Merge branch '331050-make-trivy-the-default-container-scanning-analyzer' into 'master'

Replace klar with container-scanning See merge request gitlab-org/gitlab!61850

Merge branch '331050-make-trivy-the-default-container-scanning-analyzer' into 'master'
Replace klar with container-scanning See merge request gitlab-org/gitlab!61850
6faa1fe1 · charlie ablett · 4cb3eace · d3985e67 · 6faa1fe1 · 6faa1fe1
Commit 6faa1fe1 authored May 27, 2021 by charlie ablett
7 changed files
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
--- a/doc/user/application_security/offline_deployments/index.md
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -129,6 +129,10 @@ This method requires a runner with access to both `gitlab.com` (including
 to be able to use the `docker` command inside the jobs. This runner can be installed in a DMZ or on
 a bastion, and used only for this specific project.
+WARNING:
+This template does not include updates for the container scanning analyzer. Please see
+[Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment).
 #### Scheduling the updates
 By default, this project's pipeline runs only once, when the `.gitlab-ci.yml` is added to the
@@ -136,12 +140,6 @@ repository. To update the GitLab security scanners and signatures, it's necessar
 regularly. GitLab provides a way to [schedule pipelines](../../../ci/pipelines/schedules.md). For
 example, you can set this up to download and store the Docker images every week.
-Some images can be updated more frequently than others. For example, the [vulnerability database](https://hub.docker.com/r/arminc/clair-db/tags)
-for Container Scanning is updated daily. To update this single image, create a new Scheduled
-Pipeline that runs daily and set `SECURE_BINARIES_ANALYZERS` to `clair-vulnerabilities-db`. Only
-this job is triggered, and the image is updated daily and made available in the project
-registry.
 #### Using the secure bundle created
 The project using the `Secure-Binaries.gitlab-ci.yml` template should now host all the required

--- a/doc/user/application_security/vulnerabilities/index.md
+++ b/doc/user/application_security/vulnerabilities/index.md
@@ -186,7 +186,7 @@ The following vulnerability scanners and their databases are regularly updated:
 | Secure scanning tool                                            | Vulnerabilities database updates |
 |:----------------------------------------------------------------|----------------------------------|
-| [Container Scanning](../container_scanning/index.md)            | Uses either `trivy` or `clair`. For the `trivy` scanner, a job runs on a daily basis to build a new image with the latest vulnerability database updates from the [upstream `trivy-db`](https://github.com/aquasecurity/trivy-db). For the `clair` scanner, the latest `clair-db` version is used; `clair-db` database [is updated daily according to the author](https://github.com/arminc/clair-local-scan#clair-server-or-local). |
+| [Container Scanning](../container_scanning/index.md)            | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. |
 | [Dependency Scanning](../dependency_scanning/index.md)          | Relies on `bundler-audit` (for Ruby gems), `retire.js` (for npm packages), and `gemnasium` (the GitLab tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated at least once a week. See our [current measurement of time from CVE being issued to our product being updated](https://about.gitlab.com/handbook/engineering/development/performance-indicators/#cve-issue-to-update). |
 | [Dynamic Application Security Testing (DAST)](../dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/master/Dockerfile#L1). The scanning rules are downloaded at scan runtime. |
 | [Static Application Security Testing (SAST)](../sast/index.md)  | Relies exclusively on [the tools GitLab wraps](../sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. |

--- a/doc/user/application_security/vulnerabilities/severities.md
+++ b/doc/user/application_security/vulnerabilities/severities.md
@@ -62,10 +62,9 @@ the following tables:
 ## Container Scanning
-| GitLab scanner                                                        | Outputs severity levels? | Native severity level type | Native severity level example                                |
+| GitLab analyzer                                                        | Outputs severity levels? | Native severity level type | Native severity level example                                |
 |------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------|
-| [`clair`](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes   | String                     | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` |
+| [`container-scanning`](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)| **{check-circle}** Yes | String | `Unknown`, `Low`, `Medium`, `High`, `Critical` |
-| [`trivy`](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)| **{check-circle}** Yes | String | `Unknown`, `Low`, `Medium`, `High`, `Critical` |
 ## Fuzz Testing

--- a/ee/spec/lib/gitlab/ci/templates/container_scanning_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/container_scanning_gitlab_ci_yaml_spec.rb
@@ -47,7 +47,7 @@ RSpec.describe 'Container-Scanning.gitlab-ci.yml' do
        end
        it 'includes job' do
-          expect(build_names).to match_array(%w[container_scanning_new])
+          expect(build_names).to match_array(%w[container_scanning])
        end
      end

--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
 # Use this template to enable container scanning in your project.
-# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:` keyword.
+# You should add this template to an existing `.gitlab-ci.yml` file by using the `include:`
+# keyword.
 # The template should work without modifications but you can customize the template settings if
 # needed: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
 #
 # Requirements:
+# - A `test` stage to be present in the pipeline.
 # - You must define the image to be scanned in the DOCKER_IMAGE variable. If DOCKER_IMAGE is the
 #   same as $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG, you can skip this.
-# - Container registry credentials defined by `DOCKER_USER` and `DOCKER_PASSWORD` variables if the image to be scanned is in a private registry.
+# - Container registry credentials defined by `DOCKER_USER` and `DOCKER_PASSWORD` variables if the
+# image to be scanned is in a private registry.
 # - For auto-remediation, a readable Dockerfile in the root of the project or as defined by the
 #   DOCKERFILE_PATH variable.
 #
@@ -14,59 +17,27 @@
 # List of available variables: https://docs.gitlab.com/ee/user/application_security/container_scanning/#available-variables
 variables:
-  # Setting this variable will affect all Security templates (e.g.: SAST, Dependency Scanning)
+  CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:4
-  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-  CS_MAJOR_VERSION: 3  # The major version of the analyzer image to be used for scanning
-.cs_common:
+container_scanning:
-  stage: test
  image: "$CS_ANALYZER_IMAGE"
+  stage: test
  variables:
-    # Override the GIT_STRATEGY variable in your `.gitlab-ci.yml` file and set it to `fetch` if you want to provide a `clair-whitelist.yml`
+    # To provide a `vulnerability-allowlist.yml` file, override the GIT_STRATEGY variable in your
-    # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+    # `.gitlab-ci.yml` file and set it to `fetch`.
-    # for details
+    # For details, see the following links:
+    # https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
+    # https://docs.gitlab.com/ee/user/application_security/container_scanning/#vulnerability-allowlisting
    GIT_STRATEGY: none
-    # CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/$CS_PROJECT:$CS_MAJOR_VERSION
  allow_failure: true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
+    paths: [gl-container-scanning-report.json]
  dependencies: []
-container_scanning:
-  extends: .cs_common
-  variables:
-    # By default, use the latest clair vulnerabilities database, however, allow it to be overridden here with a specific image
-    # to enable container scanning to run offline, or to provide a consistent list of vulnerabilities for integration testing purposes
-    CLAIR_DB_IMAGE_TAG: "latest"
-    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
-    CS_PROJECT: 'klar'
-  services:
-    - name: $CLAIR_DB_IMAGE
-      alias: clair-vulnerabilities-db
-  script:
-    - /analyzer run
-  rules:
-    - if: $CONTAINER_SCANNING_DISABLED
-      when: never
-    - if: $CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
-          $CS_MAJOR_VERSION =~ /^[0-3]$/
-container_scanning_new:
-  extends: .cs_common
-  variables:
-    CS_ANALYZER_IMAGE: registry.gitlab.com/security-products/container-scanning:4
  script:
    - gtcs scan
-  artifacts:
-    paths: [gl-container-scanning-report.json]
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
-    - if: $CI_COMMIT_BRANCH &&
+    - if: $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
-          $GITLAB_FEATURES =~ /\bcontainer_scanning\b/ &&
-          $CS_MAJOR_VERSION !~ /^[0-3]$/
--- a/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
@@ -15,7 +15,6 @@ variables:
  SECURE_BINARIES_ANALYZERS: >-
    bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
    bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
-    klar, clair-vulnerabilities-db,
    license-finder,
    dast, api-fuzzing
@@ -161,28 +160,6 @@ kubesec:
    variables:
      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
          $SECURE_BINARIES_ANALYZERS =~ /\bkubesec\b/
-#
-# Container Scanning jobs
-#
-klar:
-  extends: .download_images
-  only:
-    variables:
-      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
-          $SECURE_BINARIES_ANALYZERS =~ /\bklar\b/
-  variables:
-    SECURE_BINARIES_ANALYZER_VERSION: "3"
-clair-vulnerabilities-db:
-  extends: .download_images
-  only:
-    variables:
-      - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
-          $SECURE_BINARIES_ANALYZERS =~ /\bclair-vulnerabilities-db\b/
-  variables:
-    SECURE_BINARIES_IMAGE: arminc/clair-db
-    SECURE_BINARIES_ANALYZER_VERSION: latest
 #
 # Dependency Scanning jobs