GitLab Advisory Database

The GitLab Advisory Database serves as a repository for security advisories related to software dependencies.

The database is an essential component of both Dependency Scanning and Container Scanning.

A free and open-source version of the GitLab Advisory Database is also available as GitLab Advisory Database (Open Source Edition). However, there is a 30-day delay in updates.

Standardization

In our advisories, we adopt standardized practices to effectively communicate vulnerabilities and their impact.

Explore the database

To view the database content, go to the GitLab Advisory Database home page. On the home page you can:

  • Search the database, by identifier, package name, and description.
  • View advisories that were added recently.
  • View statistical information, including coverage and update frequency.

Each advisory has a page with the following details:

  • Identifiers: Public identifiers. For example, CVE ID, GHSA ID, or the GitLab internal ID (GMS-<year>-<nr>).
  • Package Slug: Package type and package name separated by a slash.
  • Vulnerability: A short description of the security flaw.
  • Description: A detailed description of the security flaw and potential risks.
  • Affected Versions: The affected versions.
  • Solution: How to remediate the vulnerability.
  • Last Modified: The date when the advisory was last modified.

Statistics

The home page also offers a statistic section that provides valuable insights into advisory distribution, the origins of vulnerabilities, dependency scanning coverage, and timelines for vulnerability resolution.

Open Source Edition

GitLab provides a free and open-source version of the database, the GitLab Advisory Database (Open Source Edition).

The open-source version is a time-delayed clone of the GitLab Advisory Database, MIT-licensed and contains all advisories from the GitLab Advisory Database that are older than 30 days or with the community-sync flag.

Integrations

note
GitLab Advisory Database Terms prohibit the use of data contained in the GitLab Advisory Database by third-party tools. Third-party integrators can use the MIT-licensed, time-delayed repository clone instead.

How the database can be used

As an example, we highlight the use of the database as a source for an Advisory Ingestion process as part of Continuous Vulnerability Scans.

flowchart TB subgraph Dependency Scanning A[GitLab Advisory Database] end subgraph Container Scanning C[GitLab Advisory Database \n Open Source Edition \n integrated into Trivy] end A --> B{Ingest} C --> B B --> |store| D{{"Cloud Storage \n (NDJSON format)"}} F[\GitLab Instance/] --> |pulls data| D F --> |stores| G[(Relational Database)]

Maintenance

The Vulnerability Research team is responsible for the maintenance and regular updates of the GitLab Advisory Database and the GitLab Advisory Database (Open Source Edition).

Community contributions are accessible in advisories-community via the community-sync flag.

Contributing to the vulnerability database

If you know about a vulnerability that is not listed, you can contribute to the GitLab Advisory Database by either opening an issue or submit the vulnerability.

For more information, see Contribution Guidelines.

License

The GitLab Advisory Database is freely accessible in accordance with the GitLab Advisory Database Terms.