Re: [scout-dev] new PRs using StepSecurity
  • From: Claudio Guglielmo <Claudio.Guglielmo@xxxxxxxxxxxxxxxx>
  • Date: Thu, 1 Jun 2023 07:10:57 +0000
  • Accept-language: de-CH, en-US
  • Delivered-to: scout-dev@xxxxxxxxxxx
  • List-archive: <https://www.eclipse.org/mailman/private/scout-dev/>
  • List-help: <mailto:scout-dev-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/scout-dev>, <mailto:scout-dev-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/scout-dev>, <mailto:scout-dev-request@eclipse.org?subject=unsubscribe>
  • Thread-index: AQHZkt6gT1payuoF/Em7ZyGdjbU/bq91hRuQ
  • Thread-topic: [scout-dev] new PRs using StepSecurity

Hi Francisco

I accepted your PRs but I realized it is not working as expected. I thought it would only create pull requests for dependencies that have security issues which are fixed in a new version. But it creates a PR if there is a new version of the dependency available, even if it is a new major version. It even creates false positives for our internal modules (e.g. https://github.com/eclipse-scout/scout.rt/pull/609). That version bump is just wrong. The bot created 54 (!) PRs for our https://github.com/eclipse-scout/scout.rt repository.

We are closing the PRs right now since we cannot just update dependencies without testing them thoroughly. We update the dependencies on a regular basis anyway, so I don’t think we really need the help of a bot.

Is it possible to configure dependabot so that it works as expected? If not, I will have to revert your change.

Thank you

Claudio
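
An added example, not from this thread and not the configuration StepSecurity proposed: a `.github/dependabot.yml` that does what the message above asks for, opening PRs only for dependencies with a security advisory and never proposing major bumps or bumps of the project's own artifacts. The Maven ecosystem and the `org.eclipse.scout.rt` group id are assumptions.

```yaml
# .github/dependabot.yml (added example; ecosystem and group id are assumptions)
version: 2
updates:
  - package-ecosystem: "maven"   # assumed; a separate entry with "npm" covers JS modules
    directory: "/"
    schedule:
      interval: "weekly"
    # 0 disables plain version-update PRs for this ecosystem entirely.
    # Dependabot security updates (fixes for published advisories) are not
    # subject to this limit, so they are still opened as PRs.
    open-pull-requests-limit: 0
    ignore:
      # Never propose bumps of the project's own artifacts (assumed group id);
      # this removes the false positives on internal modules.
      - dependency-name: "org.eclipse.scout.rt:*"
      # If version updates are re-enabled later, still skip new major versions.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Security updates must also be switched on in the repository's security settings; the file alone only controls version updates.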

From: scout-dev <scout-dev-bounces@xxxxxxxxxxx> On behalf of Francisco Perez via scout-dev
Sent: Tuesday, 30 May 2023 12:08
To: scout-dev@xxxxxxxxxxx
Cc: Francisco Perez <francisco.perez@xxxxxxxxxxxxxxxxxxxxxx>
Subject: [scout-dev] new PRs using StepSecurity

Hi,

I am Francisco Perez, a member of the Eclipse Foundation security team.

I am writing to you because we have analyzed all the repositories in the GitHub organization https://github.com/eclipse-scout/ using Scorecard and we have found that some improvements could be made.

We will create an issue where we will summarize all the Security Best Practices identified and create PRs to help you with applying those Security Best Practices. You may see some of those PRs coming from StepSecurity, as this is a tool we use to help us implement those fixes at scale.

The PR above will cover some or all of the following best practices:

Please don’t hesitate to reach out if there is something unclear above.

Kind Regards,

Francisco Perez 

Open Source Software Engineer | Eclipse Foundation

Eclipse Foundation: The Platform for Open Innovation and Collaboration

Attachment: smime.p7s
Description: S/MIME cryptographic signature

