Use Gitlab Security templates for ipoid. Planning to add npm audit template and any others that might apply.
Description
Details
- Due Date: Dec 29 2023, 6:00 AM

Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | kostajh | T337714 Migrate mediawiki/services/ipoid to GitLab
Open | | sbassett | T342177 [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work
Resolved | | mmartorana | T338238 Use Gitlab Security Pipeline for ipoid
Event Timeline
Just FYI, we need to address some issues with the GitLab-Application-Security-Pipeline, see: T338034. So there's a chance that some of the security includes might not be completely operational at this point. We hope to have a new, stable version of the security includes tagged soon.
@kostajh I created a merge request, however since there are vulnerabilities in the project, it won't be able to be merged at this point. The security team can change the security templates so that the security template doesn't cause the pipeline to stop or the project settings can be changed to allow merges without the pipeline passing. The preferred route would be to update the project so that the dependencies are no longer vulnerable. Let me know what you think, the security templates are still in the early phases of being used, so feedback is very welcome.
mstyles updated https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/8
Update .gitlab-ci.yml file - use nodejs osv security template
I agree with that. Unfortunately, it seems like we're blocked on T309772: npm audit reports several security issues with Service runner. So I am going to mark this task as stalled, and if/when we fix T309772, we can reopen the MR.
kharlan closed https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/8
Draft: Update .gitlab-ci.yml file - use nodejs osv security template
@kostajh alternatively we can continue to use the nodejs osv security template and allow it to fail until T309772 is fixed. I think if we don't use the security template now, it's unlikely to be added later. It would just be a manual process to skip over the nodejs osv security template until the final fix.
In my experience, if a CI job doesn't block a build on failure, eventually people stop looking at it, and then it's just adding to build times without providing value for that additional time.
If you, @Tchanders or @STran think that it is useful to add it as a non-blocking job, knowing that it is going to fail until we fix T309772: npm audit reports several security issues with Service runner, I don't have an objection to that.
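The non-blocking option discussed above, as an added illustration that is not ipoid's actual `.gitlab-ci.yml` and not part of this thread: a local job definition with the same name as a job from an included template merges with it, so `allow_failure: true` keeps the job running and visible on the MR without blocking the merge. The template project path, ref and job name are placeholders, since the thread does not give them.

```yaml
# Added example; placeholder include location and job name, not the real ones.
include:
  - project: 'PLACEHOLDER/security-templates'
    ref: 'PLACEHOLDER-stable-tag'   # pin a tagged release, not a moving branch
    file: '/includes/PLACEHOLDER-nodejs-osv.yml'

# Override of the included job (same job name as in the template):
# GitLab merges this block with the template's definition, so only
# allow_failure changes. The job still runs and reports findings on
# every MR, but a failure no longer blocks the merge.
# Delete this override once T309772 is fixed so the job blocks again.
PLACEHOLDER-nodejs-osv-job:
  allow_failure: true
```

The trade-off raised in the comment still applies: a job that is allowed to fail has to be checked by hand until the override is removed.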
mmartorana opened https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/196
Adding Essential Security CI Templates to gitlab-ci.yaml: Generic OSV, NPM Outdated, Semgrep, Secret-seeker
Hi @kostajh - I have created this merge request, please review it and let me know your thoughts.
As mentioned by @Mstyles earlier, this MR isn't yet mergeable. Please let us know what would be your preferred solution to proceed with the merge. Thanks.
dreamyjazz merged https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/196
Adding Essential Security CI Templates to gitlab-ci.yaml: Generic OSV, NPM Outdated, Semgrep, Secret-seeker
kharlan opened https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/205
gitlab-ci: Disable OSV template
stran merged https://gitlab.wikimedia.org/repos/mediawiki/services/ipoid/-/merge_requests/205
gitlab-ci: Remove security template
With the resolution of the above issue (T354723#9478839) and adding the osv_dependency_check security include (for now) to iPoid's CI config (MR208), I think we can call this initial task resolved.