Actions needed for customers running older versions of SAST and Gemnasium Dependency analyzer

DevSecOps
1

As surrounding information and the impact of Log4j is continuing to evolve, we encourage customers who have manually configured GitLab SAST or Dependency scanning to a specific older version, to update their GitLab SAST configuration and Gemnasium-Maven configuration. Additionally any customer operating GitLab SAST or Dependency Scanning in an offline environment should manually refresh their downloaded SAST and Dependency Scanning analyzer images following the instructions below.

To start leveraging the latest and patched versions of these analyzers please update your SAST and Dependency Scanning includes in your gitlab-ci.yml file to reference the latest versions. Follow one of the two solutions below to update your SAST and Dependency scanning analyzers:

Recommended solution

We highly encourage customers to leverage our recommended includes which is as simple as the following line in your gitlabci.yml file:

include:
    - template: Security/SAST.gitlab-ci.yml

Replacing your manual configuration with this template includes will automatically leverage the latest version of all GitLab’s SAST analyzers and keep them updated automatically.

The same is true of GitLab Dependency scanning. We highly encourage customers to leverage our recommended Dependency Scanning includes which is as simple as the following line in your gitlabci.yml file:

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

Alternative solution (major version pinning)

Alternatively, if you have manually set versions for specific reasons we encourage you to update your configurations to specify the latest patched versions of these analyzers, you can do that with the following gitlab-ci.yml code:

pmd-apex-sast:
    variables:
        SAST_ANALYZER_IMAGE_TAG: 2

spotbugs-sast:
    variables:
        SAST_ANALYZER_IMAGE_TAG: 2

Please note that these code changes will force the latest version of both PMD and Spotbugs to run automatically including any minor and patch version updates in the future.

Refreshes for customers operating GitLab in an offline environment

Also note that if you are operating GitLab in an offline environment, you likely need to refresh your own downloaded copy of these affected SAST analyzers, you can do that by following the instructions in our offline documentation.

4 Likes
2

@johncoghlan Thank you for a very detailed post.

We’re managing a team of ~50 developers and it’s difficult to know who uses what in GitLab. Given that we have access to the Gitlab server (self-managed) and the Admin Area, is there a way to check if someone uses these two features that you mentioned from an Admin user perspective?

Our current GitLab version is 13.0.14-ee

Thank you,
Ryan

3

Hi @ryanle,

thanks for asking. You can find the administrative settings in Security Configuration | GitLab

Additionally, you can see the configuration in the .gitlab-ci.yml file in the root of the project.

Cheers,
Michael

4

Thank you for getting back to me so quickly, @dnsmichi

  1. [Security Configuration] I couldn’t find the Security & Compliance in any of the projects from our Gitlab view
  2. [gitlab-ci.yml] None of our projects have this file, we have jobs that get kicked off upon merge request, and all of them are tagged with AutoDevOps.

Also, the minimum requirements for SAST and Dependency Scanning for offline and self-managed environment are

  1. GitLab Runner with the docker or kubernetes executor
  2. A Docker Container Registry with locally copied of SAST analyzer images / Dependency Scanning

Currently, the Docker Container Registry is not configured for our GitLab and we’re on Starter license
Is it safe to say that we don’t have to worry about the Log4j CVE 2021-44228 issue for our case?

I’ve tried to locate the section where it explains how to upgrade these two features but I could not find it…

Thank you,
Ryan

5

Thanks for asking. I’d suggest opening a support ticket as a starter tier customer, and share more details about your setup to verify you are not affected.

6

we are using Gitlab Version v13.12.9-ee, we didn’t enable SAST and Dependency scanning. Are we still impacted by this issue?