OpenSDN-io / community

Community Planning and Coordination
Apache License 2.0

Meeting w/Randy to discuss Snyk pull requests #5

Open randybias opened 5 months ago

randybias commented 5 months ago

We need to look at the Snyk.io pull requests for package updates. I'm afraid to merge them randomly in case we break the build.

Andrey-mp commented 5 months ago

What do you mean by "Snyk.io pull requests for package updates"? What exactly do we need to test?

randybias commented 4 months ago

Snyk.io finds existing and potentially future vulnerabilities based on doing repository analysis of open source projects on GitHub. It uses existing vulnerability databases, tracks dependencies, and then provides Pull Requests on GitHub to update packages, etc. to mitigate those vulnerabilities.

Check out https://snyk.io

You can join my group there with this link:

Join OpenSDN Security Group on Snyk

Snyk is relatively clueless about the Pull Requests it generates and so we have a lot of false positives such as this one:

https://app.snyk.io/org/randybias/project/e1e8cfef-72a2-41cf-9bd4-f565b3eb3c10

Which was triggered by this file in tf-controller:

https://github.com/OpenSDN-io/tf-controller/blob/master/src/config/fabric-ansible/test-requirements.txt

However, per @Andrey-mp on the last call, a lot of these problems go away once Python2.7 is gone and we are fully over to Python3.

So most of this work will be parked for rel2 as rel1 will target deprecating Python2.7.
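The thread describes scanner-generated pull requests that are often false positives, with the example of a `test-requirements.txt` file whose loosely pinned entries triggered an alert. The following script is an added illustration of the triage step a maintainer would do before merging such PRs; it is not Snyk's code and not part of the OpenSDN-io repositories. It parses a pip requirements file, matches each entry against a small advisory table, and grades each finding by how confident the version match is and whether the file is test-only. The package names, advisory ids and version numbers are constructed placeholders, not real advisories.

```python
"""Triage helper for dependency-scanner findings on a pip requirements file.

Constructed example: parses requirement lines, compares each version
specifier against a made-up advisory table, and labels each hit with a
confidence level so low-value findings (loose pins in test-only files)
can be separated from ones that need an actual upgrade.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory data: package -> (placeholder advisory id, first fixed version).
# None of these identifiers or packages are real.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "examplelib": ("PLACEHOLDER-ADV-0001", "2.0.0"),
    "othertool": ("PLACEHOLDER-ADV-0002", "1.4.2"),
}

# name, optional [extras], optional single operator + version
REQ_RE = re.compile(
    r"^([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(?:(==|>=|<=|~=|>|<)\s*([0-9][0-9A-Za-z.]*))?"
)

# Constructed sample input standing in for a test-requirements.txt file.
SAMPLE_TEST_REQUIREMENTS = """\
# constructed test-requirements.txt for this illustration
examplelib>=1.2       # lower bound only: the resolver will normally pull a fixed release
othertool==1.3.0      # exact pin below the fixed version
unrelatedpkg==0.9     # not in the advisory table
-r base.txt           # pip option lines are skipped
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); trailing non-numeric parts such as 'rc1' are dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (name, operator, version) per requirement line.

    Comments, blank lines and pip option lines ('-r', '-e', '--index-url') are skipped.
    Names are normalised to lower case with '-' so they match the advisory table.
    """
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        reqs.append((name, m.group(2), m.group(3)))
    return reqs


def grade(op: Optional[str], ver: Optional[str], fixed: str) -> str:
    """Confidence that the specifier actually resolves to a vulnerable release.

    'high'    every version the specifier allows is below the fix
    'low'     the specifier also allows fixed releases (typical false positive)
    'unknown' no version given, nothing to compare
    'none'    the specifier only allows fixed releases
    """
    if ver is None:
        return "unknown"
    v, f = parse_version(ver), parse_version(fixed)
    if op == "==":
        return "none" if v >= f else "high"
    if op in (">=", ">", "~="):
        return "none" if v >= f else "low"
    if op == "<=":
        return "high" if v < f else "low"
    if op == "<":
        return "high" if v <= f else "low"
    return "unknown"


def triage(text: str, filename: str) -> List[Dict[str, str]]:
    """Match a requirements file against ADVISORIES; drop entries graded 'none'."""
    scope = "test-only" if "test" in filename.lower() else "runtime"
    findings = []
    for name, op, ver in parse_requirements(text):
        if name not in ADVISORIES:
            continue
        adv_id, fixed = ADVISORIES[name]
        confidence = grade(op, ver, fixed)
        if confidence == "none":
            continue
        findings.append({
            "package": name,
            "requirement": f"{name}{op or ''}{ver or ''}",
            "advisory": adv_id,
            "fixed_in": fixed,
            "confidence": confidence,
            "scope": scope,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TEST_REQUIREMENTS, "test-requirements.txt"):
        print(finding)
```

Run against the constructed file, `examplelib>=1.2` comes out as a low-confidence, test-only finding (the resolver will pick a fixed release unless something else caps it), while `othertool==1.3.0` is high confidence and is the kind of PR worth testing and merging. Real scanners resolve the full dependency graph and consult live advisory databases; this only shows the pin-versus-fix comparison that decides whether a generated PR deserves attention.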