From YouTube: 2021 06 23 GitLab Inventory Builder update
Description
Philippe Lafoucrière's weekly update on the GitLab Inventory Builder.
Links:
- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/
Hello, I'm Philippe Lafoucrière from the security department, and this is my weekly update on the GitLab Inventory Builder. It is June 23rd, and to give you a reminder of what the GitLab Inventory Builder is about: it's a project that we develop as part of the AppSec sub-department, and the idea is to generate a complete inventory of all the projects that are involved at some point in the SDLC, so the software development lifecycle of GitLab itself.

So we want to be able to track all the changes that would occur on the projects involved in the development, the build, the shipment, the deployments of GitLab itself, and especially the dependencies and vulnerabilities around these projects, also the CI configurations and the projects' configuration themselves.

So this week is a short week. We have a holiday where I live, so I'm going to share real quick where I am today.

There we go. Let's make that a bit bigger, maybe. All right, so we just added a new flag. It's not actually a new command, it's a new flag to be able to sync just a subtree of the whole tree. So as a reminder, everything is stored in this data folder and we follow the same naming as what we have on gitlab.com here. It could absolutely work with your self-hosted instance as well.

So in this case I just want to synchronize this gitlab-terminal project, and if I do that, it's going to download the dependencies of this project, because it's a project that is involved.

That's what we call a project: it's involved at some point, again, in the SDLC of GitLab, and so that's why we want to keep an eye on the dependencies and different libraries. And once I do that, it's going to store dependencies and vulnerabilities in the data tree directly, and I created a new script to create and update a local database. It's an SQLite database that we will use for a lot of different queries and also to generate reports.

So it's going to walk the tree and look for dependencies, vulnerabilities and all that kind of things and store that in the local SQLite DB that we have here, and so from there we can start running some basic queries, like fetching all the dependencies for the gitlab-terminal project. Here we are limiting that to 10, so that's why you don't have everything, but you get the idea. You can see here some Go dependencies.

Similarly, we can also query vulnerabilities. Here we're just covering some low vulnerabilities because it's production data, so I just don't want to show too much; it's a public video. And that's interesting because we can start also joining tables together, so we will be able to build reports with pretty much what we want.

I'm using sqlite-utils to generate these reports. We can also use this tool to run the same queries and directly generate some JSON outputs so that we can digest that into OPA, if we want to run some policy checks. That's where I am. Next week I'm going to start generating the HTML reports from the data that we have in this DB and publish that as part of the pipeline. So that's all I have for you today. Thanks for watching and see you next week.
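As an added example (not code from the GIB project; the data-tree layout, file names and JSON field names are constructed assumptions, and it uses the standard sqlite3 module rather than sqlite-utils), here is a small script that does what the update describes: walk a per-project data tree into a local SQLite database, then join the dependencies and vulnerabilities tables for one project into JSON-ready findings that a policy engine such as OPA could consume.

```python
import json
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample tree; layout data/<namespace>/<project>/<kind>.json and field names are assumptions
SAMPLE_TREE = {
    "gitlab-org/gitlab-terminal/dependencies.json": [
        {"name": "example.org/lib-a", "version": "1.4.2", "ecosystem": "go"},
        {"name": "example.org/lib-b", "version": "0.9.0", "ecosystem": "go"},
    ],
    "gitlab-org/gitlab-terminal/vulnerabilities.json": [
        {"dependency": "example.org/lib-b", "id": "EXAMPLE-0001", "severity": "low"},
    ],
}
# Whitelisted table names and column order: only these file stems become tables or SQL fragments
TABLES = {
    "dependencies": ("name", "version", "ecosystem"),
    "vulnerabilities": ("dependency", "id", "severity"),
}

def build_db(root: Path) -> sqlite3.Connection:
    """Walk the tree and load each <kind>.json into the table of that name."""
    conn = sqlite3.connect(":memory:")
    for table, cols in TABLES.items():
        conn.execute(f"CREATE TABLE {table} (project, {', '.join(cols)})")
    for path in sorted(root.glob("*/*/*.json")):
        cols = TABLES.get(path.stem)
        if cols is None:  # not part of the schema: skip it
            continue
        project = f"{path.parent.parent.name}/{path.parent.name}"
        rows = [(project, *[r[c] for c in cols]) for r in json.loads(path.read_text())]
        conn.executemany(f"INSERT INTO {path.stem} VALUES ({','.join('?' * (len(cols) + 1))})", rows)
    return conn

def vulnerable_dependencies(conn: sqlite3.Connection, project: str) -> list:
    """Join the two tables for one project, the 'joining tables' step from the video."""
    rows = conn.execute(
        "SELECT d.name, d.version, v.id, v.severity FROM dependencies d "
        "JOIN vulnerabilities v ON v.project = d.project AND v.dependency = d.name "
        "WHERE d.project = ? ORDER BY d.name", (project,)).fetchall()
    return [dict(zip(("name", "version", "id", "severity"), r)) for r in rows]

def demo() -> list:
    # Write the constructed tree to a temp dir, build the DB, and return the join result
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        for rel, records in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(json.dumps(records))
        return vulnerable_dependencies(build_db(root), "gitlab-org/gitlab-terminal")
```

`json.dumps(demo())` gives the JSON document a policy check would be fed; only lib-b appears, since lib-a has no matching vulnerability row.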