A scheduled pipeline runs the dependency_scanning job nightly, and any new vulnerabilities it finds are added to the Omnibus Vulnerability Report. Slack notifications have been configured to inform #g_distribution when new vulnerabilities are detected. The steps below need to be followed once such a notification is received:
Visit the Omnibus Vulnerability Report and locate the appropriate vulnerability. If the vulnerability appears to be legitimate, use the Create Issue button to open a confidential issue in the omnibus-gitlab issue tracker. Additionally, change the vulnerability status to Confirmed. If it is a false positive, a duplicate, or otherwise not actionable, change the status to Dismissed.
Label the issue with the For Scheduling labels. The GitLab Security team will be made aware of the issue through the automation in place via escalator.
The Security team, with the help of Distribution, triages the issue and schedules it accordingly. If the issue is found to be actionable for us, it goes through the regular scheduling process based on its severity and priority and receives the necessary MRs (targeting master and the relevant backport stable branches).
Once the MR fixing the vulnerability has been merged and the corresponding issue closed, visit the Omnibus Vulnerability Report, locate the appropriate vulnerability, and set its status to Resolved if this has not already been done automatically.
If the issue is found to be a no-op for our use case, set its status to Dismissed in the Vulnerability Report page and close the corresponding issue.