mozilla / servicebook-web

Web Frontend for the service book

Switch from pyup.io to Dependabot #195

Closed stephendonner closed 5 years ago

stephendonner commented 5 years ago

r? @davehunt @tarekziade

coveralls commented 5 years ago


Coverage remained the same at 84.956% when pulling b626c56ce631df6d00dcc401bdb29392f61788d0 on stephendonner:dependabot into 1424ed1f9b126a9cf2a43737aa22b0c7dba6bc4a on mozilla:master.

ckolos commented 5 years ago

Can I get some context on this switch? Our secops team has preferred pyup in the past

davehunt commented 5 years ago

> Can I get some context on this switch? Our secops team has preferred pyup in the past

pyup.io doesn't have full support for Pipfile.lock, so it will update a dependency without considering transient dependency version/platform restraints. As we're using pipenv and Pipfiles, Dependabot provides a more robust and complete solution.

ckolos commented 5 years ago

I checked with secops and they have no issue with this change, but respectfully ask if you would also do as described here: https://pipenv.readthedocs.io/en/latest/advanced/#generating-a-requirements-txt

stephendonner commented 5 years ago

@ckolos I don't have a problem with that request, sure.

Questions:

1) can you point to an example where this is done for a Mozilla project? Just trying to get a sense of the workflow
2) do you want the resulting requirements.txt in-tree?
3) generated before merge time of PRs, such as these, which change requirements/dependencies, and then checked in alongside the Pipfile/Pipfile.lock?

Thanks again!

davehunt commented 5 years ago

I'm curious why this is being asked for? We're not using a requirements.txt, so what purpose would this fulfil? Also, as pipenv does not include hashes in generated requirements files, the resulting requirements file would be less secure than the Pipfile.lock, which includes all hashes.

ckolos commented 5 years ago

Sec-wise Dependabot is preferable for this feature: https://dependabot.com/blog/automatically-respond-to-security-advisories/

Secops will run the pyup CLI tool in a jenkins security job and surface any relevant warnings. For that job and to have github's sec. alerts, it would be handy if they could sync and check in the requirements file: https://pipenv.readthedocs.io/en/latest/advanced/#generating-a-requirements-txt

This is what I've been told when asking about enabling this over pyup. I will 302 to secops should you have any objections.

davehunt commented 5 years ago

No objections. The requirements.txt can be generated using pipenv lock --requirements, and this can be passed to pyup's safety check tool as pipenv lock --requirements | safety check. We could add this as a pre-commit hook, or add it to Travis/Circle CI. If secops would prefer to run this, it should already be possible with pipenv available. Let us know how you'd like us to proceed.
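The thread raises two practical points: a requirements.txt generated by pipenv drops the hashes that Pipfile.lock carries, and a checked-in requirements file has to be kept in sync with the lock file. The following is an added example, not code from this PR or from the servicebook-web project: it renders a Pipfile.lock into pinned requirements lines that keep every hash (so pip's hash checking still applies), and provides a CI-style check that a committed requirements.txt still matches the lock file. The Pipfile.lock content, package names, versions and digests are constructed sample data, and the function names are the example's own.

```python
import json

# Constructed sample of a Pipfile.lock, trimmed to the fields that matter here.
# The digests are placeholders (repeated bytes), not real package hashes.
SAMPLE_PIPFILE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "PLACEHOLDER_PIPFILE_HASH"}},
    "default": {
        "requests": {
            "version": "==2.22.0",
            "hashes": ["sha256:" + "aa" * 32, "sha256:" + "bb" * 32],
        },
        "certifi": {
            "version": "==2019.6.16",
            "hashes": ["sha256:" + "cc" * 32],
            "markers": "python_version >= '3.4'",
        },
    },
    "develop": {
        "pytest": {
            "version": "==5.0.1",
            "hashes": ["sha256:" + "dd" * 32],
        },
    },
})


def lock_to_requirements(lock_json: str, include_dev: bool = False) -> str:
    """Render Pipfile.lock JSON into requirements.txt lines that keep every hash.

    Each line has the form `name==version[; markers] --hash=sha256:... --hash=...`.
    Because at least one --hash option is present, pip enables hash-checking mode
    and refuses any artifact whose digest is not listed in the lock file.
    """
    lock = json.loads(lock_json)
    sections = ["default"] + (["develop"] if include_dev else [])
    lines = []
    for section in sections:
        for name, spec in sorted(lock.get(section, {}).items()):
            version = spec.get("version")
            if not version:
                # VCS or editable entries carry no pin; a hash-checked install cannot
                # use them, so fail loudly instead of emitting a weaker file.
                raise ValueError(f"{name}: no pinned version in lock section {section!r}")
            hashes = spec.get("hashes", [])
            if not hashes:
                raise ValueError(f"{name}: no hashes recorded in lock file")
            line = f"{name}{version}"
            if spec.get("markers"):
                line += f"; {spec['markers']}"
            for digest in sorted(hashes):
                line += f" --hash={digest}"
            lines.append(line)
    return "\n".join(lines) + "\n"


def requirements_in_sync(lock_json: str, requirements_text: str,
                         include_dev: bool = False) -> bool:
    """CI check: does a checked-in requirements.txt still match Pipfile.lock?

    Comments, blank lines and ordering are ignored so that a hand-edited header
    does not cause spurious failures; any difference in pins or hashes does.
    """
    def normalize(text: str) -> list:
        return sorted(
            line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
        )
    expected = normalize(lock_to_requirements(lock_json, include_dev))
    return expected == normalize(requirements_text)


if __name__ == "__main__":
    # Stand-alone run: print the requirements that the sample lock file yields.
    print(lock_to_requirements(SAMPLE_PIPFILE_LOCK, include_dev=True), end="")
```

Pointed at a real lock file (`open("Pipfile.lock").read()`), the generated text can be committed as requirements.txt and handed to `safety check -r requirements.txt` or to pip, while `requirements_in_sync` run in Travis/Circle CI catches a dependency bump that updated Pipfile.lock but not the committed requirements file.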