Commit aaa62e9d authored by Fabien Catteau's avatar Fabien Catteau Committed by Matija Čupić

Add DS_IMAGE_SUFFIX to enable Gemnasium FIPS

Add CI variable DS_IMAGE_SUFFIX to the Dependency Scanning CI template.
When DS_IMAGE_SUFFIX is set to "-fips", Dependency Scanning uses
the Docker images of Gemnasium that are based on Red Hat UBI 8,
and that are FIPS-enabled.

Changelog: added
parent a7246ba9
......@@ -579,6 +579,7 @@ The following variables allow configuration of global dependency scanning settin
| `DS_EXCLUDED_ANALYZERS` | Specify the analyzers (by name) to exclude from Dependency Scanning. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
| `DS_DEFAULT_ANALYZERS` | ([**DEPRECATED - use `DS_EXCLUDED_ANALYZERS` instead**](https://gitlab.com/gitlab-org/gitlab/-/issues/287691)) Override the names of the official default images. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
| `DS_EXCLUDED_PATHS` | Exclude files and directories from the scan based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. Default: `"spec, test, tests, tmp"`. |
| `DS_IMAGE_SUFFIX` | Suffix added to the image name. If set to `-fips`, `FIPS-enabled` images are used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/354796) in GitLab 14.10. |
| `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
| `SECURE_LOG_LEVEL` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. Default: `info`. |
......@@ -659,6 +660,40 @@ you can use the `MAVEN_CLI_OPTS` CI/CD variable.
Read more on [how to use private Maven repositories](../index.md#using-private-maven-repositories).
#### FIPS-enabled images
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/354796) in GitLab 14.10.
GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
versions of the Gemnasium images. You can therefore replace standard images with FIPS-enabled images.
To use FIPS-enabled images, set the `DS_IMAGE_SUFFIX` to `-fips`,
and set `DS_EXCLUDED_ANALYZERS` to `bundler-audit, retire.js`
to exclude the analyzers that don't support FIPS.
```yaml
variables:
DS_IMAGE_SUFFIX: "-fips"
DS_EXCLUDED_ANALYZERS: "bundler-audit, retire.js"
```
If you want to execute `bundler-audit` or `retire.js` in your project pipeline, you can override the
Gemnasium scanning jobs, and set `DS_IMAGE_SUFFIX` to `-fips` only for those jobs.
```yaml
gemnasium-dependency_scanning:
variables:
DS_IMAGE_SUFFIX: "-fips"
gemnasium-maven-dependency_scanning:
variables:
DS_IMAGE_SUFFIX: "-fips"
gemnasium-python-dependency_scanning:
variables:
DS_IMAGE_SUFFIX: "-fips"
```
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
......
......@@ -32,6 +32,16 @@ dependency_scanning:
.ds-analyzer:
extends: dependency_scanning
allow_failure: true
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/$DS_ANALYZER_NAME:$DS_MAJOR_VERSION"
# DS_ANALYZER_NAME is an undocumented variable used in job definitions
# to inject the analyzer name in the image name.
DS_ANALYZER_NAME: ""
image:
name: "$DS_ANALYZER_IMAGE$DS_IMAGE_SUFFIX"
# `rules` must be overridden explicitly by each child job
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
script:
......@@ -46,13 +56,8 @@ gemnasium-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "gemnasium"
GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
......@@ -77,13 +82,8 @@ gemnasium-maven-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "gemnasium-maven"
# Stop reporting Gradle as "maven".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
......@@ -105,13 +105,8 @@ gemnasium-python-dependency_scanning:
extends:
- .ds-analyzer
- .cyclone-dx-reports
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "gemnasium-python"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
......@@ -138,13 +133,8 @@ gemnasium-python-dependency_scanning:
bundler-audit-dependency_scanning:
extends: .ds-analyzer
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "bundler-audit"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
......@@ -158,13 +148,8 @@ bundler-audit-dependency_scanning:
retire-js-dependency_scanning:
extends: .ds-analyzer
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
DS_ANALYZER_NAME: "retire.js"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment