Status: Closed (closed by relud 5 years ago)
@whd @jklukas do you have opinions on whether this should be security updates or all updates?
If CI is expected to fully exercise the code, then we should be able to take all updates with confidence.
@jvehent: Re: https://github.com/mozilla-services/foxsec/blob/master/README.mediawiki#Security_Checklist, do we have documentation somewhere on Java-specific best practices/tools?
I'm not a Java guy, but I think OWASP's Dependency-Check might be useful. @psiinon may have tips too.
For ZAP we use:
Just give me a shout if you'd like any advice and guidance...
@jezdez has good things to say about https://dependabot.com/
Dependabot also supports Maven (in beta), so I'm going to investigate them a bit more.
Yep, I found it nicer than pyup and renovate.
Also it was recommended by foxsec people (@jvehent et al).
Enabling Dependabot requires an admin for the GitHub org, so I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1506836
Access for dependabot is granted and I just did an initial setup. It's analyzing right now.
This is now running and Dependabot issued ~8 PRs across both the Python and Java bits of the codebase here. It also looks like it detects when a rebase is needed due to master changing, and it automatically updates its PR. I am impressed.
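For reference, the kind of configuration that drives the behaviour described above (one Dependabot setup covering both the Python and the Maven parts of a repository). This is an added example, not a file from this repository or from Dependabot's own docs; the directory paths, schedule and limits are assumptions chosen for illustration. It uses the current `.github/dependabot.yml` format rather than the older dependabot.com configuration that was in use when this thread was written.

```yaml
# .github/dependabot.yml (added example; paths and limits are assumptions)
version: 2
updates:
  # Python side: assumes requirements files live in the repo root.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of simultaneous PRs so CI load stays predictable.
    open-pull-requests-limit: 5
    # Take every update (not only security fixes), relying on CI to exercise
    # the code; drop this block to restrict version updates to direct deps.
    allow:
      - dependency-type: "all"

  # Java side: assumes the Maven project sits in a java/ subdirectory.
  - package-ecosystem: "maven"
    directory: "/java"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    # Major-version bumps are the ones most likely to need human review,
    # so skip them here and handle them manually when they appear.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Two caveats worth knowing when deciding between "security updates" and "all updates": this file configures Dependabot *version* updates, while Dependabot *security* updates (PRs raised in response to an advisory) are switched on in the repository's security settings and are raised regardless of the schedule above; and an `ignore` rule only suppresses version updates, so a security fix that happens to be a major bump still arrives as a security-update PR.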
Per https://github.com/mozilla-services/foxsec/blob/master/README.mediawiki#Security_Checklist