Closed HumairAK closed 1 year ago
Okay looked into the current Snyk set up, and found that having Snyk only in downstream is super inconvenient.
I was able to successfully use the free Snyk version to import upstream repositories, and send some automated prs made by our dsp-developers bot
I resolved most of the errors for DSP repo, as they came from just upgrading the go version for apiserver, but some errors are coming from older python libraries, which we aren't really using, not direclty anyway. For example the sdk requirements.txt
is reporting:
As a critical vulnerability, but I'm not sure there's much we can do here, other than reporting it upstream and applying a fix there.
There are also certain components with similar vulnerable python packages, but we don't use these components, like visualization server. Should we just ignore these? or find a rule to ignore them in snyk?
My conclusion is that as a low hanging fruit we should follow up with a task to set up dsp-devs with the dspo/dsp repos configured to a free account upstream, but no automation to fix prs just yet. And follow up steps can be to set up alerting if vulnerabilities are found.
A downstream forker of DSP has scanned the DSP images via Snyk which are the same as the ones we use in upstream and found various Critical level issues that need to be addressed.
https://app.snyk.io/org/red-hat-openshift-data-science-rhods/projects?groupBy=targets&searchQuery=&sortBy=highest+severity&filters[Show]=vuln-groups&filters[Integrations]=&before&after&fromGitHubAuth=true
Acceptance criteria: