GitLab Security Department, 23 Jun 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: 2021 06 23 GitLab Inventory Builder update

Description

Philippe Lafoucrière's weekly update on the GitLab Inventory Build.

Links:

- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/

A

Hello, I'm philipp lafourcher from the security department, and this is my weekly update on the github inventory builder. It is june 23rd and to give you a reminder of what the gitlab inventory builder is about it's a project that we develop uh as part of the the appsec sub department uh and the idea is to generate a complete inventory of all the projects that are involved at some point in the sdrc, so the software development lifecycle of gitlab itself.

A

So we want to be able to track all the changes that would occur on the projects involved in the development, the build the shipment deployments of gitlab itself and especially the dependencies that vulnerabilities around these projects, uh also the ci configurations and the projects configuration stem cells.

A

So this week is a short week. We have a weekly day where I live, um going to share real quick, where I am today.

A

There we go: let's make that a bit bigger, maybe all right, so we just added a new flag. It's not actually a new command, it's a new flag to be able to sync uh just the set three of the the world tree. So as a reminder, everything is stored in this data folder and we follow uh the same naming of the engine as what we have on gitlab.com here. It could absolutely work with uh with your self-hosted instance as well.

A

So in this case I just want to synchronize this uh gitlab terminal project, and if I do that, it's going to download the dependencies of this project, the norbit is because it's a project that is involved.

A

That's what we call the pro the project project. It's involved at some point in again the sdrc of gitlab, and so that's why we want to keep an eye on the dependencies and different libraries, and once I do that, it's going to store dependencies and vulnerabilities in the data tree directly and I created a new script to update and to create and update a local database. It's an sqlite database that we will use for a lot of different queries and also to generate reports.

A

um So it's going to work the tree and look for dependencies vulnerabilities and all that kind of things and store that in local sqlites db that we have here and so from there. We can start running some basic queries like uh fetching all the dependencies for the github terminal project. Here we are limiting that to 10. So that's why you don't have everything, but you get the id you can see here. Some some go dependencies.

A

We would have brilliant race dependencies if, if we were using a rebound race in this project through a gen 5 dot lock.

A

Similarly, we can also query uh vulnerabilities here we're just uh covering some low vulnerabilities because it's a prediction data, so I just don't want to show too much it's a perfect video um and that's interesting because we can start also uh joining tabbers uh together. So we will be able to there's reports with pretty much what we want.

A

I'm using sq lite utils to generate these reports. We can also use this tool to run the same queries and directly generate some json outputs so that we can digest that into oppa. If we want to run some some policies check, um that's where I am next week, I'm going to start generating the the html reports from the data that we have in this db and publish that as part of the the pipeline. So that's all I have for you today, thanks for watching and see you next week.