
Disable DS auto-remediate when FIPS mode

Fabien Catteau requested to merge fips-disable-ds-remediate into master

What does this MR do and why?

Disable Dependency Scanning Auto-remediation by setting DS_REMEDIATE to "false" when FIPS mode is enabled.

This implements https://gitlab.com/gitlab-org/gitlab/-/issues/366773+.

Auto-remediation uses yarn upgrade, which is not compatible with FIPS.

Screenshots or screen recordings

When CI_GITLAB_FIPS_MODE is true, DS_REMEDIATE is false, and there's no auto-remediation: https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/jobs/2676405227#L22

When CI_GITLAB_FIPS_MODE isn't set, there is auto-remediation: https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/jobs/2676405226#L24

How to set up and validate locally

On a GitLab instance where FIPS is enabled:

  1. Create a yarn project that depends on vulnerable packages.
  2. Include the CI template for Dependency Scanning.
  3. Trigger a pipeline.

The pipeline should have a gemnasium-dependency_scanning job, and the analyzer doesn't attempt auto-remediation. There's no failure for yarn upgrade in the log messages of the job.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Fabien Catteau
