Handle vulnerabilities detected by dependency scanning

A scheduled pipeline runs the dependency_scanning job every night. This job adds any newly detected vulnerabilities to the Vulnerability Report.

A Slack notification is posted to #g_distribution when new vulnerabilities are detected. Complete the following steps when you receive this notification.

  1. Visit the Omnibus Vulnerability Report and locate the appropriate vulnerability. If the vulnerability is legitimate:

    • Select Create Issue to open a confidential issue in the omnibus-gitlab issue tracker.
    • Change the vulnerability status to Confirmed. If the vulnerability turns out to be a false positive, duplicate, or otherwise not actionable, change the status to Dismiss.
  2. Label the issue with the security and For Scheduling labels. The escalator automation then makes the GitLab Security team aware of the issue.

  3. The Security team triages and schedules the issue with the help of Distribution.

  4. If the issue is actionable for us, the Security team:

    • Schedules the issue based on its severity and priority.
    • Creates the needed merge requests (MRs) to target all relevant branches.
  5. After the MR that fixes the vulnerability has been merged, and the corresponding issue is closed:

    • Visit the Omnibus Vulnerability Report.
    • Locate the appropriate vulnerability and set the status to Resolved if not already done automatically.
  6. If the issue is a no-op for our use case, set its status to Dismissed on the Vulnerability Report page and close the corresponding issue.