search

open-telemetry / opentelemetry-js

OpenTelemetry JavaScript Client
https://opentelemetry.io
Apache License 2.0
2.76k stars 811 forks source link

[security] audit repository tooling #4101

Open codeboten opened 1 year ago

codeboten commented 1 year ago

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

pichlermarc commented 1 year ago

Hi @codeboten, thanks for opening this issue :slightly_smiling_face:

I was going through the items on the list and checked those which we already have enabled; I left out the ones I still have some open questions about (see points below):

codeboten commented 1 year ago

Are there any specific recommendations from the Security SIG on running CodeQL?

I asked the question to the security sig, and created https://github.com/open-telemetry/sig-security/issues/15 to track the recommendation.

Question: is any action necessary in this case? 🤔

I don't think there's any addiitonal steps no.

sakshi-1505 commented 1 year ago

Hi @pichlermarc @codeboten , I would prefer to contribute here. I can add codeql GitHub action & as far as staticcheck tool is considered, how about we use TSLint which is native typescript staticcheck tool?

dyladan commented 1 year ago

Hi @pichlermarc @codeboten , I would prefer to contribute here. I can add codeql GitHub action & as far as staticcheck tool is considered, how about we use TSLint which is native typescript staticcheck tool?

CodeQL seems like a good idea and a PR would be welcome. We are already using a linter which solves a different problem.

pichlermarc commented 1 year ago

We're already running CodeQL via GitHub Action. 🙂 Vulnerability checking is something that we still need to do. We could run npm audit --omit=dev for that though (some devDependencies we have to keep at an outdated version for now as we need to support older node runtimes). 🤔

github-actions[bot] commented 9 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] commented 4 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] commented 1 month ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

pichlermarc commented 1 month ago

Hi, @codeboten quick question about this point:

Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)

With Dependabot alerts enabled (which is based on package-lock.json as far as I can tell), and eslint already in place doing some static checking, is there a need for a security-specific static analysis tool to be introduced? :thinking:

codeboten commented 1 month ago

@pichlermarc if those tools provide enough coverage for this repo, then I would say it is not needed

pichlermarc commented 1 month ago

@codeboten thanks for the quick response. I talked with some of the other maintainers yesterday, consensus was that the existing tooling provides us with enough coverage.

Looks like this can be closed as done :slightly_smiling_face: