Assets
GitLab is a web-based management system for Git code repositories. Additional features include its own wiki and issue tracking system. The software is distributed as the Omnibus package.
Performance indicators
2022: Loss of a third of capitalisation due to poor performance
GitLab's share price collapsed 38% in one day, causing the platform to lose more than a third of its value. The drop was triggered by weak financial indicators in the report published on March 13, 2023.
GitLab's revenue for the fiscal year ended January 31, 2023, reached $424.34 million, 68% more than in the previous fiscal year, when approximately $252.65 million was received. Of total fiscal 2023 revenue, SaaS (software as a service) subscriptions and services accounted for $369.35 million; licensing brought in another $54.99 million.
At the same time, GitLab's net loss grew to $172.31 million from $155.14 million in fiscal 2022. The company also expects further losses, which is what triggered the rapid drop in capitalization.
The report notes that by the end of fiscal 2023 the number of customers with ARR (annual recurring revenue) above $5,000 reached 7,002, up 52% year over year. The number of customers with ARR above $100,000 was almost 700, up 42% from the end of fiscal 2022. The number of customers with ARR above $1 million rose to 63, up 62% year over year. It is also noted that from April 3, 2023, the price of a GitLab Premium subscription will rise from $19 to $29 per user per month.
"The [GitLab] results were negatively affected by the macroeconomic situation, as sales cycles lengthened and some of the company's customers suspended hiring and/or were forced to reduce headcount, which caused a drop in the profit retention ratio," said analyst Matthew Hedberg.[1]
History
2024
FSTEC warned of critical vulnerability in popular developer platform GitLab
FSTEC has issued a warning that a critical vulnerability, registered as BDU:2024-04858[2], has been discovered in the collaborative development platforms GitLab Community Edition (CE) and Enterprise Edition (EE)[3]; it stems from flaws in access control. Exploiting the vulnerability can allow a remote attacker to execute arbitrary code by running pipelines on behalf of other users. The vendor has already released updated versions 17.1.1, 17.0.3 and 16.11.5[4], which fix 14 vulnerabilities, of which BDU:2024-04858 is the most dangerous: it is rated 9.6 out of 10 under CVSS 3.1, but there are three other critical ones as well.
"Many of our clients have their own development teams, since the speed of digitalization is important for them," Askar Dobryakov, a leading expert in business application protection at K2 Cybersecurity, told TAdviser. "In 85% of cases, these teams use GitLab products, such as GitLab CI. The request for import substitution of these products is not yet relevant, since in Russia this segment of solutions is still in its infancy. In the new patch, GitLab has fixed 14 vulnerabilities at once. Among them: one critical, allowing you to run a pipeline on behalf of any user; three of high criticality, enabling access and data breaches; 9 medium and 1 low, mainly due to malfunction or circumvention of access restrictions within the system."
"At the moment, according to the CyberOK SKIP platform, more than 14 thousand reachable GitLab services are observed in the Russian segment of the Internet," Sergey Gordeichik, CEO of CyberOK, told TAdviser. "At the same time, more than 60% of them run outdated and no longer supported versions (before 16.11). The latest GitLab fixes closed 14 vulnerabilities. Among them there is one critical and 3 vulnerabilities with a high level of severity:
- CVE-2024-5655 (CVSS 3.1: 9.6, EPSS: 0.001): the ability to start a pipeline on behalf of any user (a certain GitLab configuration is required);
- CVE-2024-4901 (CVSS 3.1: 8.7, EPSS: 0.0004): an XSS vulnerability that allows a malicious script to be injected into a project note, to be executed in the context of the user who opens that note;
- CVE-2024-4994 (CVSS 3.1: 8.1): a CSRF vulnerability in the GraphQL API that allows attackers to make arbitrary changes via GraphQL by altering legitimate requests of authenticated users;
- CVE-2024-6323 (CVSS 3.1: 7.5, EPSS: 0.001): an authorization error in GitLab's global search that allows attackers to view search results from private repositories in public projects.
The base metrics for assessing vulnerability severity are quite high, but it should be noted that exploiting 3 of these 4 vulnerabilities requires the attacker to first pass authorization in GitLab (obtain valid credentials and bypass other access controls), which greatly reduces the likelihood of mass exploitation."
It should be noted that, according to Sergei Golovanov, chief expert at Kaspersky Lab, GitLab is usually not exposed to the Internet but used purely on the internal network as code storage, with remote developers reaching it via VPN. So the number of actually installed instances that are not reachable from the Internet may be larger than what the SKIP Internet search detects.
According to Askar Dobryakov, all the bugs were found through the bug bounty program (except for one reported by a member of the development team) and have no public exploits. However, the vulnerabilities are dangerous because they allow outsiders to embed their code into any project developed on the platform; that is, they create the conditions for injecting foreign code into the developer's supply chain.
"GitLab is a fairly popular framework in Russia, used in most companies," explained Luka Safonov, technical director of Garda WAF. "A vulnerability in the product with a severity of 9.6 out of 10 is very serious. With the help of such vulnerabilities, you can add your code to other people's projects."
The same opinion is shared by Semyon Rogachev, head of the incident response department at the information security system integrator Bastion.
"Compromise of GitLab can lead to modification of code stored in repositories and, as a result, to attacks on the supply chain," he confirmed to TAdviser. "To protect your data from leaks, it is important to regularly update GitLab, especially if it is accessible from the Internet. It is also necessary to periodically audit activity in the repositories and in GitLab itself: check authentication logs, check commits for malicious code, etc."
Askar Dobryakov believes that if an attacker can launch a pipeline on behalf of any user, he can do practically everything that user is allowed to do in the system: inject his own code, send the project to build, bypass approval procedures (including security review). Moreover, in combination with other vulnerabilities, for example the XSS in notes (CVE-2024-4901), which allows some actions to be performed on behalf of a user or his authentication data to be stolen, the scope of an attack can be expanded, greatly increasing the risks both for the developers themselves and for users of the software they develop.
However, according to Sergei Golovanov, "the discovered vulnerability potentially allows the company's source code to be compromised: it can be copied and modified. However, in our practice, after a GitLab compromise and an audit for implants, no implants were found." In fact, this is not the first vulnerability discovered in GitLab, but until recently no cases had been recorded of hackers breaking into a collaborative development system through it and planting implants for further distribution. Now, however, supply chain attacks are becoming more and more popular, so such an attack vector should not be ruled out.
"If the organization does not build a DevSecOps process that provides for regular checks of published code, then exploitation of the above vulnerabilities carries serious risks associated with the invisible embedding of malicious code into existing projects," said Sergey Gordeichik. "Judging by publicly available reports on information security incidents, such an insertion of malicious code will most likely be revealed only at the stage of investigating an information security incident that has already occurred. Since GitLab is often one of the most critical systems for organizations that develop software, the security of this service should be taken as seriously as possible. In particular, several basic requirements must be met:
- provide a sound and observable GitLab access control process;
- monitor changes and security events related both to access and user actions and to changes in the configuration of the service;
- check all published code changes and CD scripts;
- update the software regularly."
FSTEC itself recommends the following compensating measures:
- minimize user privileges;
- disable/delete unused user accounts;
- use firewalls to restrict remote access;
- use virtual private networks (VPN) to organize remote access.
A "hole" in the GitLab platform allows passwords to be intercepted. More than 10 thousand servers in Russia are under threat
In mid-January 2024, the NCCCI warned of the critical vulnerability CVE-2023-7028 in the collaborative development platforms GitLab Community Edition and Enterprise Edition versions 16.1.0 to 16.7.1. They turned out to be vulnerable to an account takeover attack. The flaw is rated CVSS 10 out of 10, since the attack is easy to carry out and executed remotely.
A fix is available in the specially released versions[5] 16.7.2, 16.6.4 and 16.5.6 of the respective products.
The vulnerability appeared in version 16.6.0. The password reset flow involving an additional email address was implemented incorrectly: an attacker only needs to add his own address as a backup reset address, then use it to "recover" the password and gain full access to the account.
Exploits began to be published on GitHub, which indicates a high likelihood of attacks using this vulnerability. That said, if two-factor authentication is enabled, the password can still be reset via the vulnerability, but full access to the account cannot be obtained.
GitLab products turned out to be quite popular in Russia: the Netlas search engine found more than 10 thousand installations at Russian addresses, the third-largest share worldwide. Only Germany (19.6 thousand installations) and the USA (10.5 thousand) have more. In total, there are 89.1 thousand installations of the vulnerable platforms worldwide.
This is a large enough number to expect mass exploitation of this vulnerability. Moreover, it fits neatly into today's trend of supply chain attacks: an attacker can use the vulnerability to get into the collaborative development platform and embed his own backdoors and implants in the code.
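Both advisories on this page ship their fixes on several backport branches (16.7.2 / 16.6.4 / 16.5.6, and 17.1.1 / 17.0.3 / 16.11.5), so a naive "is the version newer than the latest fix" inventory check misclassifies patched 16.6.x or 17.0.x builds. The following is an added example, not GitLab's or TAdviser's code; it encodes only the fixed releases and affected ranges stated on this page (branches the page does not list are treated as unpatched), and the host inventory is constructed.

```python
"""Check GitLab instance versions against the fixed releases named on this page.

Constructed example (not GitLab's or TAdviser's code). Fixed releases come from
the page: 16.7.2 / 16.6.4 / 16.5.6 for CVE-2023-7028 (affected 16.1.0 - 16.7.1)
and 17.1.1 / 17.0.3 / 16.11.5 for the June 2024 release closing BDU:2024-04858.
Branches the page does not list (e.g. 16.4.x) are treated as unpatched here.
"""
from dataclasses import dataclass
from typing import Optional

Version = tuple  # (major, minor, patch)


def parse_version(text: str) -> Version:
    """Turn '16.6.4' or '16.6.4-ee' (the form GET /api/v4/version returns) into a tuple."""
    core = text.strip().split("-")[0]           # drop the '-ee' / '-ce' edition suffix
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed: tuple                                # one fixed release per backport branch
    first_affected: Optional[Version] = None    # None: the page gives no lower bound

    def is_fixed(self, v: Version) -> bool:
        # Any minor branch newer than the newest fixed branch already contains the fix.
        if v[:2] > max(self.fixed)[:2]:
            return True
        # On a branch that received a backport: fixed from that patch level onward.
        for f in self.fixed:
            if v[:2] == f[:2]:
                return v >= f
        # Older branch with no listed backport: still vulnerable.
        return False

    def is_affected(self, v: Version) -> bool:
        if self.first_affected is not None and v < self.first_affected:
            return False
        return not self.is_fixed(v)


CVE_2023_7028 = Advisory("CVE-2023-7028", ((16, 7, 2), (16, 6, 4), (16, 5, 6)), (16, 1, 0))
JUNE_2024 = Advisory("BDU:2024-04858 / June 2024 patch", ((17, 1, 1), (17, 0, 3), (16, 11, 5)))
ADVISORIES = (CVE_2023_7028, JUNE_2024)


def assess(version_text: str) -> dict:
    """Map advisory name -> True if an instance on this version still needs that patch."""
    v = parse_version(version_text)
    return {a.name: a.is_affected(v) for a in ADVISORIES}


if __name__ == "__main__":
    # Constructed inventory: hostname -> version string as an administrator would collect it.
    inventory = {"git.example.internal": "16.6.3-ee", "ci.example.internal": "16.6.4-ee",
                 "lab.example.internal": "17.0.2", "dev.example.internal": "17.1.1-ce"}
    for host, ver in inventory.items():
        missing = [name for name, hit in assess(ver).items() if hit]
        print(f"{host:24} {ver:10} {'needs: ' + ', '.join(missing) if missing else 'patched'}")
```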
Since fixes exist, they are worth installing, although Russian users will have to meet certain requirements for checking the security of the installed code. In any case, this is what the NCCCI recommends:
"This vulnerability is fixed by the vendor's official patch. Given the current situation and the sanctions imposed against the Russian Federation, we recommend installing software updates only after assessing all associated risks."
In addition, two-factor authentication should be enabled for all platform users as soon as possible; this can be done without installing a new version.
At the same time, a company has the opportunity to detect an attack on its platform; it is only important to convince developers to report every unsuccessful attempt to take over their accounts to the corporate information security service.
2023: 7% staff cut
On February 9, 2023, GitLab, the main competitor to the GitHub platform, announced a staff reduction. The number of employees will decrease by 7%, which is associated with the crisis in the IT market and global economic challenges.
As GitLab co-founder and CEO Sid Sijbrandij said, in the current environment corporate customers take a more conservative approach to investing in software and spend more time making decisions. The spending reallocation measures previously adopted at GitLab were not enough to counter the deepening global economic downturn, so the company was forced to lay off employees.
"I made the decision to reduce the size of our team by 7%. It was a very difficult decision and I understand it may be unexpected for some of you. We are sad to say goodbye to the talented workers who played an integral role in the development of GitLab, and I am grateful for their significant contribution. Unfortunately, we need to take further steps and bring our spending rates in line with the growth strategy," Sijbrandij said.
As of early 2022, GitLab had 1,630 employees; based on this figure, approximately 114 people will lose their jobs. They will receive the payments due to them and severance pay equal to four months' base salary. In addition, the company will cover health insurance premiums for up to six months. GitLab will also help dismissed employees find a new job, including consulting and resume drafting. The dismissed employees will be able to keep the equipment provided to them, including for the home office, subject to GitLab's security protocols.[6]
2022: Plan to remove free hosted projects inactive for a year
On August 4, 2022, it became known that GitLab plans to amend the terms of service in September so that projects hosted for free on GitLab.com will be automatically deleted if their repositories remain inactive for 12 months. The rule changes have not yet been officially announced and are at the internal planning stage.
The change is aimed at reducing hosting maintenance costs by freeing up the resources spent on storing and handling abandoned projects and undeveloped forks. It is estimated that maintaining infrastructure for abandoned projects accounts for up to a quarter of all GitLab.com hosting costs, and automatic cleanup of such projects would save up to a million dollars a year.
A few weeks or months before actual deletion, the owners of repositories slated for deletion will be notified with a warning about the need to confirm that the project is still relevant. Only abandoned projects are planned for deletion: those whose authors do not respond to the warnings, where no changes were made to the repository during the year, no new issues were opened and no comments were posted.
However, some community members see the proposed removal as a harmful practice, as code from inactive repositories may be used as a dependency by other projects that remain active. It is also noted that constant change is not the goal of some authors, who may well believe that the current state of their project is optimal and the code is good enough not to require improvement, or who initially published finished work that is not planned to be developed further but may be useful to others.
In addition, the code of inactive projects may be referenced by external resources, and deleting it would mean losing a trusted reference copy that can be linked to (unofficial copies do not guarantee the absence of malicious activity). Therefore, instead of deletion, it would probably be better to move such projects to an archived state while keeping the code accessible read-only. To save disk space when storing junk forks, more effective deduplication methods could be used; for example, GitHub, to eliminate data duplication, stores all objects from the main repository and related forks together, logically dividing ownership of commits.[7]
2021
Acquisition of Opstrace, a developer of a cloud bug-tracking platform
In mid-December 2021, GitLab announced the purchase of Opstrace. The financial terms of the deal were not disclosed. Read more here.
Going public on Nasdaq
On October 14, 2021, GitLab went public, listing its shares on the Nasdaq exchange under the ticker symbol GTLB.
As part of the IPO, the collaborative development service sold a total of 10.4 million shares at $77 apiece, raising more than $800 million. Most of the shares (about 8.42 million) were sold by GitLab itself, and the remaining 1.98 million by an investor affiliated with the company's founder.
According to Bloomberg, with a share price of $77 (the range was initially set at $66-69 per share), GitLab's market capitalization amounted to $11 billion.
According to the IPO prospectus, GitLab intends to use the proceeds for general corporate purposes and as working capital. The main goal of the IPO was to raise the company's profile and bring its shares to the open market.
By mid-October 2021, GitLab had approximately 3.6 thousand customers, including Goldman Sachs, UBS, Nvidia and Thomson Reuters. The company has never had an office; all of its employees (about 1.3 thousand people) work remotely.
Gitlab was going to go public earlier, but plans were revised due to the COVID-19 coronavirus pandemic.
Co-founder of the company Dmitry Zaporozhets in 2021 took 23rd place in the ranking of the richest Ukrainians according to Ukrainian Forbes. The entrepreneur's fortune is estimated at $450 million.
According to investors, GitLab's business looks promising, partly thanks to the COVID-19 pandemic. The rapid spread of remote work made moving a significant part of operations across industries online an urgent issue, which gives reason to expect a heavy workload for programmers who will actively use the company's software. Digitalization was already under way before the pandemic, but now the process is being forced by both companies and states, they say.[8]
2020: Buying Peach Tech and Fuzzit
In mid-June 2020, GitLab announced the acquisition of the technology companies Peach Tech and Fuzzit with the aim of improving its DevOps tools. Both startups develop security testing software based on so-called fuzz testing (feeding random data to the system under test as input). Read more here.
2019: Attempted ban on Russian and Chinese employees
On November 5, 2019, it became known that the management of the Git service GitLab had barred residents of Russia and China from joining its staff.
The initiative was proposed in mid-October 2019 and would make it impossible for Russians or Chinese to hold positions at GitLab that in one way or another involve access to customer data. For example, they would not be able to work as engineers in operations, technical support or security. As of November 5, 2019, it was under discussion and had not taken effect, but according to ZDNet, Russians had already begun to receive hiring refusals from GitLab.
According to management, customers of the service fear that Russians and Chinese would steal this information. Representatives of the service did not disclose the names of the companies worried about the presence of Russians and Chinese on the GitLab team, but as of November 5, 2019, its corporate clients included many large corporations from various fields, including information technology and banking.
Explaining its initiative, GitLab management refers to several unnamed corporate clients. GitLab Vice President Eric Johnson noted that these clients are concerned about the geopolitical situation in the world and attitudes toward Russia and China. Johnson stressed that denying employment based on place of residence or background has become the norm in today's IT industry. Nevertheless, ZDNet writes, he did not specify which other companies use similar principles when selecting candidates, or how often exactly Russians and Chinese receive refusals.
As of November 5, 2019, GitLab proposed not to hire only those who live in or are located in Russia or China. The applicant's origin was not taken into account: if a Russian or Chinese person lives outside their native country, their chance of getting a job remained. None of these restrictions would affect current employees; GitLab management did not announce any upcoming dismissals.
In addition, GitLab would do everything possible to stop its employees from visiting China or Russia for any reason. A person in a position with access to customer data would face a choice: either give up the idea of traveling to the "banned" countries, or leave the position and start looking for another job.
The discussion initiated by GitLab's leadership was still active as of November 5, 2019, and the ban on hiring Russians and Chinese had not been introduced. The discussion was expected to close on November 6, 2019, and GitLab management had not yet set a date for the restrictions to take effect.
At the same time, the exclusion of people from Russia and China from positions with access to customer information at GitLab was already in effect, albeit quietly; this was confirmed by the service's CEO Sid Sijbrandij. He also said that current employees would not lose their jobs because of the global geopolitical climate. At the same time, he did not explain whether Russians and Chinese working, for example, in GitLab technical support would be forced to move to another position, possibly a lower-paid one.
The GitLab initiative caused a flurry of negative ratings and comments, which far outnumbered the positive and neutral responses. Those who disagreed with GitLab's actions did not mince words and wondered why the management's initiative targeted these countries and not any others.
A number of users noted that in October and November 2019 there was not a single law in the United States (where GitLab's head office is located, in San Francisco) prohibiting the hiring of people from Russia and China, let alone allowing employers to prevent existing employees from visiting these countries.[9]
Notes
- ↑ 1. GitLab Reports Fourth Quarter and Full Year 2023 Financial Results
- ↑ 2. BDU:2024-04858, https://bdu.fstec.ru/vul/2024-04858
- ↑ 3. (reference text not preserved)
- ↑ 4. GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5
- ↑ 5. GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6
- ↑ 6. An announcement from GitLab CEO Sid Sijbrandij
- ↑ 7. GitLab intends to delete free hosted projects inactive for a year (supplemented)
- ↑ 8. GitLab IPO Prices Above Range, Receives $11 Billion Valuation
- ↑ 9. GitLab introduced the selection of employees based on nationality. The Russians were thrown overboard.
Stock price dynamics
Ticker on the exchange: NDAQ:GTLB