rgzr / sshtun

Go package to create SSH tunnels
MIT License
88 stars 12 forks

Improvement: Include CVEs that will be addressed in each new release going forward #15

Closed kevin-niland closed 1 week ago

kevin-niland commented 1 month ago

Hi @rgzr

I would like to propose an improvement to future releases of this library, whereby any CVEs that will be addressed in a particular version are listed in that version's release notes, similar to Consul, for example.

We are considering using this library for a use case we have. We are required to address any CVEs that come about from using 3PPs, for example, so I think that if each new version had a list of the CVEs it addresses, it would make this process much simpler for us, and indeed for other people also using this library.

rgzr commented 1 month ago

I think it's a good idea. Would something like this be OK for you? https://github.com/rgzr/sshtun/releases/tag/v1.0.2

What worries me is not keeping up to date with the latest CVEs. If you open issues or directly make the PRs to fix them, I am ready to release the versions with the fixed CVEs in the release notes.

kevin-niland commented 1 month ago

Yes, that looks good.

I haven't had to use GitHub directly for a while, but how did you become aware of the CVEs addressed in the latest version? Was it from the issue I opened or from some scanning tool?

I think GitHub does scan for vulnerabilities associated with the dependencies in your project, but you could also incorporate the govulncheck tool somehow as well?

rgzr commented 1 month ago

It was from the issue you opened. I will have to look into how to incorporate vulnerability scanning into the repo, but I have never looked into it.

kevin-niland commented 1 month ago

I was just looking around for possible ways to scan for vulnerabilities. There is Dependabot, which you might be able to use in Settings > Security & Analysis. Then you need to create a .github/dependabot.yml file in the repo, I think:

# Dependabot version updates for Go modules; security alerts are turned on
# separately under Settings > Security & Analysis.
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/" # Location of go.mod file
    schedule:
      interval: "daily"

rgzr commented 1 week ago

Thank you! I have finally scheduled the govulncheck tool to run daily and on pushes and PRs.

https://github.com/rgzr/sshtun/commit/c1d5a83ef7c9fb970e45cb1135a5a2af15e67be9

The output of the runs is displayed in the Actions tab. I am closing the issue for now; feel free to reopen it if you want to improve this further.
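The thread settles on two things: a per-release list of the CVEs a version addresses, and a scheduled govulncheck run. The Go program below is an added example and is not part of this thread or of the sshtun project. It takes the JSON stream that `govulncheck -json ./...` writes, joins each finding with the CVE aliases from its OSV record, and renders the kind of release-notes section discussed above, separating vulnerabilities whose code govulncheck can actually reach from module-level ones. The field names follow govulncheck's documented -json output (a sequence of objects carrying `config`, `progress`, `osv` or `finding`, with `trace[0]` being the vulnerable module, package or function); only the fields used are modelled. The input is a constructed stream with placeholder identifiers (GO-0000-0001, CVE-0000-0001, example.com/dep), not real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Subset of govulncheck's -json stream: each object carries one of "config",
// "progress", "osv" (a Go vuln DB record) or "finding" (an affected module,
// package or function in the scanned code). Unused fields are ignored.
type message struct {
	OSV     *osvEntry `json:"osv"`
	Finding *finding  `json:"finding"`
}

type osvEntry struct {
	ID      string   `json:"id"`      // GO-YYYY-NNNN
	Aliases []string `json:"aliases"` // CVE-*, GHSA-* identifiers for the same issue
	Summary string   `json:"summary"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"` // trace[0] is the vulnerable module/package/function
}

type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Function string `json:"function"`
}

// Fix is one vulnerability that the release addresses.
type Fix struct {
	GoID, Module, FromVer, FixedVer, Summary string
	CVEs                                     []string
	Reachable                                bool // govulncheck found a call path into the vulnerable symbol
}

// ParseFixes joins findings with their OSV records, one Fix per vulnerability.
// A finding whose first trace frame names a function is call-level, i.e. the
// vulnerable code is reachable; module- and package-level findings are not.
func ParseFixes(r io.Reader) ([]Fix, error) {
	dec := json.NewDecoder(r)
	osvs := map[string]osvEntry{}
	byID := map[string]*Fix{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.OSV != nil {
			osvs[m.OSV.ID] = *m.OSV
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 {
			continue
		}
		fx, ok := byID[f.OSV]
		if !ok {
			fx = &Fix{GoID: f.OSV, Module: f.Trace[0].Module, FromVer: f.Trace[0].Version, FixedVer: f.FixedVersion}
			byID[f.OSV] = fx
		}
		if f.Trace[0].Function != "" {
			fx.Reachable = true
		}
	}
	var out []Fix
	for _, fx := range byID { // join after the loop: OSV records and findings may arrive in any order
		if o, ok := osvs[fx.GoID]; ok {
			fx.Summary = o.Summary
			for _, a := range o.Aliases {
				if strings.HasPrefix(a, "CVE-") {
					fx.CVEs = append(fx.CVEs, a)
				}
			}
		}
		out = append(out, *fx)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].GoID < out[j].GoID })
	return out, nil
}

// ReleaseNotes renders the fixes as a Markdown section for the release notes.
func ReleaseNotes(fixes []Fix) string {
	var b strings.Builder
	b.WriteString("## Security fixes\n")
	for _, f := range fixes {
		state := "not reachable from this code"
		if f.Reachable {
			state = "reachable"
		}
		ids := strings.Join(append([]string{f.GoID}, f.CVEs...), ", ")
		fmt.Fprintf(&b, "- %s: %s %s -> %s (%s). %s\n", ids, f.Module, f.FromVer, f.FixedVer, state, f.Summary)
	}
	return b.String()
}

// sample is a constructed govulncheck -json stream with placeholder IDs and modules.
const sample = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-0000-0001","aliases":["CVE-0000-0001","GHSA-xxxx-xxxx-xxxx"],"summary":"Constructed: auth bypass in example.com/dep"}}
{"osv":{"id":"GO-0000-0002","aliases":["CVE-0000-0002"],"summary":"Constructed: DoS in example.com/other"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.2"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.2","package":"example.com/dep","function":"Check"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/other","version":"v0.8.0"}]}}
{"progress":{"message":"done"}}`

func main() {
	fixes, err := ParseFixes(strings.NewReader(sample)) // swap in os.Stdin to consume a real run
	if err != nil {
		panic(err)
	}
	fmt.Print(ReleaseNotes(fixes))
}
```

The reachable/not-reachable split is the part worth keeping in the notes: a module bump for a vulnerability govulncheck cannot reach still deserves a line (the CVE shows up in dependency scanners either way), but it should not be presented as if users of the library were exposed.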