Handle vulnerabilities detected by dependency scanning
A scheduled pipeline runs the `dependency_scanning` job every night. The job adds newly detected vulnerabilities to the Omnibus Vulnerability Report, and a Slack notification is posted to `#g_distribution` when new vulnerabilities are found. Complete the following steps when you receive this notification.
- Visit the Omnibus Vulnerability Report and locate the vulnerability in question.
  - If the vulnerability is legitimate, use **Create Issue** to open a confidential issue for it, and change the vulnerability status to `Confirmed`.
  - If the vulnerability turns out to be a false positive, a duplicate, or otherwise not actionable, change the status to `Dismissed` instead.
- Label the issue with the required labels, including `For Scheduling`. The escalator automation then makes the GitLab Security team aware of the issue.
The Security team triages and schedules the issue with the help of Distribution.
If the issue is actionable for us, the Security team:
- Schedules the issue based on its severity and priority.
- Creates the needed merge requests (MRs) to target all relevant branches.
After the MR that fixes the vulnerability has been merged and the corresponding issue is closed:
- Visit the Omnibus Vulnerability Report.
- Locate the vulnerability and set its status to `Resolved`, if this has not already been done automatically.

If the issue is a no-op for our use case, set its status to `Dismissed` in the Vulnerability Report and close the corresponding issue.