This blog post is Unfiltered

Dependency Scanning relies on the GitLab Vulnerability Database (called gemnasium-db) to provide it with the latest advisory data (for example, CVEs). Dependency Scanning docker images are built and released with the latest version of the database, and in addition the analyzers update this database to the latest version at the time of a scan.

However, starting with version 2.8.1 of the Dependency Scanning analyzer called gemnasium, the vulnerability database was not updating itself at scan time. Versions between v2.8.1 (released 2020-03-30) and v2.28.0 (released 2021-02-03) are affected by this bug. As a result, since the introduction of the bug, scan results could only identify advisories published on or before the analyzer image release date. In some cases this meant that the advisories known to the Dependency Scanning analyzers were several weeks out of date, because the analyzers relied only on the database checked out at image build time.

We are concerned that this bug made it out to customers and are performing a root cause analysis.

Most customers will receive the bug fix automatically and will have the latest advisory database the next time their Dependency Scanning jobs run. But customers with their own copy of the GitLab container registry, or dedicated runners with a docker pull policy other than `always`, must manually pull the latest image or update their pin to the latest image (or at least to one that is not impacted by this bug). Users that must take this manual action are:

The three analyzer types that are affected are the gemnasium, gemnasium-python, and gemnasium-maven analyzers. The affected versions of each are:

TL;DR - If you are using Dependency Scanning analyzers and are not always pulling their docker images from GitLab's docker container registry, please update your analyzers' docker images promptly so that the analyzers are synced with the latest available advisories.
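To help decide whether a given analyzer image reference needs the manual action described above, here is an added example (not code from the post or from GitLab) that parses a pinned image reference, checks the tag against the affected range given in this post, and combines that with the runner's pull policy. It assumes the affected range is inclusive at both ends (the post does not say whether v2.28.0 itself is fixed), and the image references in the test are constructed samples.

```python
"""Classify Dependency Scanning analyzer image refs against the affected range."""
import re
from typing import Optional, Tuple

# Affected range as stated in the post: v2.8.1 .. v2.28.0.
# Assumption: both ends inclusive; adjust AFFECTED_LAST if 2.28.0 is the fix.
AFFECTED_FIRST = (2, 8, 1)
AFFECTED_LAST = (2, 28, 0)
AFFECTED_ANALYZERS = {"gemnasium", "gemnasium-python", "gemnasium-maven"}


def parse_image(ref: str) -> Tuple[str, Optional[str]]:
    """Return (image name, tag) from a reference; tag is None when absent."""
    ref = ref.split("@", 1)[0]          # drop any @sha256:... digest suffix
    name_tag = ref.rsplit("/", 1)[-1]   # keep only the last path component
    if ":" in name_tag:
        name, tag = name_tag.split(":", 1)
        return name, tag
    return name_tag, None


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Parse a full 'X.Y.Z' (optionally 'vX.Y.Z') tag; None for floating tags."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def classify(ref: str) -> str:
    """One of: not-a-ds-analyzer, floating-tag, affected, not-affected."""
    name, tag = parse_image(ref)
    if name not in AFFECTED_ANALYZERS:
        return "not-a-ds-analyzer"
    version = parse_version(tag) if tag else None
    if version is None:
        return "floating-tag"           # e.g. no tag, 'latest', or major-only '2'
    if AFFECTED_FIRST <= version <= AFFECTED_LAST:
        return "affected"
    return "not-affected"


def needs_manual_action(ref: str, pull_policy: str) -> bool:
    """True when the image must be re-pulled or its pin updated.

    A pinned affected tag needs a new pin regardless of pull policy; a floating
    tag is only refreshed automatically when the runner pull policy is 'always'.
    """
    verdict = classify(ref)
    if verdict == "affected":
        return True
    return verdict == "floating-tag" and pull_policy.strip().lower() != "always"
```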
