Air-gapped (offline) support for gemnasium analyzer (Dependency Scanning)
Problem to solve
Our gemnasium analyzer currently requires internet connectivity to run in its standard configuration. We should aim to support offline execution and provide clear documentation on how to configure it for such installations.
Intended users
Further details
Proposal
We need to change the Client in order to switch to a git clone/checkout of gemnasium-db instead of connecting to the Gemnasium API.
gemnasium-python and gemnasium-maven would directly benefit from the change after upgrading the gemnasium/v2 dependency in their respective Go modules.
We also need to exhaustively test each supported language to make sure all requirements of the corresponding analyzers are met.
| Language (package manager) | analyzer | air-gap support |
|---|---|---|
| Java (Gradle) | gemnasium-maven | |
| Java (Maven) | gemnasium-maven | |
| JavaScript (npm) | gemnasium | |
| JavaScript (yarn) | gemnasium | |
| PHP (Composer) | gemnasium | |
| Python (pip) | gemnasium-python | |
| Python (setuptools) | gemnasium-python | |
| Python (pipenv) | gemnasium-python | |
| Python (Pipfile.lock) | not available | |
| Python (poetry) | not available | |
| Ruby (gem) | gemnasium, bundler-audit | |
| Scala (sbt) | gemnasium | |
| Go (Go Modules) | gemnasium | |
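The proposal above replaces the API-backed Client with one that reads from a local git checkout of gemnasium-db. The following Go program is an added illustration of that seam, not code from the gemnasium project: an `AdvisorySource` interface, a `LocalCheckout` implementation that reads advisories from a directory tree, and a guard that rejects package names which would escape the database root (package names come from the scanned project's manifest, so they are untrusted even on an offline host). The `<packageType>/<packageName>/<id>.yml` layout, the `Advisory` field names and the flat `key: value` file format are assumptions made for the example; the sample advisories it writes are constructed placeholders.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Advisory holds the few fields this example reads from an advisory file.
// The field names are an assumption for this example, not the gemnasium-db schema.
type Advisory struct {
	Identifier    string
	PackageSlug   string
	AffectedRange string
	Title         string
}

// AdvisorySource is the seam the proposal describes: callers ask for advisories
// and do not care whether they come from a remote API or from disk.
type AdvisorySource interface {
	Advisories(packageType, packageName string) ([]Advisory, error)
}

// LocalCheckout serves advisories from a git clone transferred onto the
// air-gapped host. Assumed layout: <Root>/<packageType>/<packageName>/<id>.yml
type LocalCheckout struct {
	Root string
}

// packageDir resolves the advisory directory and refuses any package name that
// would escape Root (for example one containing ".." segments).
func packageDir(root, packageType, packageName string) (string, error) {
	root = filepath.Clean(root)
	dir := filepath.Join(root, packageType, filepath.FromSlash(packageName))
	rel, err := filepath.Rel(root, dir)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("package %s/%s resolves outside the database root", packageType, packageName)
	}
	return dir, nil
}

// Advisories lists every advisory file recorded for one package.
func (c LocalCheckout) Advisories(packageType, packageName string) ([]Advisory, error) {
	dir, err := packageDir(c.Root, packageType, packageName)
	if err != nil {
		return nil, err
	}
	entries, err := os.ReadDir(dir) // sorted by file name
	if errors.Is(err, fs.ErrNotExist) {
		return nil, nil // no advisories recorded for this package
	}
	if err != nil {
		return nil, err
	}
	var out []Advisory
	for _, e := range entries {
		if e.IsDir() || !strings.HasSuffix(e.Name(), ".yml") {
			continue
		}
		a, err := parseAdvisory(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.Name(), err)
		}
		out = append(out, a)
	}
	return out, nil
}

// parseAdvisory reads a flat "key: value" file. It only covers the constructed
// sample files below; real advisory files are YAML and need a YAML library.
func parseAdvisory(path string) (Advisory, error) {
	f, err := os.Open(path)
	if err != nil {
		return Advisory{}, err
	}
	defer f.Close()
	var a Advisory
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		switch strings.TrimSpace(key) {
		case "identifier":
			a.Identifier = val
		case "package_slug":
			a.PackageSlug = val
		case "affected_range":
			a.AffectedRange = val
		case "title":
			a.Title = val
		}
	}
	return a, sc.Err()
}

// WriteSampleDB writes a constructed two-advisory database under root so the
// example runs offline; the identifiers are placeholders, not real advisories.
func WriteSampleDB(root string) error {
	files := map[string]string{
		"npm/example-lib/EXAMPLE-0001.yml": "identifier: EXAMPLE-0001\npackage_slug: npm/example-lib\naffected_range: <1.2.0\ntitle: Placeholder advisory one\n",
		"npm/example-lib/EXAMPLE-0002.yml": "identifier: EXAMPLE-0002\npackage_slug: npm/example-lib\naffected_range: >=2.0.0 <2.0.5\ntitle: Placeholder advisory two\n",
	}
	for name, body := range files {
		path := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(path, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "gemnasium-db-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := WriteSampleDB(root); err != nil {
		panic(err)
	}
	var src AdvisorySource = LocalCheckout{Root: root}
	advisories, err := src.Advisories("npm", "example-lib")
	if err != nil {
		panic(err)
	}
	for _, a := range advisories {
		fmt.Printf("%s %s %s\n", a.Identifier, a.AffectedRange, a.Title)
	}
}
```

Scoped package names such as `@scope/name` map to nested directories under the package type, which is why the guard compares the resolved path against the root with `filepath.Rel` rather than simply rejecting slashes. The checkout should be pinned to a known commit when it is transferred, so that the advisories the analyzer sees offline are the ones that were reviewed.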
Permissions and Security
Documentation
- Make it explicit in the dependency scanning documentation (https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html) about air-gapped support and how to set it up. Outside of the scope of this issue; documentation to be handled in a separate issue: "Document air-gapped (offline) Dependency Scanning for on-prem instances".
- Document the changes introduced by this issue in the dependency scanning documentation. See !25883 (merged) for details.
Testing
TODO: if not already done, define a proper way to test the air-gapped environment, share it in the parent epic &1359 (closed) and try to reuse it across all similar issues as much as possible.
What does success look like, and how can we measure that?
Gemnasium analyzer is able to scan a project in an air-gapped environment.
What is the type of buyer?
Links / references