GitLab Continuous Vulnerability Scans, 7 Sep 2023

Previous Meeting

Next Meeting

⏯

youtube image

►

From YouTube: Continuous Vulnerability Scanning | Scanning a project's dependencies on advisory changes

Description

In this video, Oscar Tovar Senior Backend Engineer on the Composition Analysis team demos an upcoming feature of Continuous Vulnerability Scanning. With Continuous Vulnerability Scanning, detecting new vulnerabilities in existing components will no longer require re-running a dependency scanning job. Instead, existing software components will be automatically be analyzed to see if they are affected by a new advisory.

----

Epic: https://gitlab.com/groups/gitlab-org/-/epics/10025

A

Hello: everyone, my name, is Oscar Tovar and I'm, a back-end engineer on the composition, analysis team here at gitlab today, I'm going to be demonstrating some work that we've been doing on continuous vulnerability scanning for some context. Continuous on a reality scanning is the feature that we're working on where upon ingesting a new advisory or in, for example, an advisory is released for a cve.

A

We will begin to scan projects for that specific advisory.

A

I will be linking the Epic that covers this in the description, but for now I will go ahead and cover the demonstration. So the way this this will work is we're going to have uh I want to demonstrate this by showing that we have a project here. That has a that is an Express web app and the specific particular Express web app uses a vulnerable version of Express.

A

If you can see here on the right hand, side of my terminal, any version of Express before 4.17.3 uh is vulnerable to the cve.

A

So if we look in here, I have specified that I use express 4.17.2 and if we look at the package lock Json, we can also go ahead and look at that. There.

A

And we can verify that it's indeed using version 4.17.2, so this particular project does have a vulnerable component that we have registered and we are internally tracking. So as soon as I execute this, it should pick up the advisory and create a vulnerability for it. So I'll go ahead and do that and sure enough I'm going to go ahead and did that and it created a new advisory. So let's go ahead and check the advisories for it.

A

So let's go ahead and check the vulnerabilities for this project, so if we go ahead and verify now, if we go to the vulnerability report here of the same express.js web app previously, there is nothing here and if we visit the report, you'll see now that there is indeed a newly detected vulnerability here.

A

um We can open it up some more and we can see that this was found inside of the package, save uh package log Json file, and if you pardon me, it's still compiling the assets for displaying this webpage.

A

And we can see here that it has the same description from before and we can see exactly which project it was found in the tool that it was found by. In this case it was dependency scanning, because it's a vulnerable dependency of the project and the scanner use, which in this case is the gitlab, has spawn vulnerability scanner, which correlates the s-bomb components with known vulnerable s-pumps components that are sourced from advisories.

A

This still has the same same features such as the links to the CV itself. So if you want to go ahead and take a look at that, we can also go ahead and look at it here and get more in-depth detail from various sources such as nvd, and we can also see specifically which vulnerable package which used was used. Excuse me, such as in this case Express, 4.17.2 and yeah, so this has been a preview of what we're working on and we'll be uh shipping uh soon. Thank you.