apache / incubator-streampark

Make stream processing easier! Easy-to-use streaming application development framework and operation platform.
https://streampark.apache.org/
Apache License 2.0

[Feature] enable dependabot security checks #1554

Closed pjfanning closed 2 years ago

pjfanning commented 2 years ago

Search before asking

Description

You can just enable Dependabot to autogenerate PRs for jars that have security issues. There is another mode where Dependabot generates PRs for all new releases of dependencies. The latter can be noisy but just enabling it for security issues would be very useful.

I recently raised https://github.com/apache/incubator-streampark/pull/1548 (and a few others) and I wouldn't have had to if Dependabot was enabled.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security

Dependabot can also scan your Github Actions for pipeline issues - https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

Usage Scenario

No response

Related issues

No response

Are you willing to submit a PR?

Code of Conduct
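The two modes described in the issue above (security-only updates versus version updates for every release) can be expressed in a repository's `.github/dependabot.yml`. The file below is an added example, not a file from this thread or from the StreamPark project; it assumes a Maven build with the root `pom.xml` at the repository root and workflows under `.github/workflows`. Security updates themselves are switched on in the repository's Security settings (which, as the thread notes, needs admin permission); this file only shapes which PRs Dependabot opens.

```yaml
# Added example (not the project's own file): .github/dependabot.yml
version: 2
updates:
  # Maven: open-pull-requests-limit: 0 disables the noisy per-release
  # version-update PRs, so only security updates (enabled in the repo's
  # Security tab) open PRs for vulnerable jars. Assumed: root pom.xml at "/".
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    labels:
      - "dependencies"
      - "security"

  # GitHub Actions: keep the actions pinned in workflow files current
  # (the "pipeline issues" case mentioned in the issue). Assumed:
  # workflows live in the default .github/workflows directory.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```

With this file in place, a vulnerable transitive jar such as the snakeyaml case mentioned later in the thread would produce a single labelled security PR rather than a stream of version bumps, while the Actions block keeps workflow action versions up to date on a weekly cadence.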

tisonkun commented 2 years ago

@wolfboys generally we don't assign others except they ask for it.

pjfanning commented 2 years ago

This is just a couple of clicks in the Security tab - but only project members can see these options.

tisonkun commented 2 years ago
[image attached]

From the page it seems all enabled. Closed as done.

wolfboys commented 2 years ago

This is just a couple of clicks in the Security tab - but only project members can see these options.

I can't see the "Dependabot" in the Security tab, maybe should apply by email?

wolfboys commented 2 years ago

@wolfboys generally we don't assign others except they ask for it.

oh sorry.

pjfanning commented 2 years ago

Not sure why the 'Dependabot alerts' option does not appear - like the one in this image:

[screenshot: Screenshot 2022-09-09 at 15 41 38]

tisonkun commented 2 years ago

@pjfanning It's possible that it requires admin permission, while all committers have only write permission.

You can file a JIRA issue on INFRA project. For example, https://issues.apache.org/jira/browse/INFRA-23432. Simply copying the description here may work.

pjfanning commented 2 years ago

@tisonkun I'm not part of the Streampark PMC, it would be better if someone from the PMC raised the INFRA issue. https://issues.apache.org/jira/browse/INFRA-23683 was one I raised for another ASF project (but I'm a PMC member of that project).

For instance, snakeyaml has another new release (1.32) that has another similar security fix.

tisonkun commented 2 years ago

it would be better if someone from the PMC raised the INFRA issue

This is not a requirement. Whether or not the proposer is a PMC member doesn't matter. But we do need to have a (lazy) consensus.