Unverified commit 2e81909e, authored by Russell Dickenson, committed by GitLab

Merge branch 'add_information_in_regards_to_codechange' into 'master'

Update documentation to clarify the creation of vulnerabilities via CVS

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166895



Merged-by: Russell Dickenson <rdickenson@gitlab.com>
Approved-by: Russell Dickenson <rdickenson@gitlab.com>
Co-authored-by: Zamir Martins Filho <zfilho@gitlab.com>
...@@ -21,7 +21,7 @@ DETAILS: ...@@ -21,7 +21,7 @@ DETAILS:
Continuous Vulnerability Scanning looks for security vulnerabilities in your project's dependencies by comparing their component names and versions against information in the latest [security advisories](#security-advisories). Continuous Vulnerability Scanning looks for security vulnerabilities in your project's dependencies by comparing their component names and versions against information in the latest [security advisories](#security-advisories).
When [security advisories](#security-advisories) are added or updated, Continuous Vulnerability Scanning triggers a scan on all projects where components with [supported package types](#supported-package-types) exist. If an advisory affects a dependency, Continuous Vulnerability Scanning creates a vulnerability in the project. [New vulnerabilities may arise](#checking-new-vulnerabilities) when Continuous Vulnerability Scanning triggers scans on all projects that contain components with [supported package types](#supported-package-types).
Vulnerabilities created by Continuous Vulnerability Scanning use `GitLab SBoM Vulnerability Scanner` as the scanner name. Vulnerabilities created by Continuous Vulnerability Scanning use `GitLab SBoM Vulnerability Scanner` as the scanner name.
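Review bot: the replacement sentence in the middle of this hunk loses the two facts the removed line stated, namely that a scan is triggered when a security advisory is added or updated, and that a vulnerability is created only if the advisory affects a dependency; "New vulnerabilities may arise when Continuous Vulnerability Scanning triggers scans" tells the reader neither when scans run nor what produces a vulnerability, and defers all of it to the `#checking-new-vulnerabilities` anchor. Suggest keeping the trigger in the intro, for example "When security advisories are added or updated, Continuous Vulnerability Scanning scans all projects that contain components with supported package types; see [checking new vulnerabilities](#checking-new-vulnerabilities) for when a vulnerability is created." Also confirm that the anchor resolves to an existing heading, as no heading with that name is visible in this diff.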
...@@ -32,14 +32,6 @@ In contrast to CI-based security scans, Continuous Vulnerability Scanning is exe ...@@ -32,14 +32,6 @@ In contrast to CI-based security scans, Continuous Vulnerability Scanning is exe
- A project with dependencies [supported](#supported-package-types) by Continuous Vulnerability Scanning. See [how to generate a CycloneDX SBOM report](#how-to-generate-a-cyclonedx-sbom-report). - A project with dependencies [supported](#supported-package-types) by Continuous Vulnerability Scanning. See [how to generate a CycloneDX SBOM report](#how-to-generate-a-cyclonedx-sbom-report).
- [Security advisories](#security-advisories) synchronized to the GitLab instance. - [Security advisories](#security-advisories) synchronized to the GitLab instance.
NOTE:
If a new component is detected and an advisory for it already exists, a vulnerability is **only** created if either of the following are true:
- The component is generated from [dependency scanning related reports](../dependency_scanning/index.md#cyclonedx-software-bill-of-materials).
- The [feature flag](../../../administration/feature_flags.md) `cvs_for_container_scanning` is enabled, and the component is generated from [container scanning related reports](../container_scanning/index.md#cyclonedx-software-bill-of-materials).
Support for this feature can be tracked in [epic 8026](https://gitlab.com/groups/gitlab-org/-/epics/8026).
## Supported package types ## Supported package types
Continuous Vulnerability Scanning supports components with the following [PURL types](https://github.com/package-url/purl-spec/blob/346589846130317464b677bc4eab30bf5040183a/PURL-TYPES.rst): Continuous Vulnerability Scanning supports components with the following [PURL types](https://github.com/package-url/purl-spec/blob/346589846130317464b677bc4eab30bf5040183a/PURL-TYPES.rst):
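Review bot: the removed NOTE block also carried "Support for this feature can be tracked in epic 8026", and that pointer is not re-added anywhere in this change, while the `cvs_for_container_scanning` feature flag it refers to is still documented in the new scenario list further down. Suggest keeping the epic link next to the feature flag bullet so readers can find the flag's status and rollout progress.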
...@@ -80,8 +72,16 @@ GitLab offers security analyzers that can generate a report [compatible](../../. ...@@ -80,8 +72,16 @@ GitLab offers security analyzers that can generate a report [compatible](../../.
New vulnerabilities detected by Continuous Vulnerability Scanning are visible on the [Vulnerability Report](../vulnerability_report/index.md). New vulnerabilities detected by Continuous Vulnerability Scanning are visible on the [Vulnerability Report](../vulnerability_report/index.md).
However, they are not listed on the [Dependency List](../dependency_list/index.md) or in the pipeline where the affected SBOM component was detected. However, they are not listed on the [Dependency List](../dependency_list/index.md) or in the pipeline where the affected SBOM component was detected.
After a security advisory is published, it might take a few hours before the corresponding vulnerabilities are added to your projects. Only advisories Vulnerabilities are created according to the following scenarios:
published within the last 14 days are considered for Continuous Vulnerability Scanning.
- After a [security advisory](#security-advisories) is added or updated, it may take a few hours for the corresponding vulnerabilities to be added to your projects,
provided the code base remains unchanged. Only advisories published within the last 14 days are considered for Continuous Vulnerability
Scanning.
- For existing [security advisories](#security-advisories), a vulnerability is **only** created if a new component is detected and either of the following conditions are true:
- The component is listed in a CycloneDX SBOM generated by [Dependency Scanning](../dependency_scanning/index.md#cyclonedx-software-bill-of-materials).
- The [feature flag](../../../administration/feature_flags.md) `cvs_for_container_scanning` is enabled, and the component is listed in a CycloneDX SBOM generated by [Container Scanning](../container_scanning/index.md#cyclonedx-software-bill-of-materials).
## When vulnerabilities are no longer detected ## When vulnerabilities are no longer detected
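Review bot: in the second bullet, "either of the following conditions are true" should be "is true" (either takes a singular verb); the removed NOTE had the same slip, so this is the place to fix it. In the first bullet, "provided the code base remains unchanged" reads as a restriction on when vulnerabilities are added, whereas the contrast with the second bullet (which depends on a new component being detected) suggests the intent is that no code change or new pipeline is needed for this scenario; if so, say that directly, for example "even if the code base has not changed". The sentence it replaces used "might take a few hours"; keep "might" for possibility rather than "may". Minor: avoid wrapping "Continuous Vulnerability / Scanning" across a line break.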