From 58a25d9ac5c06bbff345008e4fcd9af3e1bf0d43 Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Sun, 19 Oct 2025 10:52:55 +0300 Subject: [PATCH 01/11] Fix java version in history --- .../dependency_scanning/static_reachability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 35e5e784ddc30c..5be75c7c2b8582 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md @@ -18,7 +18,7 @@ title: Static reachability analysis - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14177) as an [experiment](../../../policy/development_stages_support.md) in GitLab 17.5. - [Changed](https://gitlab.com/groups/gitlab-org/-/epics/15781) from experiment to beta in GitLab 17.11. - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/502334) support for JavaScript and TypeScript in GitLab 18.2 and Dependency Scanning Analyzer v0.32.0. -- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/17607) support for Java in GitLab 18.5 and Dependency Scanning Analyzer v0.35.0. +- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/17607) support for Java in GitLab 18.5 and Dependency Scanning Analyzer v0.39.0. - [Changed](https://gitlab.com/groups/gitlab-org/-/epics/15780) from beta to Limited Availability (LA) in GitLab 18.5. {{< /history >}} 
@@ -41,7 +41,7 @@ Prerequisites: - Ensure the project uses [supported languages and package managers](#supported-languages-and-package-managers). - [Dependency scanning analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning) - version 0.32.0 and later. + version 0.39.0 and later. - Enable [Dependency scanning by using SBOM](dependency_scanning_sbom/_index.md#getting-started). [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) analyzers are not supported. -- GitLab From 8e40fb8436600f32068d3b554f411f024a02363b Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Mon, 20 Oct 2025 08:58:26 +0300 Subject: [PATCH 02/11] Document SRA behavior - excluded paths --- .../dependency_scanning/static_reachability.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 5be75c7c2b8582..0a623b3f5f29d5 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md 
@@ -116,9 +116,16 @@ dismissing it, as SRA cannot always definitively determine package usage. Not Available : SRA was not executed, so no reachability data exists. -When a direct dependency is marked as in use, all its transitive dependencies are also marked as +**Note:** When a direct dependency is marked as in use, all its transitive dependencies are also marked as in use. +**Note:** Dependencies in excluded directories (paths matching `DS_EXCLUDED_PATHS`) might appear in the SBOM but be +marked as **Not Found**. This occurs when lock files are located outside excluded directories (for example, at the +project root) but the source code that uses those dependencies is inside excluded directories (for example, `tests/`). +Dependency scanning includes all dependencies from the lock file in the SBOM, but SRA only scans source code in +non-excluded paths. +This is expected behavior and helps focus security scanning on production code while excluding test dependencies. + ## Supported languages and package managers Static reachability analysis is available for Python, JavaScript, TypeScript, and Java projects. -- GitLab From d1030d1dfb7af49d02debaa71aba890f16c77482 Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Mon, 20 Oct 2025 09:05:56 +0300 Subject: [PATCH 03/11] Revert non related changes --- .../dependency_scanning/static_reachability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 0a623b3f5f29d5..490d19b84a8751 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md 
@@ -18,7 +18,7 @@ title: Static reachability analysis - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14177) as an [experiment](../../../policy/development_stages_support.md) in GitLab 17.5. - [Changed](https://gitlab.com/groups/gitlab-org/-/epics/15781) from experiment to beta in GitLab 17.11. - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/502334) support for JavaScript and TypeScript in GitLab 18.2 and Dependency Scanning Analyzer v0.32.0. -- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/17607) support for Java in GitLab 18.5 and Dependency Scanning Analyzer v0.39.0. +- [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/17607) support for Java in GitLab 18.5 and Dependency Scanning Analyzer v0.35.0. - [Changed](https://gitlab.com/groups/gitlab-org/-/epics/15780) from beta to Limited Availability (LA) in GitLab 18.5. {{< /history >}} @@ -41,7 +41,7 @@ Prerequisites: - Ensure the project uses [supported languages and package managers](#supported-languages-and-package-managers). - [Dependency scanning analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning) - version 0.39.0 and later. + version 0.35.0 and later. - Enable [Dependency scanning by using SBOM](dependency_scanning_sbom/_index.md#getting-started). [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) analyzers are not supported. -- GitLab From 23959641d4d0755df835e2f104c31ac0be132e4d Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Mon, 20 Oct 2025 09:07:46 +0300 Subject: [PATCH 04/11] Apply 1 suggestion(s) to 1 file(s) --- .../dependency_scanning/static_reachability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 490d19b84a8751..8c9787fe4bc8b0 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md 
+++ b/doc/user/application_security/dependency_scanning/static_reachability.md @@ -41,7 +41,7 @@ Prerequisites: - Ensure the project uses [supported languages and package managers](#supported-languages-and-package-managers). - [Dependency scanning analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/dependency-scanning) - version 0.35.0 and later. + version 0.32.0 and later. - Enable [Dependency scanning by using SBOM](dependency_scanning_sbom/_index.md#getting-started). [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) analyzers are not supported. -- GitLab From 1d33ff8666af18021ca34c4397a6201dba5fcd94 Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Mon, 20 Oct 2025 09:32:04 +0300 Subject: [PATCH 05/11] Apply 1 suggestion(s) to 1 file(s) --- .../dependency_scanning/static_reachability.md | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 8c9787fe4bc8b0..08c599a4ae5705 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md @@ -124,7 +124,6 @@ marked as **Not Found**. This occurs when lock files are located outside exclude project root) but the source code that uses those dependencies is inside excluded directories (for example, `tests/`). Dependency scanning includes all dependencies from the lock file in the SBOM, but SRA only scans source code in non-excluded paths. -This is expected behavior and helps focus security scanning on production code while excluding test dependencies. ## Supported languages and package managers -- GitLab From 6be39a6643e0a2e0c5be39edaffd322629f611ac Mon Sep 17 00:00:00 2001 
From: Orin Naaman Date: Mon, 20 Oct 2025 10:08:39 +0300 Subject: [PATCH 06/11] Edit static_reachability.md --- .../dependency_scanning/static_reachability.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 08c599a4ae5705..f578dba604cd9c 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md 
@@ -116,14 +116,15 @@ dismissing it, as SRA cannot always definitively determine package usage. Not Available : SRA was not executed, so no reachability data exists. -**Note:** When a direct dependency is marked as in use, all its transitive dependencies are also marked as +> [!note] +> When a direct dependency is marked as in use, all its transitive dependencies are also marked as in use. -**Note:** Dependencies in excluded directories (paths matching `DS_EXCLUDED_PATHS`) might appear in the SBOM but be -marked as **Not Found**. This occurs when lock files are located outside excluded directories (for example, at the -project root) but the source code that uses those dependencies is inside excluded directories (for example, `tests/`). -Dependency scanning includes all dependencies from the lock file in the SBOM, but SRA only scans source code in -non-excluded paths. +> [!note] +> Dependencies in excluded directories (paths matching `DS_EXCLUDED_PATHS`) might appear in the SBOM but be marked as **Not Found**. +This occurs when lock files are located outside excluded directories (for example, at the project root) but the source code that uses +those dependencies is inside excluded directories (for example, `tests/`). Dependency scanning includes all dependencies from the lock +file in the SBOM, but SRA only scans source code in non-excluded paths. ## Supported languages and package managers -- GitLab From d68f61500a3136f537eef9d992490952d058f540 Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Mon, 20 Oct 2025 11:22:21 +0300 Subject: [PATCH 07/11] Lint --- .../dependency_scanning/static_reachability.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index f578dba604cd9c..f02f921e1bd196 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md 
+++ b/doc/user/application_security/dependency_scanning/static_reachability.md @@ -116,15 +116,17 @@ dismissing it, as SRA cannot always definitively determine package usage. Not Available : SRA was not executed, so no reachability data exists. -> [!note] -> When a direct dependency is marked as in use, all its transitive dependencies are also marked as +{{< note >}} +When a direct dependency is marked as in use, all its transitive dependencies are also marked as in use. +{{< /note >}} -> [!note] -> Dependencies in excluded directories (paths matching `DS_EXCLUDED_PATHS`) might appear in the SBOM but be marked as **Not Found**. -This occurs when lock files are located outside excluded directories (for example, at the project root) but the source code that uses -those dependencies is inside excluded directories (for example, `tests/`). Dependency scanning includes all dependencies from the lock +{{< note >}} +Dependencies in excluded directories (paths matching `DS_EXCLUDED_PATHS`) might appear in the SBOM but be marked as **Not Found**. +This occurs when lock files are located outside excluded directories (for example, at the project root) but the source code that uses +those dependencies is inside excluded directories (for example, `tests/`). Dependency scanning includes all dependencies from the lock file in the SBOM, but SRA only scans source code in non-excluded paths. +{{< /note >}} ## Supported languages and package managers -- GitLab From 1c64b0b602d6908b1dd4d18686b2a740f1e7aa10 Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Wed, 22 Oct 2025 16:29:54 +0300 Subject: [PATCH 08/11] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Russell Dickenson --- .../dependency_scanning/static_reachability.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index f02f921e1bd196..24ca72821a0be1 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md @@ -122,10 +122,10 @@ in use. {{< /note >}} {{< note >}} -Dependencies in excluded directories (paths matching `DS_EXCLUDED_PATHS`) might appear in the SBOM but be marked as **Not Found**. -This occurs when lock files are located outside excluded directories (for example, at the project root) but the source code that uses -those dependencies is inside excluded directories (for example, `tests/`). Dependency scanning includes all dependencies from the lock -file in the SBOM, but SRA only scans source code in non-excluded paths. +Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**. This occurs when lock files +are in scope of dependency scanning but the source code that uses those dependencies is excluded. For example, you configure the +CI/CD variable `DS_EXCLUDED_PATHS` to exclude the directory `tests/` from dependency scanning. All dependencies identified from +the lock file are listed in the SBOM, but SRA does not scan source code in excluded paths. {{< /note >}} ## Supported languages and package managers -- GitLab From 0e39028bfbec09bb5d8d95e708fe4b134d34c9a6 Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Wed, 22 Oct 2025 16:55:15 +0300 Subject: [PATCH 09/11] Add Not Found reachability value section --- .../static_reachability.md | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 24ca72821a0be1..349abcabc2887d 100644 
--- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md 
@@ -109,24 +109,21 @@ Yes : The package linked to this vulnerability is confirmed reachable in code. Not Found -: SRA ran successfully but did not detect usage of the vulnerable package. If a vulnerable -dependency's reachability value is shown as **Not Found**, exercise caution rather than completely -dismissing it, as SRA cannot always definitively determine package usage. +: SRA ran successfully but did not detect usage of the vulnerable package. Not Available : SRA was not executed, so no reachability data exists. -{{< note >}} When a direct dependency is marked as in use, all its transitive dependencies are also marked as in use. -{{< /note >}} - -{{< note >}} -Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**. This occurs when lock files -are in scope of dependency scanning but the source code that uses those dependencies is excluded. For example, you configure the -CI/CD variable `DS_EXCLUDED_PATHS` to exclude the directory `tests/` from dependency scanning. All dependencies identified from -the lock file are listed in the SBOM, but SRA does not scan source code in excluded paths. -{{< /note >}} + +## Not Found reachability value +* If a vulnerable dependency's reachability value is shown as **Not Found**, exercise caution rather than completely + dismissing it, as SRA cannot always definitively determine package usage. +* Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**. This occurs when lock files + are in scope of dependency scanning but the source code that uses those dependencies is excluded. For example, you configure the + CI/CD variable `DS_EXCLUDED_PATHS` to exclude the directory `tests/` from dependency scanning. All dependencies identified from + the lock file are listed in the SBOM, but SRA does not scan source code in excluded paths. ## Supported languages and package managers -- GitLab From ed67eeefbdaf5149d663530d1a8c6ff406921ec0 Mon Sep 17 00:00:00 2001 
From: Orin Naaman Date: Wed, 22 Oct 2025 17:09:21 +0300 Subject: [PATCH 10/11] Lint --- .../dependency_scanning/static_reachability.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index 349abcabc2887d..bb66a791f3457a 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md @@ -118,6 +118,7 @@ When a direct dependency is marked as in use, all its transitive dependencies ar in use. ## Not Found reachability value + * If a vulnerable dependency's reachability value is shown as **Not Found**, exercise caution rather than completely dismissing it, as SRA cannot always definitively determine package usage. * Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**. This occurs when lock files -- GitLab From bd56d6b91b360bc371314f0ecfc31c5cfba3452e Mon Sep 17 00:00:00 2001 From: Orin Naaman Date: Wed, 22 Oct 2025 17:18:47 +0300 Subject: [PATCH 11/11] Lint --- .../dependency_scanning/static_reachability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/static_reachability.md b/doc/user/application_security/dependency_scanning/static_reachability.md index bb66a791f3457a..0300c342132fb1 100644 --- a/doc/user/application_security/dependency_scanning/static_reachability.md +++ b/doc/user/application_security/dependency_scanning/static_reachability.md 
@@ -119,9 +119,9 @@ in use. ## Not Found reachability value -* If a vulnerable dependency's reachability value is shown as **Not Found**, exercise caution rather than completely +- If a vulnerable dependency's reachability value is shown as **Not Found**, exercise caution rather than completely dismissing it, as SRA cannot always definitively determine package usage. -* Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**. This occurs when lock files +- Dependencies in excluded directories might appear in the SBOM but be marked as **Not Found**. This occurs when lock files are in scope of dependency scanning but the source code that uses those dependencies is excluded. For example, you configure the CI/CD variable `DS_EXCLUDED_PATHS` to exclude the directory `tests/` from dependency scanning. All dependencies identified from the lock file are listed in the SBOM, but SRA does not scan source code in excluded paths. -- GitLab
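Review bot: In PATCH 01, the second hunk (`@@ -41,7 +41,7 @@ Prerequisites:`) raises the global prerequisite from `version 0.32.0 and later` to `version 0.39.0 and later`, which changes the minimum analyzer version for every supported language, not only Java, while the history entry in the same patch still records JavaScript and TypeScript support at v0.32.0. A single minimum in the Prerequisites list cannot express a per-language requirement; suggest leaving the prerequisite at 0.32.0 and carrying the Java-specific minimum in the history entry or in the supported-languages section. The commit subject (`Fix java version in history`) also does not mention this second change.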
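Review bot: Across PATCH 01, 03 and 04 the analyzer version for Java support flips from 0.35.0 to 0.39.0 and back to 0.35.0, and the prerequisite goes 0.32.0, 0.39.0, 0.35.0, 0.32.0, so the series never settles which analyzer release actually introduced Java support. Confirm the value against the analyzer's release history before merging and squash these three commits so the merged log does not record the back-and-forth.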
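Review bot: In PATCH 02 (`@@ -116,9 +116,16 @@`), the new paragraph explains why dependencies under excluded paths show **Not Found** but not what that means for the reader: a **Not Found** produced this way says the code that uses the dependency was never analyzed, not that the dependency is unused, so the finding should not be dismissed on that basis. Suggest stating that consequence explicitly, and dropping the closing `This is expected behavior and helps focus security scanning on production code while excluding test dependencies.`, which asserts a benefit rather than documenting behavior and can be read as a recommendation to exclude test dependencies from scanning (PATCH 05 later removes it). The `**Note:**` bold prefix is also not the docs site's admonition syntax; PATCH 06 and 07 converge on `{{< note >}}`, which should be used from the start.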
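Review bot: In PATCH 08 (`@@ -122,10 +122,10 @@`), the sentence `For example, you configure the CI/CD variable `DS_EXCLUDED_PATHS` to exclude the directory `tests/` from dependency scanning.` reads as an instruction rather than as the example scenario it introduces. Suggest `For example, if you set the CI/CD variable `DS_EXCLUDED_PATHS` to exclude `tests/`, ...` and closing the example with the outcome for that case: dependencies used only under `tests/` are still listed in the SBOM from the lock file and are marked **Not Found**. The rewrite also drops the detail that the lock file sits outside the excluded directory (the earlier text said "at the project root"), which is the precondition that makes the scenario happen.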
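Review bot: In PATCH 09 (`@@ -109,24 +109,21 @@`), moving the caution out of the `Not Found` definition leaves the definition list reading as a clean negative (`SRA ran successfully but did not detect usage of the vulnerable package.`), and a reader who stops at the list never reaches the new `## Not Found reachability value` section. Suggest keeping a one-line pointer in the definition, for example `See [Not Found reachability value](#not-found-reachability-value).` The hunk also removes the `{{< note >}}` wrapper around the transitive-dependency sentence so it now follows the `Not Available` definition as plain text, adds the heading with no blank line after it, and uses `*` bullets; PATCH 10 and 11 fix the last two as lint commits and should be squashed into this one.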