Add DS_IMAGE_SUFFIX to enable Gemnasium FIPS

Add CI variable DS_IMAGE_SUFFIX to the Dependency Scanning CI template. When DS_IMAGE_SUFFIX is set to "-fips", Dependency Scanning uses the Docker images of Gemnasium that are based on Red Hat UBI 8, and that are FIPS-enabled. Changelog: added

Add DS_IMAGE_SUFFIX to enable Gemnasium FIPS
Add CI variable DS_IMAGE_SUFFIX to the Dependency Scanning CI template. When DS_IMAGE_SUFFIX is set to "-fips", Dependency Scanning uses the Docker images of Gemnasium that are based on Red Hat UBI 8, and that are FIPS-enabled. Changelog: added
aaa62e9d · Fabien Catteau · Matija Čupić · a7246ba9 · aaa62e9d · aaa62e9d
Commit aaa62e9d authored Apr 15, 2022 by Fabien Catteau Committed by Matija Čupić Apr 15, 2022
2 changed files
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -579,6 +579,7 @@ The following variables allow configuration of global dependency scanning settin
 | `DS_EXCLUDED_ANALYZERS`      | Specify the analyzers (by name) to exclude from Dependency Scanning. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
 | `DS_DEFAULT_ANALYZERS`      | ([**DEPRECATED - use `DS_EXCLUDED_ANALYZERS` instead**](https://gitlab.com/gitlab-org/gitlab/-/issues/287691)) Override the names of the official default images. For more information, see [Dependency Scanning Analyzers](analyzers.md). |
 | `DS_EXCLUDED_PATHS`         | Exclude files and directories from the scan based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. Default: `"spec, test, tests, tmp"`. |
+| `DS_IMAGE_SUFFIX`           | Suffix added to the image name. If set to `-fips`, `FIPS-enabled` images are used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/354796) in GitLab 14.10. |
 | `SECURE_ANALYZERS_PREFIX`   | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
 | `SECURE_LOG_LEVEL`          | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. Default: `info`. |

@@ -659,6 +660,40 @@ you can use the `MAVEN_CLI_OPTS` CI/CD variable.

 Read more on [how to use private Maven repositories](../index.md#using-private-maven-repositories).

+#### FIPS-enabled images
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/354796) in GitLab 14.10.
+
+GitLab also offers [FIPS-enabled Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image)
+versions of the Gemnasium images. You can therefore replace standard images with FIPS-enabled images.
+
+To use FIPS-enabled images, set the `DS_IMAGE_SUFFIX` to `-fips`,
+and set `DS_EXCLUDED_ANALYZERS` to `bundler-audit, retire.js`
+to exclude the analyzers that don't support FIPS.
+
+```yaml
+variables:
+  DS_IMAGE_SUFFIX: "-fips"
+  DS_EXCLUDED_ANALYZERS: "bundler-audit, retire.js"
+```
+
+If you want to execute `bundler-audit` or `retire.js` in your project pipeline, you can override the
+Gemnasium scanning jobs, and set `DS_IMAGE_SUFFIX` to `-fips` only for those jobs.
+
+```yaml
+gemnasium-dependency_scanning:
+  variables:
+    DS_IMAGE_SUFFIX: "-fips"
+
+gemnasium-maven-dependency_scanning:
+  variables:
+    DS_IMAGE_SUFFIX: "-fips"
+
+gemnasium-python-dependency_scanning:
+  variables:
+    DS_IMAGE_SUFFIX: "-fips"
+```
+
 ## Interacting with the vulnerabilities

 Once a vulnerability is found, you can interact with it. Read more on how to

--- a/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
@@ -32,6 +32,16 @@ dependency_scanning:
 .ds-analyzer:
  extends: dependency_scanning
  allow_failure: true
+  variables:
+    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
+    # override the analyzer image with a custom value. This may be subject to change or
+    # breakage across GitLab releases.
+    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/$DS_ANALYZER_NAME:$DS_MAJOR_VERSION"
+    # DS_ANALYZER_NAME is an undocumented variable used in job definitions
+    # to inject the analyzer name in the image name.
+    DS_ANALYZER_NAME: ""
+  image:
+    name: "$DS_ANALYZER_IMAGE$DS_IMAGE_SUFFIX"
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  script:
@@ -46,13 +56,8 @@ gemnasium-dependency_scanning:
  extends:
    - .ds-analyzer
    - .cyclone-dx-reports
-  image:
-    name: "$DS_ANALYZER_IMAGE"
  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "gemnasium"
    GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
@@ -77,13 +82,8 @@ gemnasium-maven-dependency_scanning:
  extends:
    - .ds-analyzer
    - .cyclone-dx-reports
-  image:
-    name: "$DS_ANALYZER_IMAGE"
  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "gemnasium-maven"
    # Stop reporting Gradle as "maven".
    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
    DS_REPORT_PACKAGE_MANAGER_MAVEN_WHEN_JAVA: "false"
@@ -105,13 +105,8 @@ gemnasium-python-dependency_scanning:
  extends:
    - .ds-analyzer
    - .cyclone-dx-reports
-  image:
-    name: "$DS_ANALYZER_IMAGE"
  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "gemnasium-python"
    # Stop reporting Pipenv and Setuptools as "pip".
    # See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
    DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
@@ -138,13 +133,8 @@ gemnasium-python-dependency_scanning:

 bundler-audit-dependency_scanning:
  extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "bundler-audit"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
@@ -158,13 +148,8 @@ bundler-audit-dependency_scanning:

 retire-js-dependency_scanning:
  extends: .ds-analyzer
-  image:
-    name: "$DS_ANALYZER_IMAGE"
  variables:
-    # DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
+    DS_ANALYZER_NAME: "retire.js"
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never