| stage | group | info |
|---|---|---|
Secure |
Vulnerability Research |
To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments |
The GitLab Advisory Database serves as a repository for security advisories related to software dependencies. It is updated on an hourly basis with the latest security advisories.
The database is an essential component of both Dependency Scanning and Container Scanning.
A free and open-source version of the GitLab Advisory Database is also available as GitLab Advisory Database (Open Source Edition). However, there is a 30-day delay in updates.
In our advisories, we adopt standardized practices to effectively communicate vulnerabilities and their impact.
To view the database content, go to the GitLab Advisory Database home page. On the home page you can:
- Search the database, by identifier, package name, and description.
- View advisories that were added recently.
- View statistical information, including coverage and update frequency.
Each advisory has a page with the following details:
- Identifiers: Public identifiers. For example, CVE ID, GHSA ID, or the GitLab internal ID (
GMS-<year>-<nr>). - Package Slug: Package type and package name separated by a slash.
- Vulnerability: A short description of the security flaw.
- Description: A detailed description of the security flaw and potential risks.
- Affected Versions: The affected versions.
- Solution: How to remediate the vulnerability.
- Last Modified: The date when the advisory was last modified.
GitLab provides a free and open-source version of the database, the GitLab Advisory Database (Open Source Edition).
The open-source version is a time-delayed clone of the GitLab Advisory Database, MIT-licensed and contains all advisories from the GitLab Advisory Database that are older than 30 days or with the community-sync flag.
- Dependency Scanning
- Container Scanning
- Third-party tools
NOTE: GitLab Advisory Database Terms prohibit the use of data contained in the GitLab Advisory Database by third-party tools. Third-party integrators can use the MIT-licensed, time-delayed repository clone instead.
As an example, we highlight the use of the database as a source for an Advisory Ingestion process as part of Continuous Vulnerability Scans.
%%{init: { "fontFamily": "GitLab Sans" }}%%
flowchart TB
accTitle: Advisory ingestion process
accDescr: Sequence of actions that make up the advisory ingestion process.
subgraph Dependency Scanning
A[GitLab Advisory Database]
end
subgraph Container Scanning
C[GitLab Advisory Database \n Open Source Edition \n integrated into Trivy]
end
A --> B{Ingest}
C --> B
B --> |store| D{{"Cloud Storage \n (NDJSON format)"}}
F[\GitLab Instance/] --> |pulls data| D
F --> |stores| G[(Relational Database)]
The Vulnerability Research team is responsible for the maintenance and regular updates of the GitLab Advisory Database and the GitLab Advisory Database (Open Source Edition).
Community contributions are accessible in advisories-community via the community-sync flag.
If you know about a vulnerability that is not listed, you can contribute to the GitLab Advisory Database by either opening an issue or submit the vulnerability.
For more information, see Contribution Guidelines.
The GitLab Advisory Database is freely accessible in accordance with the GitLab Advisory Database Terms.