The team behind the development platform GitLab has announced that it plans to introduce a dependency firewall in the second half of 2024. Based on the Policies feature, it is intended to add security to the software supply chain by providing a first line of defense when packages are downloaded from the Internet. In addition, the new GitLab version 16.10 is now available with over ninety changes.
Prevent malicious code in the supply chain
As the GitLab team explains, the introduction of the Maven Dependency Proxy at the beginning of the year in version 16.8 did not bring only advantages: it also increased the risk of attacks on the software supply chain through typosquatting (publishing malicious code under a slightly altered package name that resembles a legitimate one) and through dependency confusion attacks.
This is where the planned dependency firewall comes in: it is intended to prevent such attacks by warning about malicious packages or blocking their introduction into the supply chain, depending on a project's policies. Before packages are made available, the firewall should be able to send them to quarantine for review and manage them there. The mechanism behind this is the GitLab Policies feature: the firewall is to check every new package against a policy. Using policies is reserved for GitLab users of the Ultimate edition.
The planned policy for the dependency firewall is to provide warn and fail functions. GitLab users will be able to create a policy that either triggers a warning or moves packages to quarantine under specified conditions. As an example, the GitLab team cites blocking the download of packages with critical security vulnerabilities, while only a warning appears for less critical vulnerabilities.
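To make the warn/fail behaviour concrete, the following is an added Python model of such a policy check; it is not GitLab code, and since the article does not publish the real policy syntax, the rule fields, severity scale and sample packages are assumptions:

```python
# Added model of a dependency-firewall policy with warn/fail rules.
# Assumption: a rule fires when a package's worst finding is at least as severe
# as the rule's threshold; "fail" sends the package to quarantine, "warn" lets it
# through with a warning. Field names and severity scale are invented here.
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Rule:
    min_severity: str  # rule applies when a finding is at least this severe
    action: str        # "warn" or "fail"


@dataclass
class Package:
    name: str
    version: str
    findings: list = field(default_factory=list)  # severities of known advisories


@dataclass
class Decision:
    package: Package
    action: str        # "allow", "warn" or "fail"
    quarantined: bool
    reasons: list


def evaluate(package, policy):
    """Check one incoming package against the policy; the strictest matching rule wins."""
    if not package.findings:
        return Decision(package, "allow", False, [])
    worst = max(package.findings, key=lambda s: SEVERITY_RANK[s])
    matched = [r for r in policy if SEVERITY_RANK[worst] >= SEVERITY_RANK[r.min_severity]]
    if not matched:
        return Decision(package, "allow", False, [])
    action = "fail" if any(r.action == "fail" for r in matched) else "warn"
    reasons = [f"{package.name}@{package.version}: worst finding {worst}, "
               f"rule >= {r.min_severity} -> {r.action}" for r in matched]
    return Decision(package, action, action == "fail", reasons)


# Constructed policy mirroring the article's example: block critical, warn on the rest
POLICY = [Rule("critical", "fail"), Rule("low", "warn")]

# Constructed sample packages (names and findings are made up, not real advisories)
SAMPLES = [Package("example-clean", "1.0.0"),
           Package("example-critical", "2.1.0", ["critical", "medium"]),
           Package("example-medium", "0.9.3", ["medium"])]


def run():
    """Return {package name: (action, quarantined)} for the constructed samples."""
    return {d.package.name: (d.action, d.quarantined)
            for d in (evaluate(p, POLICY) for p in SAMPLES)}
```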
Details on the use of the planned firewall can be found in the GitLab blog and the corresponding epic.
GitLab 16.10 emphasizes semantic versioning in the CI/CD catalog
The new GitLab version 16.10 has already been released. One of its more than ninety changes is the introduction of semantic versioning for components published to the CI/CD catalog. This applies to GitLab users of all editions and is intended to ensure consistent behavior. When publishing a component, the tag must conform to three-part semantic versioning (major.minor.patch), such as 1.0.0.
These and other innovations such as wiki templates and updates for the AI service GitLab Duo are listed in the GitLab blog.
(May)