| Re: [scout-dev] new PRs using StepSecurity |
Hi Francisco,
Thank you for your response. Our main issue is not with single false positives, but that the proposed updates are simply version updates and not updates for security issues. I’m not sure whether the dependabot is configurable in a way that it only acts on security relevant dependency updates. If you have more experience in this regard your feedback would be very welcome. In the meantime we have procedures in place for timely security updates for dependencies and for regular updates to all dependencies; they are just not that visible and don’t depend on the GitHub infrastructure.
Regards,
Arthur
From: Francisco Perez <francisco.perez@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, 1 June, 2023 11:02
To: Arthur van Dorp <Arthur.vanDorp@xxxxxxxxxxxxxxxx>
Subject: Re: [scout-dev] new PRs using StepSecurity
Hi there,
Thanks for the feedback. I appreciate and I will work on how this PRs can be improved.
My understanding about https://github.com/eclipse-scout/scout.rt/pull/609 is that the file dependabot.yml is configured to scan all directories suggested by StepSecurity. As result, dependabot.yml is scanning dependencies in path /scout-hellojs-app/src/ as you may see from line 47 to 71. Unfortunately, it's very likely that the default configuration suggested may not suit the needs and some additional work may be needed on file dependabot.yml. Sorry about that.
So if a PR like 609 may not suit or it could end up in a false-positive, I would say that there could be some strategies to address this. Like changing schedule interval could be change to monthly or even, line 47 to 71 could be removed to avoid scanning the directory /scout-hellojs-app/src/.
I hope this helps.
Thanks,
Kind Regards,
Francisco Perez
Open Source Software Engineer | Eclipse Foundation
Eclipse Foundation: The Platform for Open Innovation and Collaboration
On Thu, Jun 1, 2023 at 9:35 AM Arthur van Dorp <Arthur.vanDorp@xxxxxxxxxxxxxxxx> wrote:
Hi all,
My current understanding is that dependabot security issues are raised at https://github.com/eclipse-scout/scout.rt/security/dependabot whereas the dependabot.yml doesn’t affect those alerts and only configures auto-update-PRs (not what we want). Even though both are called dependabot they serve different purposes.
Some people at StackOverflow disagree with my understanding though: https://stackoverflow.com/questions/64047526/how-to-get-dependabot-to-trigger-for-security-updates-only
Regards,
Arthur
--
BSI Business Systems Integration AG
Täfernweg 1, CH-5405 Baden
Telefon +41 58 255 93 23
www.bsi-software.com
From: scout-dev <scout-dev-bounces@xxxxxxxxxxx> On Behalf Of Claudio Guglielmo
Sent: Thursday, 1 June, 2023 09:11
To: Francisco Perez <francisco.perez@xxxxxxxxxxxxxxxxxxxxxx>
Cc: Mailing list for Eclipse Scout developer discussion <scout-dev@xxxxxxxxxxx>
Subject: Re: [scout-dev] new PRs using StepSecurity
Hi Francisco
I accepted your PRs but I realized it is not working as expected. I thought it will only create pull requests for dependencies that have security issues which are fixed in a new version. But it creates a PR if there is a new version of the dependency available, even if it is a new major version. It even creates false positives for our internal modules (e.g. https://github.com/eclipse-scout/scout.rt/pull/609). That version bump is just wrong. The bot created 54 (!) PRs for our https://github.com/eclipse-scout/scout.rt repository.
We are closing the PRs right now since we cannot just update dependencies without testing them thoroughly. We update the dependencies on a regularly basis anyway, so I don’t think we really need the help of a bot.
Is it possible to configure dependabot that it will work as expected? If not I will have to revert your change.
Thank you
Claudio
Von: scout-dev <scout-dev-bounces@xxxxxxxxxxx> Im Auftrag von Francisco Perez via scout-dev
Gesendet: Dienstag, 30. Mai 2023 12:08
An: scout-dev@xxxxxxxxxxx
Cc: Francisco Perez <francisco.perez@xxxxxxxxxxxxxxxxxxxxxx>
Betreff: [scout-dev] new PRs using StepSecurity
Hi,
I am Francisco Perez, a member of the Eclipse Foundation security team.
I am writing to you because we have analyzed all the repositories in the GitHub organization https://github.com/eclipse-scout/ using Scorecard and we have found out some improvements could be made.
We will create an issue where we will summarize all the Security Best Practices identified and create PRs to help you with applying those Security Best Practices You may see some of those PRs coming from StepSecurity as this is a tool we use to help us implement those fixes at scale..
The PR above will cover some or all of the following best practices:
- Apply least privilege principle to GITHUB_TOKEN
- Add or fine tune the use of Dependabot
- Pin GitHub actions to a full length commit SHA
Please don’t hesitate and reach out if there is something unclear above.
Kind Regards,
Francisco Perez
Open Source Software Engineer | Eclipse Foundation
Eclipse Foundation: The Platform for Open Innovation and Collaboration
