As part of FINOS infrastructure, we are enabling WhiteSource security scanning across all our hosted projects; this PR contains the bot configuration.
After this PR gets merged, I will personally enable the WhiteSource GitHub app and the scanning will begin: every build descriptor (i.e. pom.xml, package.json, etc.) will be executed and all direct/transitive dependencies will be scanned for security vulnerabilities.
If any vulnerability is found, by default a new GitHub issue will be created, with all details needed by the team to investigate further; there may be false positives (i.e. vulnerabilities spotted on non-runtime dependencies), which must be tackled by updating the WhiteSource bot configuration.
Please note that the public scope of these issues may pose a security threat for production environments; if that is the case, I can help you configure WhiteSource to send email notifications, instead of using public GitHub Issues.
WhiteSource app enabled; it appears that the .whitesource file must be updated AFTER the GitHub App is enabled; I sent a PR that includes a styling change to the file.
More info on WhiteSource security scanning can be found on https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/1129283585/WhiteSource+for+GitHub.com; to know more about FINOS policies on how to manage a responsible disclosure of security issues, please read https://finosfoundation.atlassian.net/wiki/spaces/FINOS/pages/1230176257/Security+Vulnerabilities+Responsible+Disclosure+Policy
Thank you!