mozilla / gcp-ingestion

Documentation and implementation of telemetry ingestion on Google Cloud Platform
https://mozilla.github.io/gcp-ingestion/
Mozilla Public License 2.0

Enable dependency update scanning #83

Closed relud closed 5 years ago

relud commented 5 years ago

Per https://github.com/mozilla-services/foxsec/blob/master/README.mediawiki#Security_Checklist

  • [ ] enable security scanning of 3rd-party libraries and dependencies
    • ...
    • For Python, enable pyup security updates:
    • Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
    • Enable branch protection for master and other development branches. Make sure the approved-mozilla-pyup-configuration team CANNOT push to those branches.
    • From the "add a team" dropdown for your repo /settings page
      • Add the "Approved Mozilla PyUp Configuration" team for your github org (e.g. for mozilla and mozilla-services)
      • Grant it write permission so it can make pull requests
    • notify secops@mozilla.com to enable the integration in pyup
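The checklist above links to an example pyup config but does not show one. As an added illustration (not from the issue, the foxsec checklist, or the antenna repo), here is a `.pyup.yml` that answers the "security updates or all updates" choice explicitly. The requirement file names and the label are assumptions about the repo layout, not values from the thread.

```yaml
# .pyup.yml (added example; the requirements file paths below are assumed)

# Global policy. "insecure" opens pull requests only for releases that fix a
# known vulnerability; "all" opens one for every new release and is only a
# good idea when CI exercises the code well enough to catch a breaking bump.
update: insecure
pin: True
branch: master
schedule: "every day"

# Do not auto-discover requirement files; list them so nothing unexpected
# (e.g. a vendored example) gets bumped.
search: False
requirements:
  - requirements.txt
  - requirements-dev.txt:
      # Dev-only tooling: take every update here, CI covers it.
      update: all
      pin: True

# Label the bot's PRs so branch-protection reviewers can filter them.
label_prs: dependencies
```

Because the pyup team is granted write access only so it can open PRs, the branch protection in the checklist is what actually stops those PRs from landing without review; the config alone does not enforce it.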
relud commented 5 years ago

@whd @jklukas do you have opinions on whether this should be security updates or all updates?

jklukas commented 5 years ago

If CI is expected to fully exercise the code, then we should be able to take all updates with confidence.

pdehaan commented 5 years ago

@jvehent: Re: https://github.com/mozilla-services/foxsec/blob/master/README.mediawiki#Security_Checklist, do we have documentation somewhere on Java specific best practices/tools?

jvehent commented 5 years ago

I'm not a java guy, but I think OWASP's dependency check might be useful. @psiinon may have tips too.

psiinon commented 5 years ago

For ZAP we use:

Just give me a shout if you'd like any advice and guidance...

jklukas commented 5 years ago

@jezdez has good things to say about https://dependabot.com/

jklukas commented 5 years ago

Dependabot also supports Maven (in beta), so I'm going to investigate them a bit more.

jezdez commented 5 years ago

Yep, I found it nicer than pyup and renovate.

jezdez commented 5 years ago

Also it was recommended by foxsec people (@jvehent et al).

jklukas commented 5 years ago

Enabling dependabot requires an admin for the GitHub org, so filed https://bugzilla.mozilla.org/show_bug.cgi?id=1506836

jklukas commented 5 years ago

Access for dependabot is granted and I just did an initial setup. It's analyzing right now.

jklukas commented 5 years ago

This is now running and dependabot issued ~8 PRs across both the python and Java bits of the codebase here. It also looks like it detects when a rebase is needed due to master changing, and it automatically updates its PR. I am impressed.
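The thread ends with Dependabot covering both the Python and Java parts of the repo. As an added example, not the project's own configuration, this is what that coverage looks like in GitHub's native `.github/dependabot.yml` format; the directory paths and label are assumptions, and the format itself postdates the thread (Dependabot was enabled through its own app at the time).

```yaml
# .github/dependabot.yml (added example; directories and label are assumed)
version: 2
updates:
  # Java: Maven pom.xml for the ingestion pipeline components
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Bound the number of open PRs so one noisy library cannot flood reviewers.
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    # Keep the PR rebased when master moves, matching the behaviour noted above.
    rebase-strategy: "auto"

  # Python: requirements files for the Python bits of the codebase
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    rebase-strategy: "auto"
```

Each PR still has to pass the repo's CI and branch protection before merge, which is the safeguard that makes "take all updates" defensible rather than risky.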