Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 19 Apr 2023
GitLab / Secure Stage / 19 Apr 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Secure::Composition Analysis - Continuous Vulnerability Scanning for Dependency Scanning Demo

Description

This demo covers the changes that the Secure::Composition Analysis team is conducting as part of the continuous vulnerability scanning feature. If you'd like to learn more or track the progress of the work on Continuous Vulnerability Scanning for Dependency Scanning, see the epic below.

- Epic: https://gitlab.com/groups/gitlab-org/-/epics/9534

A

Hello: everyone, my name is Oscar Tovar and I'm, a back-end engineer on the composition, analysis team today, I will be demoing a preview of the work we are doing around continuous vulnerability scans in the context of dependency scanning The, Continuous, vulnerability scanning epic, that we're working on iterates. On the current dependency scanning approach.

A

It will allow customers to receive the latest matching advisories for a project without having to rerun a dependency scanning job The Advisory matching will be based on the components within Cyclone DX, as Bond reports to demonstrate this I have created a sample project here that uses a cyclone DX generated from a node.js npm project, as you can see, inside of the pipeline, I have declared a dependency scanning job that the script will only Echo out that it's running the upload of the Cyclone DX reports and Echo out the completion to signal that it's completed.

A

The reports will include anything that has this pattern here and if we go back to the files, you'll see that the repository has checked in only one Cyclone DX report.

A

If we open up the report, we'll see that this is a cyclone DX report version 1.4, it has the required fields and it has some extra properties that are used by the gitlab taxonomy, such as the file path that was scanned and the package manager that was used in this case. Npm further down you'll see that there are components so you'll have the ABAB component version 2.0.3.

A

And you'll see what type it is as well, which is a library, and if you keep this in mind, this is important, because we'll see this will be used inside of the merge request whenever we're doing the advisory matching.

A

So if we go to the merger Quest that I have opened here, we'll see that the dependency scanning job has run.

A

So, just as we had directed it to it has echoed the Cyclone DX completion has been upload, has been completed and we'll see that in the artifacts the report has been uploaded.

A

If we go back to the pipeline, View we'll see that the security tab has been populated, so this is for demonstration purposes, and this is these are not real advisories. But this is to give you an idea of how the concept of the concept of the continuous scanning will work. You will no longer need to actually detect the vulnerabilities in the scanning itself.

A

The vulnerabilities will be pulled in from matching advisories in the database that we will be, including within gitlab instances in the future.

A

This is very similar to the concept of license scanning, which we have recently enhanced as well, so that it uses the matching licenses for the s-bomb components.

A

If you took a look at the jobs, we had not declared any license scanning either and in this similar manner they are also included. The new licenses that were detected are also included, so I hope this has given you a good uh preview of what we will be working on and the enhancements that will be iterate, uh we'll be including in the future iterations. Thank you.