Commit 00c08cc5 authored by Mark Florian, committed by Evan Read

Update/expand docs for the Dependency List

These changes align the docs with the features introduced in [1].

See also the [issue tracking the documentation changes][2].

[1]: https://gitlab.com/gitlab-org/gitlab-ee/issues/10077
[2]: https://gitlab.com/gitlab-org/gitlab-ee/issues/12986
parent ee9f0bb7
...@@ -354,6 +354,7 @@ The following documentation relates to the DevOps **Secure** stage: ...@@ -354,6 +354,7 @@ The following documentation relates to the DevOps **Secure** stage:
| Secure Topics | Description | | Secure Topics | Description |
|:------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------| |:------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------|
| [Container Scanning](user/application_security/container_scanning/index.md) **(ULTIMATE)** | Use Clair to scan docker images for known vulnerabilities. | | [Container Scanning](user/application_security/container_scanning/index.md) **(ULTIMATE)** | Use Clair to scan docker images for known vulnerabilities. |
| [Dependency List](user/application_security/dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. |
| [Dependency Scanning](user/application_security/dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. | | [Dependency Scanning](user/application_security/dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](user/application_security/dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. | | [Dynamic Application Security Testing (DAST)](user/application_security/dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. |
| [Group Security Dashboard](user/application_security/security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all the projects in a group and its subgroups. | | [Group Security Dashboard](user/application_security/security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all the projects in a group and its subgroups. |
......
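
Review bot: The new Dependency List row reads almost the same as the Dependency Scanning row directly below it ("Analyze your dependencies for known vulnerabilities."), so the table does not tell a reader how the two entries differ. Consider wording that makes the relationship explicit, for example "View the dependencies found by Dependency Scanning and their known vulnerabilities."
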
...@@ -11,7 +11,7 @@ Every call to this endpoint requires authentication. To perform this call, user ...@@ -11,7 +11,7 @@ Every call to this endpoint requires authentication. To perform this call, user
## List project dependencies ## List project dependencies
Get a list of project dependencies. This API partially mirroring Get a list of project dependencies. This API partially mirroring
[Dependency List](../user/application_security/dependency_scanning/index.md#dependency-list) feature. [Dependency List](../user/application_security/dependency_list/index.md) feature.
This list can be generated only for [languages and package managers](../user/application_security/dependency_scanning/index.md#supported-languages-and-package-managers) This list can be generated only for [languages and package managers](../user/application_security/dependency_scanning/index.md#supported-languages-and-package-managers)
supported by Gemnasium. supported by Gemnasium.
......
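
Review bot: The context line just above the changed link, "This API partially mirroring", is not a complete sentence, and since this hunk already edits that sentence it is a good moment to fix it to "This API partially mirrors the [Dependency List](../user/application_security/dependency_list/index.md) feature." It would also help to say which parts are mirrored, because "partially" leaves API consumers guessing what the endpoint omits compared with the UI.
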
# Dependency List **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/10075) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0.
The Dependency list allows you to see your project's dependencies, and key
details about them, including their known vulnerabilities. To see it,
navigate to **Security & Compliance > Dependency List** in your project's
sidebar.
## Requirements
1. The [Dependency Scanning](../dependency_scanning/index.md) CI job must be
configured for your project.
1. Your project uses at least one of the
[languages and package managers](../dependency_scanning/index.md#supported-languages-and-package-managers)
supported by Gemnasium.
## Viewing dependencies
![Dependency List](img/dependency_list_v12_2.png)
Dependencies are displayed with the following information:
| Field | Description |
| --------- | ----------- |
| Status | Displays whether or not the dependency has any known vulnerabilities |
| Component | The dependency's name |
| Version | The exact locked version of the dependency your project uses |
| Packager | The packager used to install the depedency |
| Location | A link to the packager-specific lockfile in your project that declared the dependency |
Dependencies shown are initially sorted by their names. They can also be sorted
by the packager they were installed by, or by the severity of their known
vulnerabilities.
There is a second list under the `Vulnerable components` tab displaying only
those dependencies with known vulnerabilities. If there are none, this tab is
disabled.
### Vulnerabilities
If a dependency has known vulnerabilities, they can be viewed by clicking on the
`Status` cell of that dependency. The severity and description of each
vulnerability will then be displayed below it.
## Downloading the Dependency List
Your project's full list of dependencies and their details can be downloaded in
`JSON` format by clicking on the download button.
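
Review bot: The "Viewing dependencies" section of the new page does not say which pipeline run the list is built from, so a reader cannot tell whether the `Status` column reflects the most recent scan or an older one; a sentence stating where the data comes from belongs next to the Requirements list. Two smaller points: in the Packager row "depedency" should be "dependency", and the two Requirements items are conditions rather than ordered steps, so a bulleted list would read better than `1.` / `1.`.
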
...@@ -327,16 +327,11 @@ Once a vulnerability is found, you can interact with it. Read more on how to ...@@ -327,16 +327,11 @@ Once a vulnerability is found, you can interact with it. Read more on how to
For more information about the vulnerabilities database update, check the For more information about the vulnerabilities database update, check the
[maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database). [maintenance table](../index.md#maintenance-and-update-of-the-vulnerabilities-database).
## Dependency List ## Dependency List **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/10075) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.0. An additional benefit of Dependency Scanning is the ability to view your
project's dependencies and their known vulnerabilities. Read more about
An additional benefit of Dependency Scanning is the ability to get a list of your the [Dependency List](../dependency_list/index.md).
project's dependencies with their versions. This list can be generated only for
[languages and package managers](#supported-languages-and-package-managers)
supported by Gemnasium.
To see the generated dependency list, navigate to your project's **Security & Compliance > Dependency List**.
## Versioning and release process ## Versioning and release process
......
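
Review bot: On the changed heading, `## Dependency List **(ULTIMATE)**`, please confirm that adding the tier badge leaves the `#dependency-list` anchor intact, since the API page linked to `dependency_scanning/index.md#dependency-list` until this commit and other pages may still do so. The removed "Introduced" note and the Gemnasium restriction both reappear on the new page, so nothing is lost by shortening this section.
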
...@@ -25,6 +25,7 @@ GitLab can scan and report any vulnerabilities found in your project. ...@@ -25,6 +25,7 @@ GitLab can scan and report any vulnerabilities found in your project.
| Secure scanning tool | Description | | Secure scanning tool | Description |
|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------| |:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------|
| [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. | | [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. |
| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. |
| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. | | [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. | | [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. |
| [License Management](license_management/index.md) **(ULTIMATE)** | Search your project's dependencies for their licenses. | | [License Management](license_management/index.md) **(ULTIMATE)** | Search your project's dependencies for their licenses. |
......
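
Review bot: The new row sits in a table whose first column is headed "Secure scanning tool", but the Dependency List is described as a view ("View your project's dependencies and their known vulnerabilities.") rather than a scanner. Either note in the description that it is populated by Dependency Scanning, or rename the column so that it covers features that only present scan results.
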
...@@ -99,6 +99,7 @@ When you create a project in GitLab, you'll have access to a large number of ...@@ -99,6 +99,7 @@ When you create a project in GitLab, you'll have access to a large number of
- [NPM packages](packages/npm_registry.md): your private NPM package registry in GitLab. **(PREMIUM)** - [NPM packages](packages/npm_registry.md): your private NPM package registry in GitLab. **(PREMIUM)**
- [Code owners](code_owners.md): specify code owners for certain files **(STARTER)** - [Code owners](code_owners.md): specify code owners for certain files **(STARTER)**
- [License Management](../application_security/license_management/index.md): approve and blacklist licenses for projects. **(ULTIMATE)** - [License Management](../application_security/license_management/index.md): approve and blacklist licenses for projects. **(ULTIMATE)**
- [Dependency List](../application_security/dependency_list/index.md): view project dependencies. **(ULTIMATE)**
### Project integrations ### Project integrations
......
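
Review bot: The description in the added list item, "view project dependencies.", omits the vulnerability information that the other two entries added in this commit mention ("View your project's dependencies and their known vulnerabilities."). Suggest aligning it, for example "view your project's dependencies and their known vulnerabilities.", so that the feature is described the same way in all three places.
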