search

finos / spring-bot

Spring Boot + Java Integration for Symphony/Teams Chat Platform Bots and Apps
https://springbot.finos.org
Apache License 2.0
60 stars 35 forks source link

Configure WhiteSource for GitHub.com #81

Closed mend-for-github-com[bot] closed 4 years ago

mend-for-github-com[bot] commented 4 years ago

Welcome to WhiteSource for GitHub.com! This is an onboarding PR to help you understand and configure settings before WhiteSource starts scanning your repository for security vulnerabilities.

:vertical_traffic_light: WhiteSource for GitHub.com will start scanning your repository only once you merge this Pull Request. To disable WhiteSource for GitHub.com, simply close this Pull Request.

What to Expect

This PR contains a '.whitesource' configuration file which can be customized to your needs. If no changes were applied to this file, WhiteSource for GitHub.com will use the default configuration.

Before merging this PR, Make sure the Issues tab is enabled. Once you merge this PR, WhiteSource for GitHub.com will scan your repository and create a GitHub Issue for every vulnerability detected in your repository.

If you do not want a GitHub Issue to be created for each detected vulnerability, you can edit the '.whitesource' file and set the 'minSeverityLevel' parameter to 'NONE'.

If WhiteSource Remediate Workflow Rules are set on your repository (from the WhiteSource 'Integrate' tab), WhiteSource will also generate a fix Pull Request for relevant vulnerabilities.

:question: Got questions? Check out WhiteSource for GitHub.com docs. If you need any further assistance then you can also request help here.

robmoffat commented 4 years ago

@maoo is this something to do with you? If so I'll merge it.

cheers, Rob

maoo commented 4 years ago

Yes @robmoffat , sorry for the lack of context. Adding an ongoing CVE check is part of the project onboarding. I'll also invite you to the WhiteSource dashboard, where you'll be able to check scan results.

Finally, I'll send you an additional PR against this (Auto-generated) file, to suppress public logging of issues (via GitHub Issues), in order to implement a more responsible workflow to address security, see https://finosfoundation.atlassian.net/wiki/spaces/FINOS/pages/1230176257/Security+Vulnerabilities+Responsible+Disclosure+Policy .

TY!

maoo commented 4 years ago

TY @robmoffat ! Could you please check issues being created on https://github.com/finos/symphony-java-toolkit/issues?q=is%3Aissue+is%3Aopen+label%3A%22security+vulnerability%22 ?

I'll disable GitHub Issues integration and use email notifications instead, to implement FINOS CVE responsible disclosure

TY!