freedomofpress / securedrop-tooling

Contains standard tooling configuration for SecureDrop repositories
GNU Affero General Public License v3.0

complete consolidation of Safety ignore-lists #14

Open cfm opened 10 months ago

cfm commented 10 months ago

Witness what's been needed to ignore Safety 61601 (urllib3 CVE-2023-43804) to date:

legoktm commented 10 months ago

Now that we have fpf-misc-resources, is there value in having per-repository safety jobs? My initial impression is that there isn't - the only thing it would catch is if we were adding a new library that happened to have a security vuln, but there's no guarantee it would get caught, because CI uses the free safety repo that is up to a month behind, while the fpf-misc-resources job uses the up-to-date version.

zenmonkeykstop commented 10 months ago

I do think we should pick one - but I'm not sure this is the one that I would pick. In much the same way as we're looking at moving debian/s back into their respective repos to reduce overhead, these ignore lists relate to dependency management within individual projects and are probably going to be easier to manage there. But for sure, the ~month delay is a pain.