Actions needed for customers running older versions of SAST and Gemnasium Dependency analyzer

As surrounding information and the impact of Log4j continue to evolve, we encourage customers who have manually configured GitLab SAST or Dependency Scanning to a specific older version to update their GitLab SAST configuration and Gemnasium-Maven configuration. Additionally, any customer operating GitLab SAST or Dependency Scanning in an offline environment should manually refresh their downloaded SAST and Dependency Scanning analyzer images following the instructions below.

To start leveraging the latest and patched versions of these analyzers, please update your SAST and Dependency Scanning includes in your gitlab-ci.yml file to reference the latest versions. Follow one of the two solutions below to update your SAST and Dependency Scanning analyzers:

Recommended solution

We highly encourage customers to leverage our recommended includes, which is as simple as the following lines in your gitlab-ci.yml file:

include:
  - template: Security/SAST.gitlab-ci.yml

Replacing your manual configuration with this template include will automatically leverage the latest version of all GitLab’s SAST analyzers and keep them updated automatically.

The same is true of GitLab Dependency Scanning. We highly encourage customers to leverage our recommended Dependency Scanning includes, which is as simple as the following lines in your gitlab-ci.yml file:

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

Alternative solution (major version pinning)

Alternatively, if you have manually set versions for specific reasons, we encourage you to update your configurations to specify the latest patched versions of these analyzers; you can do that with the following gitlab-ci.yml code:

pmd-apex-sast:
    variables:
        SAST_ANALYZER_IMAGE_TAG: 2
spotbugs-sast:
    variables:
        SAST_ANALYZER_IMAGE_TAG: 2

Please note that these code changes will force the latest version of both PMD and SpotBugs to run automatically, including any minor and patch version updates in the future.

Refreshes for customers operating GitLab in an offline environment

Also note that if you are operating GitLab in an offline environment, you likely need to refresh your own downloaded copy of these affected SAST analyzers; you can do that by following the instructions in our offline documentation.

4 Likes
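For administrators who want to check many projects' gitlab-ci.yml files for the includes and the SAST_ANALYZER_IMAGE_TAG pins described in the post above, here is an added example audit script (not GitLab's own tooling). It assumes the two template names and the major tag "2" for pmd-apex-sast and spotbugs-sast from the post, and uses a deliberately small line-based reader so it runs without PyYAML; the sample CI file it scans is constructed for the example.

```python
"""Audit gitlab-ci.yml text for security template includes and pinned
analyzer image tags. Added example, not GitLab code; no PyYAML needed."""
import re

# Template includes recommended in the post above.
SECURITY_TEMPLATES = {
    "Security/SAST.gitlab-ci.yml": "SAST",
    "Security/Dependency-Scanning.gitlab-ci.yml": "Dependency Scanning",
}
# Major tags the post names for these two analyzers (assumption: other
# analyzers are only reported, never judged, as the post gives no tag for them).
EXPECTED_MAJOR = {"pmd-apex-sast": "2", "spotbugs-sast": "2"}

JOB_RE = re.compile(r"^([A-Za-z0-9_.\-]+):\s*$")           # top-level key
TEMPLATE_RE = re.compile(r"^\s*-\s*template:\s*(\S+)")
TAG_RE = re.compile(r"^\s+SAST_ANALYZER_IMAGE_TAG:\s*['\"]?([\w.\-]+)")

def audit(ci_yaml: str) -> dict:
    """Return enabled templates, pinned tags per job, and stale-pin findings.
    A tag under a global top-level 'variables:' block is reported as job 'variables'."""
    templates, pins, findings = [], {}, []
    job = None
    for line in ci_yaml.splitlines():
        m = JOB_RE.match(line)
        if m:
            job = m.group(1)           # 'include', a job name, 'variables', ...
            continue
        m = TEMPLATE_RE.match(line)
        if m and job == "include":
            if m.group(1) in SECURITY_TEMPLATES:
                templates.append(SECURITY_TEMPLATES[m.group(1)])
            continue
        m = TAG_RE.match(line)
        if m and job:
            pins[job] = m.group(1)
    for job, tag in pins.items():
        major = tag.split(".")[0].split("-")[0]
        if "." in tag:   # full version pin: never picks up patched releases
            findings.append(f"{job}: fully pinned to {tag}; will not receive patched releases")
        elif job in EXPECTED_MAJOR and major != EXPECTED_MAJOR[job]:
            findings.append(f"{job}: pinned to major {tag}, post recommends {EXPECTED_MAJOR[job]}")
    return {"templates": templates, "pins": pins, "findings": findings}

# Constructed sample: both templates enabled, SpotBugs still fully pinned.
SAMPLE_CI = """\
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

spotbugs-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2.20.0
pmd-apex-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
"""
```

Run audit() over the .gitlab-ci.yml of each project (for example, fetched with the GitLab API or from a clone) and review the findings list; projects with no templates and no pins do not run these analyzers through their own CI file.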

@johncoghlan Thank you for a very detailed post.

We’re managing a team of ~50 developers and it’s difficult to know who uses what in GitLab. Given that we have access to the GitLab server (self-managed) and the Admin Area, is there a way to check, from an Admin user perspective, if someone uses these two features that you mentioned?

Our current GitLab version is 13.0.14-ee.

Thank you,
Ryan

Hi @ryanle,

Thanks for asking. You can find the administrative settings in Security Configuration | GitLab.

Additionally, you can see the configuration in the .gitlab-ci.yml file in the root of the project.

Cheers,
Michael

Thank you for getting back to me so quickly, @dnsmichi.

  1. [Security Configuration] I couldn’t find Security & Compliance in any of the projects from our GitLab view.
  2. [gitlab-ci.yml] None of our projects have this file; we have jobs that get kicked off upon merge request, and all of them are tagged with AutoDevOps.

Also, the minimum requirements for SAST and Dependency Scanning in offline and self-managed environments are:

  1. GitLab Runner with the docker or kubernetes executor
  2. A Docker Container Registry with locally copied SAST analyzer / Dependency Scanning images

Currently, the Docker Container Registry is not configured for our GitLab and we’re on a Starter license.
Is it safe to say that we don’t have to worry about the Log4j CVE-2021-44228 issue in our case?

I’ve tried to locate the section where it explains how to upgrade these two features but I could not find it…

Thank you,
Ryan

Thanks for asking. I’d suggest opening a support ticket as a Starter tier customer and sharing more details about your setup to verify you are not affected.

We are using GitLab version v13.12.9-ee, and we didn’t enable SAST and Dependency Scanning. Are we still impacted by this issue?