been a preview of what we're working on and we'll be shipping soon. Thank you.
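The correlation step described in the demo (stored SBOM components checked against a newly ingested advisory's affected range, without re-running a pipeline), as an added example. This is not GitLab's code and not the scanner shown in the video; it is illustrative Ruby written for this page. The `Component`, `Advisory` and `Finding` structs, the constraint syntax (`<4.17.3`, `>=4.0.0,<4.17.3`), the advisory identifier `ADV-EXAMPLE-1` and every component record below are constructed assumptions, not data from the project or from any real advisory feed.

```ruby
# Added example, not GitLab's code: advisory-triggered matching of stored SBOM
# components. All data and the constraint syntax are constructed for illustration.

# What dependency scanning already recorded for a project (one SBOM component).
Component = Struct.new(:project, :purl_type, :name, :version)

# A newly ingested advisory: ecosystem, package name, and an affected range
# written as comma-separated constraints (assumed syntax, e.g. ">=4.0.0,<4.17.3").
Advisory = Struct.new(:id, :purl_type, :name, :affected_range)

# The vulnerability record to create when a stored component is affected.
Finding = Struct.new(:project, :advisory_id, :name, :version)

# Parse one constraint such as "<4.17.3" into [operator, Gem::Version].
# Gem::Version is used so that 4.17.10 compares numerically (string comparison
# would wrongly treat "4.17.10" as less than "4.17.3").
def parse_constraint(str)
  m = str.strip.match(/\A(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)\z/) or
    raise ArgumentError, "unsupported constraint #{str.inspect}"
  [m[1] || "=", Gem::Version.new(m[2])]
end

# True when the version satisfies every constraint in the range (AND semantics).
def affected?(version, range)
  v = Gem::Version.new(version)
  range.split(",").all? do |constraint|
    op, bound = parse_constraint(constraint)
    case op
    when "<"  then v < bound
    when "<=" then v <= bound
    when ">"  then v > bound
    when ">=" then v >= bound
    else           v == bound
    end
  end
end

# Entry point for advisory ingestion: walk the already-stored components rather
# than re-scanning the projects, and emit a Finding for each affected one.
# Ecosystem (purl type) is matched as well as name, so an unrelated package that
# happens to share the name in another ecosystem is not flagged.
def scan_on_advisory(components, advisory)
  components
    .select { |c| c.purl_type == advisory.purl_type && c.name == advisory.name }
    .select { |c| affected?(c.version, advisory.affected_range) }
    .map    { |c| Finding.new(c.project, advisory.id, c.name, c.version) }
end

# Constructed sample data: several projects' stored components.
STORED_COMPONENTS = [
  Component.new("express-web-app", "npm",  "express", "4.17.2"), # affected (< 4.17.3)
  Component.new("other-api",       "npm",  "express", "4.17.3"), # fixed version
  Component.new("newer-service",   "npm",  "express", "4.18.1"), # above the bound
  Component.new("legacy-service",  "npm",  "express", "4.16.4"), # affected
  Component.new("py-tool",         "pypi", "express", "0.1.0"),  # different ecosystem
].freeze

# Constructed advisory mirroring the demo's "any version before 4.17.3" range.
EXAMPLE_ADVISORY = Advisory.new("ADV-EXAMPLE-1", "npm", "express", "<4.17.3")

if __FILE__ == $0
  scan_on_advisory(STORED_COMPONENTS, EXAMPLE_ADVISORY).each do |f|
    puts "#{f.project}: #{f.name}@#{f.version} affected by #{f.advisory_id}"
  end
end
```

The design point is that the advisory, not a pipeline run, is the trigger: the only inputs are the component inventory already persisted from earlier scans and the new advisory's package identity and range. Real advisory feeds express affected ranges in their own schemas (introduced/fixed events, multiple ranges per advisory), so the single constraint list here is a simplification of that step.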